Set readOnlyRootFilesystem to true in container security context #1213
Open
Description
Proposal
I'm trying to avoid containers eating the node's ephemeral storage and have a kyverno policy which checks for readOnlyRootFilesystem. I think it won't be a problem to enable readOnlyRootFilesystem for containers. It will also increase container security by reducing the attack scope.
```
$ k describe pod -n mysql ps-db-haproxy-1
...
Warning PolicyViolation 3m22s kyverno-scan policy require-ro-rootfs/validate-readOnlyRootFilesystem fail: validation error: Root filesystem must be read-only. rule validate-readOnlyRootFilesystem failed at path /spec/containers/0/securityContext/
$ k describe pod -n mysql ps-db-mysql-1
...
Warning PolicyViolation 26m kyverno-scan policy require-ro-rootfs/validate-readOnlyRootFilesystem fail: validation error: Root filesystem must be read-only. rule validate-readOnlyRootFilesystem failed at path /spec/containers/0/securityContext/
```
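For reference, the two pieces involved in the proposal above, written out as an added example (this is not code from the issue author or from the operator project). The first document is a Kyverno ClusterPolicy shaped like the `require-ro-rootfs` / `validate-readOnlyRootFilesystem` rule named in the violations, using Kyverno's standard `validate.pattern` form. The second is a plain Pod manifest showing what a container spec looks like once `readOnlyRootFilesystem` is set: any path the process still needs to write (here `/tmp`, which is an assumption, since the issue does not say which paths the operator's containers write to) is backed by an `emptyDir` volume. The pod name, container name and image are constructed placeholders.

```yaml
# Added example, not from the issue or the operator project.
# Document 1: a Kyverno policy equivalent to the one producing the
# PolicyViolation events quoted in the issue. validationFailureAction
# "Audit" only reports (as the warnings above do); "Enforce" would
# reject the pod at admission instead.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-ro-rootfs
spec:
  validationFailureAction: Audit
  background: true
  rules:
    - name: validate-readOnlyRootFilesystem
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: "Root filesystem must be read-only."
        # Every container must carry securityContext.readOnlyRootFilesystem: true;
        # a container with no securityContext at all fails at
        # /spec/containers/<n>/securityContext/, as in the quoted events.
        pattern:
          spec:
            containers:
              - securityContext:
                  readOnlyRootFilesystem: true
---
# Document 2: a Pod that satisfies the rule. With the root filesystem
# read-only the process can no longer write into the container image
# layer, so each writable location must be an explicit volume.
apiVersion: v1
kind: Pod
metadata:
  name: ro-rootfs-example        # constructed name
spec:
  containers:
    - name: app                  # constructed name
      image: registry.invalid/app:1.0   # placeholder image
      securityContext:
        readOnlyRootFilesystem: true
        allowPrivilegeEscalation: false
      volumeMounts:
        - name: tmp
          mountPath: /tmp        # assumed writable path; adjust per workload
  volumes:
    - name: tmp
      emptyDir:
        # emptyDir still lives on the node's ephemeral storage; the limit
        # bounds how much this container can consume before eviction,
        # which is the resource concern raised in the issue.
        sizeLimit: 256Mi
```

Two practical notes. First, a read-only root filesystem does not by itself stop ephemeral-storage consumption: writes simply move to `emptyDir` volumes, which are also charged to the node's ephemeral storage, so `sizeLimit` (or a `resources.limits.ephemeral-storage` on the container) is what actually caps it. Second, before switching the policy to `Enforce`, run it in `Audit` and check each reported container for paths it writes at runtime (temporary files, sockets, pid files); each of those needs a volume mount, otherwise the process will fail with a read-only filesystem error at start-up.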
Use-Case
No response
Is this a feature you are interested in implementing yourself?
Maybe
Anything else?
No response