Add new feature flag to set readOnlyRootFilesystem for pipelinerun, taskrun and Affinity assistants containers #8183

Open
kristofferchr opened this issue Aug 6, 2024 · 1 comment
Labels: kind/feature

@kristofferchr
Contributor

Feature request

Add a flag to enable setting the readOnlyRootFilesystem field in the securityContext for containers used in pipelinerun and taskrun.

Use case

Containers for taskrun and pipelinerun should follow security best practices by setting the readOnlyRootFilesystem field. This practice, recommended by platforms like Azure Kubernetes Service (AKS), enhances container security.

Implementation:

Introduce a feature flag set-security-context-read-only-root-filesystem in the ConfigMap feature-flags that sets the readOnlyRootFilesystem field for all init containers and the affinity assistant. This should only be applied when the feature set-security-context is enabled.
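
The gating proposed above, sketched in Go as an added example (not Tekton's code and not part of the issue). The types are simplified stand-ins for the Kubernetes core/v1 ones and applyReadOnlyRootFS is a hypothetical helper; only the two flag names and the readOnlyRootFilesystem field come from the issue.

```go
package main

import "fmt"

// Simplified stand-ins for the corev1 types (assumption: only the fields used here).
type SecurityContext struct {
	RunAsNonRoot           *bool
	ReadOnlyRootFilesystem *bool
}
type Container struct {
	Name            string
	SecurityContext *SecurityContext
}

// Flag names as given in the issue; both are keys of the feature-flags ConfigMap.
const (
	flagSecurityContext = "set-security-context"
	flagReadOnlyRootFS  = "set-security-context-read-only-root-filesystem"
)

// readOnlyRootFSEnabled: the new flag is honoured only if set-security-context is also "true".
func readOnlyRootFSEnabled(featureFlags map[string]string) bool {
	return featureFlags[flagSecurityContext] == "true" && featureFlags[flagReadOnlyRootFS] == "true"
}

// applyReadOnlyRootFS (hypothetical) sets the field, keeps other fields, returns the number changed.
func applyReadOnlyRootFS(featureFlags map[string]string, containers []Container) int {
	if !readOnlyRootFSEnabled(featureFlags) {
		return 0
	}
	changed := 0
	for i := range containers {
		c := &containers[i]
		if c.SecurityContext == nil {
			c.SecurityContext = &SecurityContext{}
		}
		if sc := c.SecurityContext; sc.ReadOnlyRootFilesystem == nil || !*sc.ReadOnlyRootFilesystem {
			t := true
			sc.ReadOnlyRootFilesystem = &t
			changed++
		}
	}
	return changed
}

func main() {
	cs := []Container{{Name: "init-1"}, {Name: "init-2"}, {Name: "affinity-assistant"}} // constructed sample
	flags := map[string]string{flagSecurityContext: "true", flagReadOnlyRootFS: "true"}
	fmt.Println("containers updated:", applyReadOnlyRootFS(flags, cs))
}
```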

@kristofferchr kristofferchr added the kind/feature Categorizes issue or PR as related to a new feature. label Aug 6, 2024
@kristofferchr
Contributor Author

/assign
