7 changes: 7 additions & 0 deletions assets/common/readOnlyRootFilesystem.yaml
@@ -0,0 +1,7 @@
spec:
template:
spec:
containers:
- name: csi-driver
securityContext:
readOnlyRootFilesystem: true
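Review bot: this patch only reaches the container literally named csi-driver, since a strategic merge patch matches entries of the containers list by name, and the header comments in the generated aws-ebs and aws-efs files show it is applied to every overlay, which is the concern raised in the thread that a driver it breaks cannot be excluded. Suggest recording in the PR which drivers were verified to start and mount volumes with a read-only root, and for any driver binary that needs a writable scratch path, adding an emptyDir mount for that path rather than dropping the setting.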
2 changes: 2 additions & 0 deletions assets/common/sidecars/attacher.yaml
@@ -5,6 +5,8 @@ spec:
spec:
containers:
- name: csi-attacher
securityContext:
readOnlyRootFilesystem: true
image: ${ATTACHER_IMAGE}
imagePullPolicy: IfNotPresent
args:
2 changes: 2 additions & 0 deletions assets/common/sidecars/controller_driver_kube_rbac_proxy.yaml
@@ -7,6 +7,8 @@ spec:
spec:
containers:
- name: kube-rbac-proxy-${LOCAL_METRICS_PORT}
securityContext:
readOnlyRootFilesystem: true
args:
- --secure-listen-address=0.0.0.0:${EXPOSED_METRICS_PORT}
- --upstream=http://127.0.0.1:${LOCAL_METRICS_PORT}/
2 changes: 2 additions & 0 deletions assets/common/sidecars/host_network_livenessprobe.yaml
@@ -4,6 +4,8 @@ spec:
spec:
containers:
- name: csi-liveness-probe
securityContext:
readOnlyRootFilesystem: true
image: ${LIVENESS_PROBE_IMAGE}
imagePullPolicy: IfNotPresent
terminationMessagePolicy: FallbackToLogsOnError
2 changes: 2 additions & 0 deletions assets/common/sidecars/node_driver_kube_rbac_proxy.yaml
@@ -7,6 +7,8 @@ spec:
spec:
containers:
- name: kube-rbac-proxy-${LOCAL_METRICS_PORT}
securityContext:
readOnlyRootFilesystem: true
args:
- --secure-listen-address=0.0.0.0:${EXPOSED_METRICS_PORT}
- --upstream=http://127.0.0.1:${LOCAL_METRICS_PORT}/
1 change: 1 addition & 0 deletions assets/common/sidecars/node_driver_registrar.yaml
@@ -7,6 +7,7 @@ spec:
- name: csi-node-driver-registrar
securityContext:
privileged: true
readOnlyRootFilesystem: true
Contributor
@dobsonj
How does privileged interact with readOnlyRootFilesystem? Will this make any change since we are already running it as privileged?

image: ${NODE_DRIVER_REGISTRAR_IMAGE}
imagePullPolicy: IfNotPresent
args:
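Review bot: the interaction between privileged: true and readOnlyRootFilesystem: true asked about on this hunk deserves a sentence in the PR description. The two settings are independent: readOnlyRootFilesystem makes the runtime mount the container's root filesystem read-only regardless of privileged, so accidental writes into the image filesystem still fail; but a privileged container keeps CAP_SYS_ADMIN and could remount that filesystem read-write, so for this container it is a guard against mistakes and misconfiguration, not a security boundary. Keeping it is still reasonable for consistency with the other sidecars, as long as that limitation is stated.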
2 changes: 2 additions & 0 deletions assets/common/sidecars/pod_network_livenessprobe.yaml
@@ -4,6 +4,8 @@ spec:
spec:
containers:
- name: csi-liveness-probe
securityContext:
readOnlyRootFilesystem: true
This only adds the controller sidecar; it did not add readOnlyRootFilesystem to the driver node.
Do we need to add this parameter to the driver node?

Member
@tsmetana tsmetana Oct 1, 2025
The driver assets should get the parameter from assets/common/readOnlyRootFilesystem.yaml: all of them get patched during the final assets generation IIUC. This actually might be problematic too since we can't exclude some of the drivers in case the readOnlyRootFilesystem would break them.

Member
I misunderstood your comment. And I think you're right -- some sidecars don't have readOnlyFilesystem set, it seems, on both node and controller.

image: ${LIVENESS_PROBE_IMAGE}
imagePullPolicy: IfNotPresent
terminationMessagePolicy: FallbackToLogsOnError
2 changes: 2 additions & 0 deletions assets/common/sidecars/provisioner.yaml
@@ -5,6 +5,8 @@ spec:
spec:
containers:
- name: csi-provisioner
securityContext:
readOnlyRootFilesystem: true
image: ${PROVISIONER_IMAGE}
imagePullPolicy: IfNotPresent
args:
2 changes: 2 additions & 0 deletions assets/common/sidecars/resizer.yaml
@@ -5,6 +5,8 @@ spec:
spec:
containers:
- name: csi-resizer
securityContext:
readOnlyRootFilesystem: true
image: ${RESIZER_IMAGE}
imagePullPolicy: IfNotPresent
args:
2 changes: 2 additions & 0 deletions assets/common/sidecars/snapshotter.yaml
@@ -5,6 +5,8 @@ spec:
spec:
containers:
- name: csi-snapshotter
securityContext:
readOnlyRootFilesystem: true
image: ${SNAPSHOTTER_IMAGE}
imagePullPolicy: IfNotPresent
args:
15 changes: 15 additions & 0 deletions assets/overlays/aws-ebs/generated/hypershift/controller.yaml
@@ -24,6 +24,7 @@
# Applied strategic merge patch pod_network_livenessprobe.yaml
# Applied strategic merge patch common/hypershift/controller_add_affinity_tolerations.yaml
# Applied JSON patch common/hypershift/controller_add_kubeconfig_volume.yaml.patch
# Applied strategic merge patch common/readOnlyRootFilesystem.yaml
# Applied strategic merge patch overlays/aws-ebs/patches/controller_add_hypershift_controller_minter.yaml
#
#
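Review bot: the patch order recorded in this header matters: common/readOnlyRootFilesystem.yaml is applied before overlays/aws-ebs/patches/controller_add_hypershift_controller_minter.yaml, so any container introduced by the minter patch would not pick up readOnlyRootFilesystem from the common patch. Please check whether the hypershift controller ends up with a container that has no securityContext.readOnlyRootFilesystem in the generated output, and if so either reorder the patches or set the field in the minter patch itself.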
@@ -127,6 +128,8 @@ spec:
requests:
cpu: 10m
memory: 50Mi
securityContext:
readOnlyRootFilesystem: true
terminationMessagePolicy: FallbackToLogsOnError
volumeMounts:
- mountPath: /var/run/aws/keys
@@ -159,6 +162,8 @@ spec:
requests:
cpu: 10m
memory: 20Mi
securityContext:
readOnlyRootFilesystem: true
terminationMessagePolicy: FallbackToLogsOnError
volumeMounts:
- mountPath: /etc/tls/private
@@ -190,6 +195,8 @@ spec:
requests:
cpu: 10m
memory: 50Mi
securityContext:
readOnlyRootFilesystem: true
terminationMessagePolicy: FallbackToLogsOnError
volumeMounts:
- mountPath: /var/lib/csi/sockets/pluginproxy/
@@ -244,6 +251,8 @@ spec:
requests:
cpu: 10m
memory: 50Mi
securityContext:
readOnlyRootFilesystem: true
terminationMessagePolicy: FallbackToLogsOnError
volumeMounts:
- mountPath: /var/lib/csi/sockets/pluginproxy/
@@ -298,6 +307,8 @@ spec:
requests:
cpu: 10m
memory: 50Mi
securityContext:
readOnlyRootFilesystem: true
terminationMessagePolicy: FallbackToLogsOnError
volumeMounts:
- mountPath: /var/lib/csi/sockets/pluginproxy/
@@ -352,6 +363,8 @@ spec:
requests:
cpu: 10m
memory: 50Mi
securityContext:
readOnlyRootFilesystem: true
terminationMessagePolicy: FallbackToLogsOnError
volumeMounts:
- mountPath: /var/lib/csi/sockets/pluginproxy/
@@ -395,6 +408,8 @@ spec:
requests:
cpu: 10m
memory: 50Mi
securityContext:
readOnlyRootFilesystem: true
terminationMessagePolicy: FallbackToLogsOnError
volumeMounts:
- mountPath: /csi
5 changes: 5 additions & 0 deletions assets/overlays/aws-ebs/generated/hypershift/node.yaml
@@ -7,6 +7,7 @@
# host_network_livenessprobe.yaml: Loaded from common/sidecars/host_network_livenessprobe.yaml
# host_network_livenessprobe.yaml: Added arguments [--probe-timeout=3s]
# Applied strategic merge patch host_network_livenessprobe.yaml
# Applied strategic merge patch common/readOnlyRootFilesystem.yaml
#
#

@@ -62,6 +63,7 @@ spec:
memory: 50Mi
securityContext:
privileged: true
readOnlyRootFilesystem: true
terminationMessagePolicy: FallbackToLogsOnError
volumeMounts:
- mountPath: /var/lib/kubelet
@@ -110,6 +112,7 @@ spec:
memory: 50Mi
securityContext:
privileged: true
readOnlyRootFilesystem: true
terminationMessagePolicy: FallbackToLogsOnError
volumeMounts:
- mountPath: /csi
@@ -129,6 +132,8 @@ spec:
requests:
cpu: 10m
memory: 50Mi
securityContext:
readOnlyRootFilesystem: true
terminationMessagePolicy: FallbackToLogsOnError
volumeMounts:
- mountPath: /csi
15 changes: 15 additions & 0 deletions assets/overlays/aws-ebs/generated/standalone/controller.yaml
@@ -19,6 +19,7 @@
# pod_network_livenessprobe.yaml: Added arguments [--probe-timeout=3s]
# Applied strategic merge patch pod_network_livenessprobe.yaml
# Applied strategic merge patch common/standalone/controller_add_affinity.yaml
# Applied strategic merge patch common/readOnlyRootFilesystem.yaml
#
#

@@ -96,6 +97,8 @@ spec:
requests:
cpu: 10m
memory: 50Mi
securityContext:
readOnlyRootFilesystem: true
terminationMessagePolicy: FallbackToLogsOnError
volumeMounts:
- mountPath: /var/run/aws/keys
@@ -128,6 +131,8 @@ spec:
requests:
cpu: 10m
memory: 20Mi
securityContext:
readOnlyRootFilesystem: true
terminationMessagePolicy: FallbackToLogsOnError
volumeMounts:
- mountPath: /etc/tls/private
@@ -156,6 +161,8 @@ spec:
requests:
cpu: 10m
memory: 50Mi
securityContext:
readOnlyRootFilesystem: true
terminationMessagePolicy: FallbackToLogsOnError
volumeMounts:
- mountPath: /var/lib/csi/sockets/pluginproxy/
@@ -204,6 +211,8 @@ spec:
requests:
cpu: 10m
memory: 50Mi
securityContext:
readOnlyRootFilesystem: true
terminationMessagePolicy: FallbackToLogsOnError
volumeMounts:
- mountPath: /var/lib/csi/sockets/pluginproxy/
@@ -252,6 +261,8 @@ spec:
requests:
cpu: 10m
memory: 50Mi
securityContext:
readOnlyRootFilesystem: true
terminationMessagePolicy: FallbackToLogsOnError
volumeMounts:
- mountPath: /var/lib/csi/sockets/pluginproxy/
@@ -300,6 +311,8 @@ spec:
requests:
cpu: 10m
memory: 50Mi
securityContext:
readOnlyRootFilesystem: true
terminationMessagePolicy: FallbackToLogsOnError
volumeMounts:
- mountPath: /var/lib/csi/sockets/pluginproxy/
@@ -340,6 +353,8 @@ spec:
requests:
cpu: 10m
memory: 50Mi
securityContext:
readOnlyRootFilesystem: true
terminationMessagePolicy: FallbackToLogsOnError
volumeMounts:
- mountPath: /csi
5 changes: 5 additions & 0 deletions assets/overlays/aws-ebs/generated/standalone/node.yaml
@@ -7,6 +7,7 @@
# host_network_livenessprobe.yaml: Loaded from common/sidecars/host_network_livenessprobe.yaml
# host_network_livenessprobe.yaml: Added arguments [--probe-timeout=3s]
# Applied strategic merge patch host_network_livenessprobe.yaml
# Applied strategic merge patch common/readOnlyRootFilesystem.yaml
#
#

@@ -62,6 +63,7 @@ spec:
memory: 50Mi
securityContext:
privileged: true
readOnlyRootFilesystem: true
terminationMessagePolicy: FallbackToLogsOnError
volumeMounts:
- mountPath: /var/lib/kubelet
@@ -110,6 +112,7 @@ spec:
memory: 50Mi
securityContext:
privileged: true
readOnlyRootFilesystem: true
terminationMessagePolicy: FallbackToLogsOnError
volumeMounts:
- mountPath: /csi
@@ -129,6 +132,8 @@ spec:
requests:
cpu: 10m
memory: 50Mi
securityContext:
readOnlyRootFilesystem: true
terminationMessagePolicy: FallbackToLogsOnError
volumeMounts:
- mountPath: /csi
2 changes: 2 additions & 0 deletions assets/overlays/aws-efs/generated/standalone/controller.yaml
@@ -118,6 +118,7 @@ spec:
memory: 50Mi
securityContext:
privileged: true
readOnlyRootFilesystem: true
terminationMessagePolicy: FallbackToLogsOnError
volumeMounts:
- mountPath: /var/lib/csi/sockets/pluginproxy/
@@ -160,6 +161,7 @@ spec:
memory: 50Mi
securityContext:
privileged: true
readOnlyRootFilesystem: true
terminationMessagePolicy: FallbackToLogsOnError
volumeMounts:
- mountPath: /csi
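Review bot: unlike the other generated files in this PR, this file gains no "# Applied strategic merge patch common/readOnlyRootFilesystem.yaml" header line; its whole diff is the two readOnlyRootFilesystem: true additions under existing privileged: true blocks. Please confirm the generator was re-run for the aws-efs standalone controller and state where these two additions come from; if the common patch is not applied to this overlay, the generated header should reflect that, and if it is, the missing header line suggests the file was edited by hand.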
5 changes: 5 additions & 0 deletions assets/overlays/aws-efs/generated/standalone/node.yaml
@@ -7,6 +7,7 @@
# host_network_livenessprobe.yaml: Loaded from common/sidecars/host_network_livenessprobe.yaml
# host_network_livenessprobe.yaml: Added arguments [--probe-timeout=3s]
# Applied strategic merge patch host_network_livenessprobe.yaml
# Applied strategic merge patch common/readOnlyRootFilesystem.yaml
#
#

@@ -65,6 +66,7 @@ spec:
memory: 50Mi
securityContext:
privileged: true
readOnlyRootFilesystem: true
terminationMessagePolicy: FallbackToLogsOnError
volumeMounts:
- mountPath: /var/lib/kubelet
@@ -123,6 +125,7 @@ spec:
memory: 50Mi
securityContext:
privileged: true
readOnlyRootFilesystem: true
terminationMessagePolicy: FallbackToLogsOnError
volumeMounts:
- mountPath: /csi
@@ -142,6 +145,8 @@ spec:
requests:
cpu: 10m
memory: 50Mi
securityContext:
readOnlyRootFilesystem: true
terminationMessagePolicy: FallbackToLogsOnError
volumeMounts:
- mountPath: /csi