From d271315d78ad77d3a8d5808939b2c549b8931551 Mon Sep 17 00:00:00 2001 From: SSIRKC <115729451+SSIRKC@users.noreply.github.com> Date: Wed, 4 Oct 2023 11:27:06 +0200 Subject: [PATCH 01/20] This is a TRG docs addition as announced by the consortia security team. This commit introduces the read-only filesystem security topic as a new mandatory check for Tractus-X source code configuration. --- docs/release/trg-4/trg-4-07.md | 38 ++++++++++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) create mode 100644 docs/release/trg-4/trg-4-07.md diff --git a/docs/release/trg-4/trg-4-07.md b/docs/release/trg-4/trg-4-07.md new file mode 100644 index 00000000000..b1199fda590 --- /dev/null +++ b/docs/release/trg-4/trg-4-07.md @@ -0,0 +1,38 @@ +--- +title: TRG 4.07 - Read-only filesystems +--- + +:::caution +Proposed release date: "mandatory after": 19th of May 2023 +::: + +| Status | Created | Post-History | +|------------|--------------|----------------------------------------| +| Draft | 03-Octo-2023 | Initial contribution | + +## Why + +A read-only root filesystem helps to limit the impact of a compromised container on a Kubernetes node. It is recommended to utilize read-only filesystems when possible. This prevents a malicious process or application from writing back to the host system. Read-only filesystems are a key component to preventing container breakout. + +## Description + +Whether this container has a read-only root filesystem. Default is false. + +### Implementation + +The container's **Pod resource file (yaml)** has to be modified to set rights to read-only. + +Mounts the container's root filesystem as read-only: + +```yaml +apiVersion: v1 +kind: Pod +metadata: + name: read-only-fs +spec: + containers: + + securityContext: + #read-only fs explicitly defined + readOnlyRootFilesystem: true +``` \ No newline at end of file From f4d8d31c0b5b011a5dfb4701c1ef36ddcd6a40fe Mon Sep 17 00:00:00 2001 
From: SSIRKC <115729451+SSIRKC@users.noreply.github.com> Date: Wed, 4 Oct 2023 11:35:24 +0200 Subject: [PATCH 02/20] Update trg-4-07.md Added line at the end --- docs/release/trg-4/trg-4-07.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/release/trg-4/trg-4-07.md b/docs/release/trg-4/trg-4-07.md index b1199fda590..afd5056f6b9 100644 --- a/docs/release/trg-4/trg-4-07.md +++ b/docs/release/trg-4/trg-4-07.md @@ -35,4 +35,4 @@ spec: securityContext: #read-only fs explicitly defined readOnlyRootFilesystem: true -``` \ No newline at end of file +``` From 72306f74c3e32b9b2d316e75eb2baac7fe5a7f30 Mon Sep 17 00:00:00 2001 From: SSIRKC <115729451+SSIRKC@users.noreply.github.com> Date: Thu, 5 Oct 2023 15:20:58 +0200 Subject: [PATCH 03/20] Update trg-4-07.md Added better description as suggested and added release guideline suggestions. --- docs/release/trg-4/trg-4-07.md | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/docs/release/trg-4/trg-4-07.md b/docs/release/trg-4/trg-4-07.md index afd5056f6b9..33442541877 100644 --- a/docs/release/trg-4/trg-4-07.md +++ b/docs/release/trg-4/trg-4-07.md @@ -3,7 +3,7 @@ title: TRG 4.07 - Read-only filesystems --- :::caution -Proposed release date: "mandatory after": 19th of May 2023 +Proposed release date: "mandatory after": 01st of Nov 2023 ::: | Status | Created | Post-History | 
