Bug 2274499 - Not all csi-addons containers run with read-only filesystem
Summary: Not all csi-addons containers run with read-only filesystem
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenShift Data Foundation
Classification: Red Hat Storage
Component: csi-addons
Version: 4.14
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: ---
Target Release: ODF 4.14.9
Assignee: Niels de Vos
QA Contact: Filip Balák
URL:
Whiteboard:
Depends On: 2268065
Blocks:
Reported: 2024-04-11 11:52 UTC by Niels de Vos
Modified: 2024-07-02 11:02 UTC (History)
CC List: 8 users

Fixed In Version: 4.14.9-2
Doc Type: Bug Fix
Doc Text:
Previously, the security scanners or checkers reported that the `csi-addons-controller-manager` pod does not have "readOnlyRootFilesystem" option enabled as the pod does not have this option enabled explicitly. With this fix, in the deployment of the `csi-addons-controller-manager` pod, "readOnlyRootFilesystem" is set to `true`. As a result, the security scanners or checkers no longer report the missing "readOnlyRootFilesystem" option for csi-addons-controller-manager.
Clone Of: 2268065
Environment:
Last Closed: 2024-07-02 11:02:21 UTC
Embargoed:




Links
- GitHub red-hat-storage/kubernetes-csi-addons pull 134 (Merged): "BUG 2274499: deploy: run all containers with read-only filesystem", last updated 2024-06-14 08:08:19 UTC
- Red Hat Product Errata RHBA-2024:4217, last updated 2024-07-02 11:02:25 UTC

Description Niels de Vos 2024-04-11 11:52:22 UTC
+++ This bug was initially created as a clone of Bug #2268065 +++

Description of problem (please be as detailed as possible and provide log
snippets):

A security scanner reports:

only read-only root filesystem container is allowed: kube-rbac-proxy
only read-only root filesystem container is allowed: manager


Version of all relevant components (if applicable):

All

--- Additional comment from Niels de Vos on 2024-03-06 10:02:18 CET ---

Security can be enhanced by setting "readOnlyRootFilesystem: true" for all containers that are part of the csi-addons-controller-manager deployment.

--- Additional comment from Mudit Agarwal on 2024-04-09 04:32:18 CEST ---

is it possible to backport this to 4.14 also?

--- Additional comment from Niels de Vos on 2024-04-11 13:37:42 CEST ---

(In reply to Mudit Agarwal from comment #6)
> is it possible to backport this to 4.14 also?

Yes, if that is wanted. A new csi-addons bundle will need to be provided as that contains the CSV with the change.
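The following is an added example, not code from the csi-addons project or from this bug report. It reproduces the scanner check described above over a constructed, minimal Deployment manifest that carries the two container names the scanner flagged (kube-rbac-proxy and manager; image names and other fields are assumed), and then applies the fix the comments describe, setting readOnlyRootFilesystem: true on every container, so that the same check comes back clean.

```python
"""Check a Kubernetes Deployment for containers lacking a read-only root filesystem.

Added example. The manifest below is constructed for illustration and only
borrows the deployment and container names from the bug report; images and
the remaining fields are placeholders, not the project's real values.
"""
import copy

# Constructed sample: the state before the fix. kube-rbac-proxy has a
# securityContext that omits readOnlyRootFilesystem; manager has none at all.
# Either way the field defaults to false, which is what the scanner reports.
DEPLOYMENT_BEFORE = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "csi-addons-controller-manager"},
    "spec": {
        "template": {
            "spec": {
                "containers": [
                    {
                        "name": "kube-rbac-proxy",
                        "image": "PLACEHOLDER/kube-rbac-proxy:TAG",
                        "securityContext": {"allowPrivilegeEscalation": False},
                    },
                    {
                        "name": "manager",
                        "image": "PLACEHOLDER/csi-addons-manager:TAG",
                    },
                ]
            }
        }
    },
}


def _all_containers(deployment):
    """Yield the container dicts of the pod template, init containers included."""
    pod_spec = deployment["spec"]["template"]["spec"]
    return pod_spec.get("initContainers", []) + pod_spec.get("containers", [])


def containers_without_read_only_root(deployment):
    """Names of containers whose readOnlyRootFilesystem is not explicitly true."""
    flagged = []
    for container in _all_containers(deployment):
        security_context = container.get("securityContext") or {}
        if security_context.get("readOnlyRootFilesystem") is not True:
            flagged.append(container["name"])
    return flagged


def scanner_findings(deployment):
    """Format findings in the wording the scanner output in the report uses."""
    return [
        f"only read-only root filesystem container is allowed: {name}"
        for name in containers_without_read_only_root(deployment)
    ]


def with_read_only_root(deployment):
    """Return a copy with readOnlyRootFilesystem: true set on every container.

    Existing securityContext settings are kept; the original is not modified.
    """
    hardened = copy.deepcopy(deployment)
    for container in _all_containers(hardened):
        container.setdefault("securityContext", {})["readOnlyRootFilesystem"] = True
    return hardened


if __name__ == "__main__":
    for line in scanner_findings(DEPLOYMENT_BEFORE):
        print(line)
    fixed = with_read_only_root(DEPLOYMENT_BEFORE)
    print("after fix:", scanner_findings(fixed) or "no findings")
```

Run as a script it prints the two scanner lines quoted in the report for the "before" manifest and "no findings" after the fix. The check deliberately treats an absent field the same as an explicit false, because that is how the Kubernetes API defaults it, which is also why the fix has to set the value explicitly rather than rely on a default. A general caveat when turning the option on: a container that writes to its root filesystem at runtime (temporary files, caches) needs a writable volume such as an emptyDir mounted at that path, or it will fail once the root becomes read-only.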

Comment 4 Sunil Kumar Acharya 2024-06-12 13:31:59 UTC
Please backport the fix to ODF-4.14 and update the RDT flag/text appropriately.

Comment 13 errata-xmlrpc 2024-07-02 11:02:21 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Red Hat OpenShift Data Foundation 4.14.9 Bug Fix Update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2024:4217

