Skip to content

Add readOnlyRootFilesystem=true to containers missing it #112

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Add readOnlyRootFilesystem=true to containers missing it #112

wants to merge 1 commit into from
+27 −2

Conversation

@cgoncalves
Copy link

@cgoncalves cgoncalves commented Oct 15, 2025
edited
Loading

readOnlyRootFilesystem prevents containers from writing to the root filesystem, reducing attack surface and improving security posture by limiting potential malicious file modifications and ensuring immutable container runtime.

allowPrivilegeEscalation=false prevents containers from gaining additional privileges beyond those initially granted, further hardening the security posture by blocking privilege escalation attacks.

josephdrichard
josephdrichard reviewed Oct 15, 2025
View reviewed changes
bindata/linuxptp/ptp-daemon.yaml
- name: linuxptp-daemon-container
securityContext:
privileged: true
readOnlyRootFilesystem: true
Copy link
Collaborator

@josephdrichard josephdrichard Oct 15, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We do write files

Copy link
Author

@cgoncalves cgoncalves Oct 15, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Where? If in volumes, that is fine.

Copy link
Collaborator

@josephdrichard josephdrichard Oct 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/var/run and /etc/linuxptp/ at least.

Copy link
Author

@cgoncalves cgoncalves Oct 23, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good feedback. I will wait for the AWS deploy-ec2 CI to get fixed (currently broken). Then, I will handle directories needing write access. I expect CI to be able to validate my PR.

Copy link
Author

@cgoncalves cgoncalves Oct 24, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actually, those two /var/run and /etc/linuxptp are already volumes. Those are not impacted by the read-only filesystem.

josephdrichard
josephdrichard previously approved these changes Nov 6, 2025
View reviewed changes
@josephdrichard
Copy link
Collaborator

josephdrichard commented Nov 19, 2025

/retest

1 similar comment
@josephdrichard
Copy link
Collaborator

josephdrichard commented Nov 24, 2025

/retest

@josephdrichard
Copy link
Collaborator

josephdrichard commented Nov 24, 2025

Can you fix merge conflicts? Not sure why tests are failing though

josephdrichard
josephdrichard previously approved these changes Nov 24, 2025
View reviewed changes
@josephdrichard
Copy link
Collaborator

josephdrichard commented Nov 26, 2025

Can you see why tests are failing? This can't merge until tests are passing

@cgoncalves
Add readOnlyRootFilesystem=true to containers missing it
2b4f7b0 
readOnlyRootFilesystem prevents containers from writing to the root filesystem,
reducing attack surface and improving security posture by limiting potential
malicious file modifications and ensuring immutable container runtime.

allowPrivilegeEscalation=false prevents containers from gaining additional
privileges beyond those initially granted, further hardening the security
posture by blocking privilege escalation attacks.

Signed-off-by: Carlos Goncalves <[email protected]>
@cgoncalves
Copy link
Author

cgoncalves commented Nov 26, 2025

If only CI was stable to run the tests.

@josephdrichard
Copy link
Collaborator

josephdrichard commented Nov 26, 2025

@edcdavid Can you tell what the error is?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@josephdrichard josephdrichard josephdrichard left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

ok-to-test

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@cgoncalves @josephdrichard @edcdavid