Add new feature flag to set readOnlyRootFilesystem for pipelinerun, taskrun and Affinity assistants containers  #8183

@kristofferchr

Feature request

Add a flag to enable setting the readOnlyRootFilesystem field in the securityContext for containers used in pipelinerun and taskrun.

Use case

Containers for taskrun and pipelinerun should follow security best practices by setting the readOnlyRootFilesystem field. This practice, recommended by platforms like Azure Kubernetes Service (AKS), enhances container security.

Implementation:

Introduce feature flag set-security-context-read-only-root-filesystem in ConfigMap feature-flags that sets the readOnlyRootFilesystem field for all init containers and the affinity assistant. This should only be applied when the set-security-context feature is enabled.
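The gating described in the request, sketched as an added example (not part of the original issue and not Tekton's own code). The `SecurityContext` and `Container` structs are simplified stand-ins for the Kubernetes types, `applyReadOnlyRoot` is a hypothetical helper, and it assumes the flag sets the field to true.

```go
package main

import "fmt"

// Flag names as given in the issue; both live in the feature-flags ConfigMap.
const (
	flagSecCtx   = "set-security-context"
	flagReadOnly = "set-security-context-read-only-root-filesystem"
)

// SecurityContext and Container are simplified stand-ins (assumption) for the
// Kubernetes core/v1 types, keeping only the fields this example needs.
type SecurityContext struct {
	ReadOnlyRootFilesystem *bool
	RunAsNonRoot           *bool
}

type Container struct {
	Name            string
	SecurityContext *SecurityContext
}

// applyReadOnlyRoot (hypothetical helper) sets readOnlyRootFilesystem=true on
// each container, but only when BOTH flags are "true". Other securityContext
// fields are preserved. It returns the number of containers changed.
func applyReadOnlyRoot(flags map[string]string, cs []Container) int {
	if flags[flagSecCtx] != "true" || flags[flagReadOnly] != "true" {
		return 0
	}
	changed := 0
	for i := range cs {
		if cs[i].SecurityContext == nil {
			cs[i].SecurityContext = &SecurityContext{}
		}
		if ro := cs[i].SecurityContext.ReadOnlyRootFilesystem; ro == nil || !*ro {
			on := true
			cs[i].SecurityContext.ReadOnlyRootFilesystem = &on
			changed++
		}
	}
	return changed
}

func main() {
	flags := map[string]string{flagSecCtx: "true", flagReadOnly: "true"} // constructed
	cs := []Container{{Name: "prepare"}, {Name: "affinity-assistant"}}   // constructed
	fmt.Println(applyReadOnlyRoot(flags, cs), *cs[0].SecurityContext.ReadOnlyRootFilesystem)
}
```

With a read-only root filesystem, any path a container writes to has to be backed by a mounted volume, so the affected containers need their writable directories on volumes before the flag is turned on.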

Labels

kind/feature: Categorizes issue or PR as related to a new feature.