@@ -12,11 +12,15 @@ Proposed release date: "mandatory after": 19th of May 2023 ## Why -A read-only root filesystem helps to limit the impact of a compromised container on a Kubernetes node. It is recommended to utilize read-only filesystems when possible. This prevents a malicious process or application from writing back to the host system. Read-only filesystems are a key component to preventing container breakout. +The read-only root filesystem right can limit the impact of container compromise when set properly. +This can prevent malicous processes or applications from writing back to the host file system. +Such a setting can be an extra protection layer to prevent an attack. ## Description -Whether this container has a read-only root filesystem. Default is false. +The read-only filesystem configuration is defined in the deployment yaml. The security context parameters are assigned to the pod. +This ensures that unpriviledged access cannot be abused to install malicous software of write to the file system. This control is by default false. +Therefore it is to be considered for each deployment if the flag can be set to the recommended value "true". Only read in this case. ### Implementation @@ -33,6 +37,6 @@ spec: containers: securityContext: - #read-only fs explicitly defined + #read-only and prevent writing to the root file system readOnlyRootFilesystem: true ``` From 38af54157b4b55b94c4e73a283cfaf00f31f5dca Mon Sep 17 00:00:00 2001 From: SSIRKC <115729451+SSIRKC@users.noreply.github.com> Date: Thu, 5 Oct 2023 15:28:13 +0200 Subject: [PATCH 04/20] Update trg-4-07.md Added trailing spaces --- docs/release/trg-4/trg-4-07.md | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/docs/release/trg-4/trg-4-07.md b/docs/release/trg-4/trg-4-07.md index 33442541877..da831eee252 100644 --- a/docs/release/trg-4/trg-4-07.md +++ b/docs/release/trg-4/trg-4-07.md 
@@ -1,42 +1,43 @@ --- -title: TRG 4.07 - Read-only filesystems +title: TRG 4.07 - Read-only filesystems --- :::caution -Proposed release date: "mandatory after": 01st of Nov 2023 +Proposed release date: "mandatory after": 01st of Nov 2023 ::: | Status | Created | Post-History | |------------|--------------|----------------------------------------| | Draft | 03-Octo-2023 | Initial contribution | -## Why +## Why The read-only root filesystem right can limit the impact of container compromise when set properly. This can prevent malicous processes or applications from writing back to the host file system. Such a setting can be an extra protection layer to prevent an attack. -## Description +## Description The read-only filesystem configuration is defined in the deployment yaml. The security context parameters are assigned to the pod. This ensures that unpriviledged access cannot be abused to install malicous software of write to the file system. This control is by default false. Therefore it is to be considered for each deployment if the flag can be set to the recommended value "true". Only read in this case. -### Implementation +### Implementation The container's **Pod resource file (yaml)** has to be modified to set rights to read-only. Mounts the container's root filesystem as read-only: -```yaml +```yaml apiVersion: v1 kind: Pod metadata: - name: read-only-fs + name: read-only spec: containers: securityContext: #read-only and prevent writing to the root file system readOnlyRootFilesystem: true -``` +``` + From aafb990f0fcbf70241bb4c4362bc198a98ba86c8 Mon Sep 17 00:00:00 2001 From: SSIRKC <115729451+SSIRKC@users.noreply.github.com> Date: Thu, 5 Oct 2023 15:36:23 +0200 Subject: [PATCH 05/20] Update trg-4-07.md Removed spaces --- docs/release/trg-4/trg-4-07.md | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/docs/release/trg-4/trg-4-07.md b/docs/release/trg-4/trg-4-07.md index da831eee252..f6629704ee2 100644 
