Bug 2274499

Summary: Not all csi-addons containers run with read-only filesystem
Product: [Red Hat Storage] Red Hat OpenShift Data Foundation
Reporter: Niels de Vos <ndevos>
Component: csi-addons
Assignee: Niels de Vos <ndevos>
Status: CLOSED ERRATA
QA Contact: Filip Balák <fbalak>
Severity: medium
Priority: unspecified
Version: 4.14
CC: asriram, etamir, fbalak, kbg, muagarwa, nberry, odf-bz-bot, sheggodu
Target Milestone: ---
Keywords: Security
Target Release: ODF 4.14.9
Hardware: Unspecified
OS: Unspecified
Fixed In Version: 4.14.9-2
Doc Type: Bug Fix
Doc Text:
Previously, security scanners or checkers reported that the `csi-addons-controller-manager` pod did not have the "readOnlyRootFilesystem" option enabled, because the option was not set explicitly in its deployment. With this fix, "readOnlyRootFilesystem" is set to `true` for the containers in the deployment of the `csi-addons-controller-manager` pod. As a result, security scanners or checkers no longer report the missing "readOnlyRootFilesystem" option for `csi-addons-controller-manager`.
Story Points: ---
Clone Of: 2268065
Last Closed: 2024-07-02 11:02:21 UTC
Bug Depends On: 2268065

Description Niels de Vos 2024-04-11 11:52:22 UTC
+++ This bug was initially created as a clone of Bug #2268065 +++

Description of problem (please be as detailed as possible and provide log
snippets):

A security scanner reports:

only read-only root filesystem container is allowed: kube-rbac-proxy
only read-only root filesystem container is allowed: manager
Version of all relevant components (if applicable):

All

--- Additional comment from Niels de Vos on 2024-03-06 10:02:18 CET ---

Security can be enhanced by setting "readOnlyRootFilesystem: true" for all containers that are part of the csi-addons-controller-manager deployment.

--- Additional comment from Mudit Agarwal on 2024-04-09 04:32:18 CEST ---

Is it possible to backport this to 4.14 also?

--- Additional comment from Niels de Vos on 2024-04-11 13:37:42 CEST ---

(In reply to Mudit Agarwal from comment #6)
> Is it possible to backport this to 4.14 also?

Yes, if that is wanted. A new csi-addons bundle will need to be provided as that contains the CSV with the change.
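The check the scanner performs, and the fix the bug describes, as an added example that is not part of the bug report or of the csi-addons project. The manifest below is constructed: the container names `kube-rbac-proxy` and `manager` come from the scanner output above, while image names and other fields are placeholders, not the real deployment.

```python
"""Find containers in a Deployment that lack a read-only root filesystem."""
import copy

# Constructed sample of the "before" state reported by the scanner:
# neither container sets securityContext.readOnlyRootFilesystem.
BEFORE = {
    "kind": "Deployment",
    "metadata": {"name": "csi-addons-controller-manager"},
    "spec": {"template": {"spec": {"containers": [
        {"name": "kube-rbac-proxy", "image": "placeholder/kube-rbac-proxy",
         "securityContext": {"allowPrivilegeEscalation": False}},
        {"name": "manager", "image": "placeholder/csi-addons-manager"},
    ]}}},
}


def writable_root_containers(deployment):
    """Return names of containers whose root filesystem is not read-only.

    Only an explicit securityContext.readOnlyRootFilesystem: true counts;
    a missing key means a writable root filesystem, which is what the
    scanner flags.
    """
    pod_spec = deployment["spec"]["template"]["spec"]
    names = []
    for kind in ("initContainers", "containers"):
        for c in pod_spec.get(kind, []):
            sc = c.get("securityContext") or {}
            if sc.get("readOnlyRootFilesystem") is not True:
                names.append(c["name"])
    return names


def scanner_findings(deployment):
    """Format findings the way the scanner quoted in the bug does."""
    return ["only read-only root filesystem container is allowed: " + n
            for n in writable_root_containers(deployment)]


def harden(deployment):
    """Copy of the Deployment with readOnlyRootFilesystem: true everywhere (the fix)."""
    fixed = copy.deepcopy(deployment)
    pod_spec = fixed["spec"]["template"]["spec"]
    for kind in ("initContainers", "containers"):
        for c in pod_spec.get(kind, []):
            sc = c.get("securityContext") or {}   # keep existing settings
            sc["readOnlyRootFilesystem"] = True
            c["securityContext"] = sc
    return fixed


if __name__ == "__main__":
    print("\n".join(scanner_findings(BEFORE)))
    print(scanner_findings(harden(BEFORE)))  # []
```

Any container that must write somewhere (caches, `/tmp`) then needs an explicit `emptyDir` volume mounted at that path, which is the part of such a change that takes testing.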

Comment 4 Sunil Kumar Acharya 2024-06-12 13:31:59 UTC
Please backport the fix to ODF-4.14 and update the RDT flag/text appropriately.

Comment 13 errata-xmlrpc 2024-07-02 11:02:21 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Red Hat OpenShift Data Foundation 4.14.9 Bug Fix Update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2024:4217