joelanford
Member

Description

This makes our containers' root filesystems read-only, which improves security by preventing writes to the container’s base image filesystem.

It adds /tmp as an emptyDir volume so that our app can continue writing temporary files as needed.

Reviewer Checklist

  • API Go Documentation
  • Tests: Unit Tests (and E2E Tests, if appropriate)
  • Comprehensive Commit Messages
  • Links to related GitHub Issue(s)
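
The pattern this description refers to, as an added example manifest that is not the project's own: the Deployment name, labels, image reference and the volume name `tmp` are placeholders assumed for illustration.

```yaml
# Added example, not the project's manifest.
# Name, labels, image and the volume name "tmp" are placeholders.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: example-controller            # placeholder
spec:
  replicas: 1
  selector:
    matchLabels:
      app: example-controller         # placeholder
  template:
    metadata:
      labels:
        app: example-controller       # placeholder
    spec:
      containers:
        - name: manager               # placeholder
          image: registry.example/controller:placeholder
          securityContext:
            # The container's root filesystem is mounted read-only, so a
            # write outside a mounted volume fails (EROFS).
            readOnlyRootFilesystem: true
          volumeMounts:
            # Writable scratch space so temporary files still work.
            - name: tmp
              mountPath: /tmp
      volumes:
        # An emptyDir exists for as long as the pod stays on its node and
        # is deleted together with the pod.
        - name: tmp
          emptyDir: {}
```

With this setting, any other path the process writes to on the root filesystem fails at runtime, so each such path needs its own volume mount.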

@joelanford joelanford requested a review from a team as a code owner June 6, 2025 19:19

netlify bot commented Jun 6, 2025

Deploy Preview for olmv1 ready!

Name Link
🔨 Latest commit 1d37c1f
🔍 Latest deploy log https://app.netlify.com/projects/olmv1/deploys/6843829b1cb5600008111cf3
😎 Deploy Preview https://deploy-preview-2018--olmv1.netlify.app

@joelanford joelanford changed the title ✨ set readOnlyRootFilesystem: true for workloads ✨ set readOnlyRootFilesystem: true for workloads Jun 6, 2025

codecov bot commented Jun 6, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 69.20%. Comparing base (061b107) to head (1d37c1f).
Report is 1 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #2018      +/-   ##
==========================================
+ Coverage   69.17%   69.20%   +0.02%     
==========================================
  Files          79       79              
  Lines        7037     7037              
==========================================
+ Hits         4868     4870       +2     
+ Misses       1887     1886       -1     
+ Partials      282      281       -1     
Flag Coverage Δ
e2e 43.11% <ø> (+0.11%) ⬆️
unit 60.03% <ø> (-0.03%) ⬇️


@grokspawn
Contributor

tilt shows crashlooping op-con and cat-d pods.

Signed-off-by: Joe Lanford <joe.lanford@gmail.com>
@joelanford joelanford force-pushed the read-only-root-fs branch from 52cee8d to 1d37c1f Compare June 7, 2025 00:06
@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Jun 7, 2025

openshift-ci bot commented Jun 7, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: grokspawn


@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 7, 2025
@openshift-merge-bot openshift-merge-bot bot merged commit 44de6f2 into operator-framework:main Jun 7, 2025
22 checks passed
@joelanford joelanford deleted the read-only-root-fs branch June 9, 2025 15:39