--- a/docs/release/trg-4/trg-4-07.md +++ b/docs/release/trg-4/trg-4-07.md @@ -10,25 +10,25 @@ Proposed release date: "mandatory after": 01st of Nov 2023 |------------|--------------|----------------------------------------| | Draft | 03-Octo-2023 | Initial contribution | -## Why +## Why -The read-only root filesystem right can limit the impact of container compromise when set properly. +The read-only root filesystem right can limit the impact of container compromise when set properly. This can prevent malicous processes or applications from writing back to the host file system. Such a setting can be an extra protection layer to prevent an attack. -## Description +## Description The read-only filesystem configuration is defined in the deployment yaml. The security context parameters are assigned to the pod. This ensures that unpriviledged access cannot be abused to install malicous software of write to the file system. This control is by default false. Therefore it is to be considered for each deployment if the flag can be set to the recommended value "true". Only read in this case. -### Implementation +### Implementation The container's **Pod resource file (yaml)** has to be modified to set rights to read-only. Mounts the container's root filesystem as read-only: -```yaml +```yaml apiVersion: v1 kind: Pod metadata: @@ -39,5 +39,4 @@ spec: securityContext: #read-only and prevent writing to the root file system readOnlyRootFilesystem: true -``` - +``` From 009b95f68ffa907410af6a7f2834cae6473bb317 Mon Sep 17 00:00:00 2001 From: SSIRKC <115729451+SSIRKC@users.noreply.github.com> Date: Thu, 5 Oct 2023 15:39:52 +0200 Subject: [PATCH 06/20] Update trg-4-07.md removed space --- docs/release/trg-4/trg-4-07.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/release/trg-4/trg-4-07.md b/docs/release/trg-4/trg-4-07.md index f6629704ee2..5ab96627689 100644 --- a/docs/release/trg-4/trg-4-07.md +++ b/docs/release/trg-4/trg-4-07.md 
@@ -3,7 +3,7 @@ title: TRG 4.07 - Read-only filesystems --- :::caution -Proposed release date: "mandatory after": 01st of Nov 2023 +Proposed release date: "mandatory after": 01st of Nov 2023 ::: | Status | Created | Post-History | From ce4612755d0a664655497e9f0035cd68dc7b7fcc Mon Sep 17 00:00:00 2001 From: SSIRKC <115729451+SSIRKC@users.noreply.github.com> Date: Fri, 6 Oct 2023 09:31:05 +0200 Subject: [PATCH 07/20] Update and rename trg-4-07.md to trg-4-7.md changed directory to trg 0 as requested --- docs/release/{trg-4/trg-4-07.md => trg-0/trg-4-7.md} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename docs/release/{trg-4/trg-4-07.md => trg-0/trg-4-7.md} (100%) diff --git a/docs/release/trg-4/trg-4-07.md b/docs/release/trg-0/trg-4-7.md similarity index 100% rename from docs/release/trg-4/trg-4-07.md rename to docs/release/trg-0/trg-4-7.md From 507cb46a8f7f8762d663fcb4a0bfdc9dab11b8c3 Mon Sep 17 00:00:00 2001 From: SSIRKC <115729451+SSIRKC@users.noreply.github.com> Date: Fri, 6 Oct 2023 09:32:40 +0200 Subject: [PATCH 08/20] Update and rename trg-4-7.md to trg-4-07.md typo --- docs/release/trg-0/{trg-4-7.md => trg-4-07.md} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename docs/release/trg-0/{trg-4-7.md => trg-4-07.md} (100%) diff --git a/docs/release/trg-0/trg-4-7.md b/docs/release/trg-0/trg-4-07.md similarity index 100% rename from docs/release/trg-0/trg-4-7.md rename to docs/release/trg-0/trg-4-07.md From 25ffc113d706b5e23675ebc081e0a113fc98f4dc Mon Sep 17 00:00:00 2001 From: SSIRKC <115729451+SSIRKC@users.noreply.github.com> Date: Fri, 6 Oct 2023 10:12:51 +0200 Subject: [PATCH 09/20] Update trg-4-07.md typo --- docs/release/trg-0/trg-4-07.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/release/trg-0/trg-4-07.md b/docs/release/trg-0/trg-4-07.md index 5ab96627689..fe04f86fbd2 100644 --- a/docs/release/trg-0/trg-4-07.md +++ b/docs/release/trg-0/trg-4-07.md 
