Set readOnlyRootFilesystem: true on control plane and plugin components #11142

Closed
deusxanima opened this issue Jul 20, 2023 · 2 comments · Fixed by #11221
@deusxanima
Contributor

What problem are you trying to solve?

Control Plane, Jaeger injector, and linkerd SMI lack the `readOnlyRootFilesystem: true` setting. This setting defaults to false currently, which grants unnecessary write permissions.

How should the problem be solved?

Update Helm charts for all mentioned components to explicitly set readOnlyRootFilesystem: true as the default for said components.

Any alternatives you've considered?

n/a

How would users interact with this feature?

Helm charts

Would you like to work on this feature?

None

@Dev-Arhaan

Hey, I would like to work on this. It seems pretty simple, but I have no experience with Helm. I'd appreciate it if I can contribute and understand this project.

@ParthBoghani46

Hey @deusxanima, I am interested in this. Can you assign and guide me?

alpeb pushed a commit that referenced this issue Aug 15, 2023
alpeb added a commit that referenced this issue Aug 16, 2023
This is a release candidate for stable-2.14.0; we encourage you to help try
it out!

This edge release contains a number of improvements over the multi-cluster
features introduced in the last edge release supporting flat networks. It also
hardens the containers' security stance by removing write access to the root
filesystem.

* Enhanced `linkerd multicluster link` to allow clusters to be linked without a
  gateway ([#11226])
* Added cluster store size gauge metric ([#11256])
* Disabled local traffic policy for remote discovery ([#11257])
* Fixed various innocuous multi-cluster warnings ([#11251], [#11246], [#11253])
* Set `readOnlyRootFilesystem: true` in all the containers, as they don't
  require write permissions ([#11221]; fixes [#11142]) (thanks @mikutas!)
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 15, 2023