8000 feat: enable readOnlyRootFilesystem and add required writable mounts by ab-ghosh · Pull Request #1067 · tektoncd/results · GitHub
[go: up one dir, main page]
More Web Proxy on the site http://driver.im/
Skip to content

feat: enable readOnlyRootFilesystem and add required writable mounts #1067

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

feat: enable readOnlyRootFilesystem and add required writable mounts #1067

wants to merge 1 commit into from
+16 −2

Conversation

ab-ghosh
Copy link
Contributor

Changes

This PR enables readOnlyRootFilesystem in the PostgreSQL container for enhanced security. To support this change, writable emptyDir volume mounts are added for directories that require write access during container startup and runtime.

  • Enabled readOnlyRootFilesystem: true under container securityContext.
  • Added emptyDir volumes and corresponding volumeMounts for:
    • /tmp – general temporary file usage
    • /opt/bitnami/postgresql/conf – for dynamic config file generation (pg_hba.conf, postgresql.conf)
    • /opt/bitnami/postgresql/tmp – for internal init tracking (.initialized)

closes: #1062

Submitter Checklist

These are the criteria that every PR should meet, please check them off as you review them:

  • Has Docs included if any changes are user facing
  • Has Tests included if any functionality added or changed
  • Tested your changes locally (if this is a code change)
  • Follows the commit message standard
  • Meets the Tekton contributor standards (including functionality, content, code)
  • Has a kind label. You can add a comment on this PR that contains /kind <type>. Valid types are bug, cleanup, design, documentation, feature, flake, misc, question, tep
  • Release notes block below has been updated with any user-facing changes (API changes, bug fixes, changes requiring upgrade notices or deprecation warnings)
  • Release notes contain the string "action required" if the change requires additional action from users switching to the new release

Release Notes

@tekton-robot tekton-robot added the release-note Denotes a PR that will be considered when it comes time to generate release notes. label Jul 14, 2025
@tekton-robot
Copy link

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
To complete the pull request process, please assign dibyom after the PR has been reviewed.
You can assign the PR to them by writing /assign @dibyom in a comment when ready.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@tekton-robot tekton-robot added needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Jul 14, 2025
@tekton-robot
Copy link

Hi @ab-ghosh. Thanks for your PR.

I'm waiting for a tektoncd member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@ab-ghosh
Copy link
Contributor Author

/kind feature

@tekton-robot tekton-robot added the kind/feature Categorizes issue or PR as related to a new feature. label Jul 14, 2025
@ab-ghosh
Copy link
Contributor Author

/cc @khrm

@tekton-robot tekton-robot requested a review from khrm July 14, 2025 10:30
khrm
khrm reviewed Jul 14, 2025
View reviewed changes
Copy link
Contributor
@khrm khrm left a comment 8000

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/ok-to-test

@tekton-robot tekton-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Jul 14, 2025
@khrm khrm requested a review from Copilot July 14, 2025 10:58
Copilot
Copilot AI reviewed Jul 14, 2025
View reviewed changes
Copy link
@Copilot Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR enhances the security of the PostgreSQL container by enabling read-only root filesystem while maintaining proper functionality through writable volume mounts. The changes ensure that the container can only write to explicitly defined directories, reducing the attack surface.

  • Enabled readOnlyRootFilesystem: true in the PostgreSQL container security context
  • Added three emptyDir volumes for directories requiring write access during runtime
  • Configured corresponding volume mounts for temporary files, configuration, and initialization tracking

@khrm
Copy link
Contributor
khrm commented Jul 14, 2025

/kind security

@tekton-robot tekton-robot added the kind/security Categorizes issue or PR as related to a security issue label Jul 14, 2025
@khrm khrm removed the kind/feature Categorizes issue or PR as related to a new feature. label Jul 14, 2025
@ab-ghosh
feat: enable readOnlyRootFilesystem and add required writable mounts
588b334 
Signed-off-by: Abhishek Ghosh <abhi.ghosh3108@gmail.com>

Added comments to distinguish between ephemeral and persistent volumes

Signed-off-by: Abhishek Ghosh <abhi.ghosh3108@gmail.com>
@ab-ghosh ab-ghosh force-pushed the feature/readOnlyRootFilesystem branch from 99c19a4 to 588b334 Compare July 14, 2025 11:34
@ab-ghosh ab-ghosh requested a review from khrm July 16, 2025 06:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

Copilot code review Copilot Copilot left review comments

@alan-ghelardi alan-ghelardi Awaiting requested review from alan-ghelardi

@dibyom dibyom Awaiting requested review from dibyom

@khrm khrm Awaiting requested review from khrm

Assignees
No one assigned
Labels
kind/security Categorizes issue or PR as related to a security issue ok-to-test Indicates a non-member PR verified by an org member that is safe to test. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/S Denotes a PR that changes 10-29 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Set readOnlyRootFilesystem as true for Postgres image
3 participants
@ab-ghosh @tekton-robot @khrm
0