@@ -3,7 +3,7 @@ title: TRG 4.07 - Read-only filesystems --- :::caution -Proposed release date: "mandatory after": 01st of Nov 2023 +Proposed release date: 01st of Nov 2023 ::: | Status | Created | Post-History | From 50b946ad057e5fed140d2360dce530cc307ce603 Mon Sep 17 00:00:00 2001 From: SSIRKC <115729451+SSIRKC@users.noreply.github.com> Date: Tue, 10 Oct 2023 13:55:41 +0200 Subject: [PATCH 10/20] Apply suggestions from code review Co-authored-by: Florian Rusch (ZF Friedrichshafen AG) --- docs/release/trg-0/trg-4-07.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/docs/release/trg-0/trg-4-07.md b/docs/release/trg-0/trg-4-07.md index fe04f86fbd2..46c7cadcbad 100644 --- a/docs/release/trg-0/trg-4-07.md +++ b/docs/release/trg-0/trg-4-07.md @@ -29,14 +29,14 @@ The container's **Pod resource file (yaml)** has to be modified to set rights to Mounts the container's root filesystem as read-only: ```yaml -apiVersion: v1 -kind: Pod -metadata: +apiVersion: v1 +kind: Pod +metadata: name: read-only -spec: - containers: - - securityContext: - #read-only and prevent writing to the root file system +spec: + containers: + ... + securityContext: + # read-only and prevent writing to the root file system readOnlyRootFilesystem: true ``` From 543c511bdfa1e52474205d552342611c7a345441 Mon Sep 17 00:00:00 2001 From: SSIRKC <115729451+SSIRKC@users.noreply.github.com> Date: Tue, 10 Oct 2023 13:59:21 +0200 Subject: [PATCH 11/20] Update trg-4-07.md added tmp mount insturctions by CJung --- docs/release/trg-0/trg-4-07.md | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/docs/release/trg-0/trg-4-07.md b/docs/release/trg-0/trg-4-07.md index 46c7cadcbad..93f25d2754f 100644 --- a/docs/release/trg-0/trg-4-07.md +++ b/docs/release/trg-0/trg-4-07.md 
@@ -40,3 +40,22 @@ spec: # read-only and prevent writing to the root file system readOnlyRootFilesystem: true ``` + +###Temporary Folders (If needed) + +In the case that an executable in your container should need a temporary folder for logging or spooling purposes, you can mount a writable emptydir volume as follows: + +apiVersion: v1 +kind: Pod +metadata: + name: temporary-folder +spec: + containers: + - name: sample-container-which-needs-temporary-folder + volumeMounts: + - name: tempfolder + mountPath: /tmp + readOnly: false + volumes: + - name: tempfolder + emptyDir: {} From b4f293245246a2cf84d6e0fd63c3be801e46b603 Mon Sep 17 00:00:00 2001 From: SSIRKC <115729451+SSIRKC@users.noreply.github.com> Date: Tue, 10 Oct 2023 14:00:03 +0200 Subject: [PATCH 12/20] Update trg-4-07.md yaml edit --- docs/release/trg-0/trg-4-07.