Immutable (read-only) root filesystem should be enforced for containers #1120

Closed
8 tasks done
Tracked by #1083
emirgens opened this issue Dec 5, 2023 · 1 comment · Fixed by equinor/radix-operator#1049
Labels
security Issues related to security improvements

Comments

emirgens commented Dec 5, 2023

Containers should run with a read-only root file system in your Kubernetes cluster. An immutable filesystem protects containers from changes at run-time with malicious binaries being added to PATH.

Implement

  • Dev
  • Playground
  • Platform
  • c2

Additional

@emirgens emirgens added security Issues related to security improvements refinement needed Issues marked for refinement labels Dec 5, 2023
emirgens commented Dec 8, 2023

Start the transition for users to (same procedure as Non-root)
Use readonly filesystem = true
Also be able to mount emptydir writeable and specify size

Changes to operator needed

@Awildev Awildev removed the refinement needed Issues marked for refinement label Dec 8, 2023
@anneliawa anneliawa self-assigned this Jan 11, 2024
@nilsgstrabo nilsgstrabo linked a pull request Feb 7, 2024 that will close this issue
@emirgens emirgens reopened this Mar 6, 2024
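
As an added example (not part of the issue thread and not the Radix operator's code), the check below audits a parsed Kubernetes pod spec for the two requirements raised in this issue: every container sets `readOnlyRootFilesystem: true`, and each writable `emptyDir` volume declares a `sizeLimit`. The function name `audit_pod_spec` and the sample spec are constructed for illustration; the field names are the standard Kubernetes pod spec fields.

```python
from typing import Any


def audit_pod_spec(spec: dict[str, Any]) -> list[str]:
    """Return findings for containers whose root filesystem is writable
    and for emptyDir volumes that have no sizeLimit."""
    findings = []
    # Init and ephemeral containers have their own securityContext,
    # so they must be checked as well as the main containers.
    for kind in ("initContainers", "containers", "ephemeralContainers"):
        for c in spec.get(kind) or []:
            sc = c.get("securityContext") or {}
            # The field defaults to false, so it must be set explicitly.
            if sc.get("readOnlyRootFilesystem") is not True:
                findings.append(f"{kind}/{c.get('name')}: root filesystem is writable")
    for v in spec.get("volumes") or []:
        # An emptyDir without sizeLimit is a writable area with no cap
        # of its own on how much it can hold.
        if "emptyDir" in v and not (v["emptyDir"] or {}).get("sizeLimit"):
            findings.append(f"volume/{v.get('name')}: emptyDir has no sizeLimit")
    return findings


# Constructed sample pod spec (image names are placeholders).
SAMPLE_POD_SPEC = {
    "initContainers": [{"name": "migrate", "image": "example/migrate:1"}],
    "containers": [
        {
            "name": "web",
            "image": "example/web:1",
            "securityContext": {"readOnlyRootFilesystem": True},
            "volumeMounts": [
                {"name": "tmp", "mountPath": "/tmp"},
                {"name": "cache", "mountPath": "/var/cache/app"},
            ],
        },
        {
            "name": "sidecar",
            "image": "example/sidecar:1",
            "securityContext": {"runAsNonRoot": True},
        },
    ],
    "volumes": [
        {"name": "tmp", "emptyDir": {"sizeLimit": "64Mi"}},
        {"name": "cache", "emptyDir": {}},
    ],
}

if __name__ == "__main__":
    for finding in audit_pod_spec(SAMPLE_POD_SPEC):
        print(finding)
```
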