Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add support for read-only root filesystem and enable by default #235

Merged
merged 10 commits into from
Nov 30, 2023
Merged

Add support for read-only root filesystem and enable by default #235

Show file tree
Hide file tree
Changes from 6 commits
Commits
Show all changes
10 commits
Select commit Hold shift + click to select a range
a5fcfa6
Change /tmp/ansible-operator/runner volume mount path to just /tmp so…
eli-gc Nov 27, 2023
755bc05
mount emptyDir to ansible tmp directory
eli-gc Nov 29, 2023
abc433e
remove opt mount and create env variable for ANSIBlE_LOCAL_TEMP
eli-gc Nov 29, 2023
f65930b
Update localAnsibleTmpPath default value to /tmp/ansible/tmp for bett…
eli-gc Nov 29, 2023
c864a3f
Merge pull request #1 from eli-gc/tmp-testing
eli-gc Nov 29, 2023
f6084c3
read-only filesystem enabled by default
eli-gc Nov 29, 2023
ad9b4d5
hardcode ANSIBLE_LOCAL_TEMP to prevent changes
eli-gc Nov 29, 2023
1834c36
move ANSIBLE_LOCAL_TEMP down with other ansible env vars
eli-gc Nov 29, 2023
439fec5
add ANSIBLE_REMOTE_TEMP env var
eli-gc Nov 30, 2023
f805229
Merge pull request #2 from eli-gc/add-ansible-remote-temp
eli-gc Nov 30, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 6 additions & 3 deletions kiali-operator/templates/deployment.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -61,13 +61,14 @@ spec:
allowPrivilegeEscalation: false
privileged: false
runAsNonRoot: true
readOnlyRootFilesystem: true
capabilities:
drop:
- ALL
{{- end }}
volumeMounts:
- mountPath: /tmp/ansible-operator/runner
name: runner
- mountPath: /tmp
name: tmp
env:
- name: WATCH_NAMESPACE
value: {{ .Values.watchNamespace | default "\"\"" }}
Expand All @@ -83,6 +84,8 @@ spec:
value: {{ .Values.allowAdHocKialiNamespace | quote }}
- name: ALLOW_AD_HOC_KIALI_IMAGE
value: {{ .Values.allowAdHocKialiImage | quote }}
- name: ANSIBLE_LOCAL_TEMP
value: {{ .Values.localAnsibleTmpPath | quote }}
{{- if .Capabilities.APIVersions.Has "route.openshift.io/v1" }}
- name: ALLOW_AD_HOC_OSSMCONSOLE_IMAGE
value: {{ .Values.allowAdHocOSSMConsoleImage | quote }}
Expand Down Expand Up @@ -120,7 +123,7 @@ spec:
{{- toYaml .Values.resources | nindent 10 }}
{{- end }}
volumes:
- name: runner
- name: tmp
emptyDir: {}
affinity:
{{- toYaml .Values.affinity | nindent 8 }}
Expand Down
5 changes: 5 additions & 0 deletions kiali-operator/values.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -89,6 +89,11 @@ allowSecurityContextOverride: false
# Note that this will be overriden to "true" if cr.create is true and cr.spec.deployment.accessible_namespaces is ['**'].
allowAllAccessibleNamespaces: true

# localAnsibleTmpPath is the path of the local Ansible temp directory. This sets the ANSIBLE_LOCAL_TEMP variable which
# in turn sets the DEFAULT_LOCAL_TMP configuration. An emptyDir is mounted to /tmp for the kiali-operator container.
# Ansible needs write access on this directory so modifying it might have implications if read-only root filesystem is enabled.
localAnsibleTmpPath: /tmp/ansible/tmp

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we really need this? Why would someone need to change this?

IMO, this should be fixed/hardcoded. I don't see a need for anyone to change this, and it just invites users to misconfigure something.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree. I'll remove it from values.

# accessibleNamespacesLabel restricts the namespaces that a user can add to the Kiali CR spec.deployment.accessible_namespaces.
# This value is either an empty string (which disables this feature) or a label name with an optional label value
# (e.g. "mylabel" or "mylabel=myvalue"). Only namespaces that have that label will be permitted in
Expand Down
Loading