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/release/trg-0/trg-4-07.md b/docs/release/trg-0/trg-4-07.md index 93f25d2754f..8980296ebb2 100644 --- a/docs/release/trg-0/trg-4-07.md +++ b/docs/release/trg-0/trg-4-07.md @@ -45,6 +45,7 @@ spec: In the case that an executable in your container should need a temporary folder for logging or spooling purposes, you can mount a writable emptydir volume as follows: +```yaml apiVersion: v1 kind: Pod metadata: @@ -59,3 +60,4 @@ spec: volumes: - name: tempfolder emptyDir: {} +``` From f6125e227dbd5355f5855edb081366efd1f35af8 Mon Sep 17 00:00:00 2001 From: SSIRKC <115729451+SSIRKC@users.noreply.github.com> Date: Tue, 10 Oct 2023 14:00:38 +0200 Subject: [PATCH 13/20] Update trg-4-07.md typo --- docs/release/trg-0/trg-4-07.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/release/trg-0/trg-4-07.md b/docs/release/trg-0/trg-4-07.md index 8980296ebb2..fe68aea71a6 100644 --- a/docs/release/trg-0/trg-4-07.md +++ b/docs/release/trg-0/trg-4-07.md 
@@ -41,7 +41,7 @@ spec: readOnlyRootFilesystem: true ``` -###Temporary Folders (If needed) +### Temporary Folders (If needed) In the case that an executable in your container should need a temporary folder for logging or spooling purposes, you can mount a writable emptydir volume as follows: From 62b9dc23e2fc9d3c8929009748382bec024fda6b Mon Sep 17 00:00:00 2001 From: SSIRKC <115729451+SSIRKC@users.noreply.github.com> Date: Tue, 10 Oct 2023 14:12:21 +0200 Subject: [PATCH 14/20] Update trg-4-07.md fixes --- docs/release/trg-0/trg-4-07.md | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/docs/release/trg-0/trg-4-07.md b/docs/release/trg-0/trg-4-07.md index fe68aea71a6..371aa74554a 100644 --- a/docs/release/trg-0/trg-4-07.md +++ b/docs/release/trg-0/trg-4-07.md @@ -36,13 +36,14 @@ metadata: spec: containers: ... - securityContext: - # read-only and prevent writing to the root file system - readOnlyRootFilesystem: true + securityContext: + # read-only and prevent writing to the root file system + readOnlyRootFilesystem: true ``` ### Temporary Folders (If needed) +A temporary filesystem (tmpfs) works similiar like a regular volume. Everything written to this filesystem will is removed when the container gets terminated. In the case that an executable in your container should need a temporary folder for logging or spooling purposes, you can mount a writable emptydir volume as follows: ```yaml @@ -52,12 +53,15 @@ metadata: name: temporary-folder spec: containers: - - name: sample-container-which-needs-temporary-folder + - name: sample-container-which-needs-temporary-folder + image: your-image + securityContext: + readOnlyRootFilesystem: true volumeMounts: - name: tempfolder mountPath: /tmp readOnly: false - volumes: - - name: tempfolder - emptyDir: {} + volumes: + - name: tempfolder + emptyDir: {} ``` From 6b92bad61bd21db91ead7206582cdf84df416126 Mon Sep 17 00:00:00 2001 
From: SSIRKC <115729451+SSIRKC@users.noreply.github.com> Date: Tue, 10 Oct 2023 14:30:17 +0200 Subject: [PATCH 15/20] Update trg-4-07.md Added implementation samples by Florian --- docs/release/trg-0/trg-4-07.md | 32 +++++++++++++++++++++++++++++--- 1 file changed, 29 insertions(+), 3 deletions(-) diff --git a/docs/release/trg-0/trg-4-07.md b/docs/release/trg-0/trg-4-07.md index 371aa74554a..557641c5a47 100644 --- a/docs/release/trg-0/trg-4-07.md +++ b/docs/release/trg-0/trg-4-07.md 
