Add readOnlyRootFilesystem=true to containers missing it #112
Conversation
bedb645 to a425fed
- name: linuxptp-daemon-container
  securityContext:
    privileged: true
    readOnlyRootFilesystem: true
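Review bot: readOnlyRootFilesystem: true is added here under a container that keeps privileged: true, so the allowPrivilegeEscalation=false described in the commit message cannot apply to this container (Kubernetes rejects privileged: true combined with allowPrivilegeEscalation: false); worth stating in the description which containers actually get that setting. The read-only root only protects paths not covered by volumes, so the /var/run and /etc/linuxptp locations raised in the thread need to remain volumeMounts for this change to be safe.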
We do write files
Where? If in volumes, that is fine.
/var/run and /etc/linuxptp/ at least.
Good feedback. I will wait for the AWS deploy-ec2 CI to get fixed (currently broken). Then, I will handle directories needing write access. I expect CI to be able to validate my PR.
Actually, those two /var/run and /etc/linuxptp are already volumes. Those are not impacted by the read-only filesystem.
a425fed to e679142
e679142 to a5656f3
/retest
1 similar comment
/retest
Can you fix merge conflicts? Not sure why tests are failing though
a5656f3 to 1c21110
Can you see why tests are failing? This can't merge until tests are passing
readOnlyRootFilesystem prevents containers from writing to the root filesystem, reducing attack surface and improving security posture by limiting potential malicious file modifications and ensuring immutable container runtime. allowPrivilegeEscalation=false prevents containers from gaining additional privileges beyond those initially granted, further hardening the security posture by blocking privilege escalation attacks.

Signed-off-by: Carlos Goncalves <[email protected]>
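An added check (example code, not part of this PR or the linuxptp-daemon project) that audits a pod spec for the two settings named in the commit message and, following the review thread, confirms that every directory a container writes to is backed by a volumeMount rather than the now read-only root. The sample spec and the sidecar's /tmp write path are constructed for illustration.

```python
def _mount_covers(mount_path: str, write_path: str) -> bool:
    """True when write_path is the mount point itself or lies beneath it."""
    m = mount_path.rstrip("/")
    w = write_path.rstrip("/")
    return w == m or w.startswith(m + "/")


def audit_containers(pod_spec: dict, write_paths: dict) -> list:
    """Return one finding string per hardening gap in each container.

    Checks readOnlyRootFilesystem and allowPrivilegeEscalation, and that each
    directory a container writes to (write_paths: container name -> paths)
    is covered by a volumeMount, since a read-only root would otherwise
    break those writes.
    """
    findings = []
    for c in pod_spec.get("containers", []):
        name = c["name"]
        sc = c.get("securityContext") or {}
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append(f"{name}: readOnlyRootFilesystem is not true")
        if sc.get("privileged") is True:
            # Kubernetes rejects privileged: true together with
            # allowPrivilegeEscalation: false, so flag the privilege itself.
            findings.append(f"{name}: runs privileged, so allowPrivilegeEscalation cannot be set to false")
        elif sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{name}: allowPrivilegeEscalation is not false")
        mounts = [m["mountPath"] for m in c.get("volumeMounts", [])]
        for path in write_paths.get(name, []):
            if not any(_mount_covers(m, path) for m in mounts):
                findings.append(f"{name}: writes to {path} but no volume is mounted there")
    return findings


# Constructed sample pod spec (not the project's real manifest): the daemon
# container mirrors the review excerpt, the sidecar shows what a miss looks like.
SAMPLE_POD_SPEC = {
    "containers": [
        {
            "name": "linuxptp-daemon-container",
            "securityContext": {"privileged": True, "readOnlyRootFilesystem": True},
            "volumeMounts": [
                {"name": "socket-dir", "mountPath": "/var/run"},
                {"name": "config", "mountPath": "/etc/linuxptp"},
            ],
        },
        {"name": "sidecar", "securityContext": {}, "volumeMounts": []},
    ]
}
# Write paths for the daemon come from the review thread; /tmp for the sidecar
# is an assumption for illustration.
WRITE_PATHS = {"linuxptp-daemon-container": ["/var/run", "/etc/linuxptp"],
               "sidecar": ["/tmp"]}

if __name__ == "__main__":
    for line in audit_containers(SAMPLE_POD_SPEC, WRITE_PATHS):
        print(line)
```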
1c21110 to 2b4f7b0
If only CI was stable to run the tests.
@edcdavid Can you tell what the error is?