Read-only root file system #2178
Conversation
Add `readOnlyRootFilesystem` to our Deployments and StatefulSets. Why? Cause it's more securer. One thing I needed to do to make this work was to add a volume for `/tmp`, which I guess is by default part of `/`. This resulted in an actual problem in hive-controllers creating a Session for AWS... but I did it for all the things just in case. This scares me a little bit. For one thing, any time we mess with `securityContext`s we seem to break our friends running hive under vanilla k8s. But also, who knows what corner cases are expecting to be able to write somewhere in the root file system? We won't find out if, like, trying to use additional certs under OpenStack is a problem until some customer tries it. HIVE-2350
|
/hold for testing and risk assessment /test e2e-gcp |
openshift-ci
bot
added
the
do-not-merge/hold
openshift-ci
bot
added
the
approved
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## master #2178 +/- ##
=======================================
Coverage 57.75% 57.75%
=======================================
Files 187 187
Lines 25984 25984
=======================================
Hits 15006 15006
Misses 9723 9723
Partials 1255 1255 |
|
/test security just to make sure we didn't pick up any others before I fix this |
|
/test security |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: 2uasimojo, ngraham20 The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/hold cancel 🤞 |
openshift-ci
bot
removed
the
do-not-merge/hold
|
/override ci/prow/security Same low-sev, not-yet-fixed vuln we've been tracking. |
|
@2uasimojo: Overrode contexts on behalf of 2uasimojo: ci/prow/security In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
@2uasimojo: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
/cherry-pick mce-2.5 |
|
@2uasimojo: new pull request created: #2195 In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Add
readOnlyRootFilesystemto our Deployments and StatefulSets. Why? Cause it's more securer.One thing I needed to do to make this work was to add a volume for
/tmp, which I guess is by default part of/. This resulted in an actual problem in hive-controllers creating a Session for AWS... but I did it for all the things just in case.This scares me a little bit. For one thing, any time we mess with
securityContexts we seem to break our friends running hive under vanilla k8s. But also, who knows what corner cases are expecting to be able to write somewhere in the root file system? We won't find out if, like, trying to use additional certs under OpenStack is a problem until some customer tries it.HIVE-2350