@@ -36,10 +36,36 @@ metadata: spec: containers: ... - securityContext: - # read-only and prevent writing to the root file system - readOnlyRootFilesystem: true + # The [container security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) defines privilege and access control settings for a Container within a pod + securityContext: + capabilities: + # -- Specifies which capabilities to drop to reduce syscall attack surface + drop: + - ALL + # -- Specifies which capabilities to add to issue specialized syscalls + add: [] + # -- Whether the root filesystem is mounted in read-only mode + readOnlyRootFilesystem: true + # -- Controls [Privilege Escalation](https://kubernetes.io/docs/concepts/security/pod-security-policy/#privilege-escalation) enabling setuid binaries changing the effective user ID + allowPrivilegeEscalation: false + # -- Requires the container to run without root privileges + runAsNonRoot: true + # -- The container's process will run with the specified uid + runAsUser: 10001 ``` +Checkout these great Tractus-X template examples. + +K8s Deployment: + +https://github.com/eclipse-tractusx/tractusx-edc/blob/112fc6e86202ce6a64a88142899a425abfbfd364/charts/tractusx-connector/templates/deployment-controlplane.yaml#L54-L55 + +https://github.com/eclipse-tractusx/tractusx-edc/blob/112fc6e86202ce6a64a88142899a425abfbfd364/charts/tractusx-connector/templates/deployment-controlplane.yaml#L81-L82 + +Values.yaml: + +https://github.com/eclipse-tractusx/tractusx-edc/blob/112fc6e86202ce6a64a88142899a425abfbfd364/charts/tractusx-connector/values.yaml#L145-L155 + +https://github.com/eclipse-tractusx/tractusx-edc/blob/112fc6e86202ce6a64a88142899a425abfbfd364/charts/tractusx-connector/values.yaml#L156-L171 ### Temporary Folders (If needed) From b22bec9c3cf7d8b89f1d2bf22cac8fa231c9779c Mon Sep 17 00:00:00 2001 
From: SSIRKC <115729451+SSIRKC@users.noreply.github.com> Date: Tue, 10 Oct 2023 14:37:00 +0200 Subject: [PATCH 16/20] Update trg-4-07.md fixed urls --- docs/release/trg-0/trg-4-07.md | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/docs/release/trg-0/trg-4-07.md b/docs/release/trg-0/trg-4-07.md index 557641c5a47..112e77fd95b 100644 --- a/docs/release/trg-0/trg-4-07.md +++ b/docs/release/trg-0/trg-4-07.md 
@@ -53,19 +53,20 @@ spec: # -- The container's process will run with the specified uid runAsUser: 10001 ``` + Checkout these great Tractus-X template examples. K8s Deployment: -https://github.com/eclipse-tractusx/tractusx-edc/blob/112fc6e86202ce6a64a88142899a425abfbfd364/charts/tractusx-connector/templates/deployment-controlplane.yaml#L54-L55 +[EDC Security Context 1](https://github.com/eclipse-tractusx/tractusx-edc/blob/112fc6e86202ce6a64a88142899a425abfbfd364/charts/tractusx-connector/templates/deployment-controlplane.yaml#L54-L55) -https://github.com/eclipse-tractusx/tractusx-edc/blob/112fc6e86202ce6a64a88142899a425abfbfd364/charts/tractusx-connector/templates/deployment-controlplane.yaml#L81-L82 +[EDC Security Context 2](https://github.com/eclipse-tractusx/tractusx-edc/blob/112fc6e86202ce6a64a88142899a425abfbfd364/charts/tractusx-connector/templates/deployment-controlplane.yaml#L81-L82) Values.yaml: -https://github.com/eclipse-tractusx/tractusx-edc/blob/112fc6e86202ce6a64a88142899a425abfbfd364/charts/tractusx-connector/values.yaml#L145-L155 +[EDC Security Context 3](https://github.com/eclipse-tractusx/tractusx-edc/blob/112fc6e86202ce6a64a88142899a425abfbfd364/charts/tractusx-connector/values.yaml#L145-L155) -https://github.com/eclipse-tractusx/tractusx-edc/blob/112fc6e86202ce6a64a88142899a425abfbfd364/charts/tractusx-connector/values.yaml#L156-L171 +[EDC Security Context 4](https://github.com/eclipse-tractusx/tractusx-edc/blob/112fc6e86202ce6a64a88142899a425abfbfd364/charts/tractusx-connector/values.yaml#L156-L171) ### Temporary Folders (If needed) From 9ca3b40c6aff642b155e8740b4168996e0e73a3b Mon Sep 17 00:00:00 2001 From: SSIRKC <115729451+SSIRKC@users.noreply.github.com> Date: Wed, 11 Oct 2023 08:39:00 +0200 Subject: [PATCH 17/20] Update docs/release/trg-0/trg-4-07.md Co-authored-by: Florian Rusch (ZF Friedrichshafen AG) --- docs/release/trg-0/trg-4-07.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/docs/release/trg-0/trg-4-07.md b/docs/release/trg-0/trg-4-07.md index 112e77fd95b..234076eed8f 100644 --- a/docs/release/trg-0/trg-4-07.md +++ b/docs/release/trg-0/trg-4-07.md @@ -85,9 +85,9 @@ spec: securityContext: readOnlyRootFilesystem: true volumeMounts: - - name: tempfolder - mountPath: /tmp - readOnly: false + - name: tempfolder + mountPath: /tmp + readOnly: false volumes: - name: tempfolder emptyDir: {} From 8126f09480660477d5c5401ac14bf3c501c11f1c Mon Sep 17 00:00:00 2001 From: SSIRKC <115729451+SSIRKC@users.noreply.github.com> Date: Tue, 17 Oct 2023 15:58:24 +0200 Subject: [PATCH 18/20] Update docs/release/trg-0/trg-4-07.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Gábor Almádi <47537664+almadigabor@users.noreply.github.com> --- docs/release/trg-0/trg-4-07.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/release/trg-0/trg-4-07.md b/docs/release/trg-0/trg-4-07.md index 234076eed8f..79503e40932 100644 --- a/docs/release/trg-0/trg-4-07.md +++ b/docs/release/trg-0/trg-4-07.md @@ -70,7 +70,7 @@ Values.yaml: ### Temporary Folders (If needed) -A temporary filesystem (tmpfs) works similiar like a regular volume. Everything written to this filesystem will is removed when the container gets terminated. +A temporary filesystem (tmpfs) works similiar like a regular volume. Everything written to this filesystem will be removed when the container gets terminated. In the case that an executable in your container should need a temporary folder for logging or spooling purposes, you can mount a writable emptydir volume as follows: ```yaml From 5108f97f14c225dd5d7fc0cd20cae699e27ab338 Mon Sep 17 00:00:00 2001 
From: SSIRKC <115729451+SSIRKC@users.noreply.github.com> Date: Thu, 9 Nov 2023 09:38:23 +0100 Subject: [PATCH 19/20] Update trg-4-07.md Added fixes to overwrite tmp --- docs/release/trg-0/trg-4-07.md | 37 ++++++++++++++++++++++++++++++++++ 1 file changed, 37 insertions(+) diff --git a/docs/release/trg-0/trg-4-07.md b/docs/release/trg-0/trg-4-07.md index 79503e40932..7297522669c 100644 --- a/docs/release/trg-0/trg-4-07.md +++ b/docs/release/trg-0/trg-4-07.md @@ -9,6 +9,7 @@ Proposed release date: 01st of Nov 2023 | Status | Created | Post-History | |------------|--------------|----------------------------------------| | Draft | 03-Octo-2023 | Initial contribution | +| Draft | 11-Nove-2023 | Added fixes to overwrite tmp | ## Why @@ -53,6 +54,42 @@ spec: # -- The container's process will run with the specified uid runAsUser: 10001 ``` +In some cases you might encounter the issue that tmp cannot be overwritten: +```log +[emerg] 1#1: mkdir() "/tmp/proxy_temp" failed (30: Read-only file system) +nginx: [emerg] mkdir() "/tmp/proxy_temp" failed (30: Read-only file system) +``` +To fix this you need to make tmp writeable and mount /tmp to emptyDir. + +```yaml + spec: + securityContext: + runAsUser: 999 + containers: + - image: nginxinc/nginx-unprivileged:latest + imagePullPolicy: Always + name: nginx + ports: + - containerPort: 8080 //ONLY open ports that are necessary to run + protocol: TCP + securityContext: + capabilities: + drop: + - NET_RAW //ONLY required if your containers have NET_RAW capability + runAsNonRoot: true + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + resources: //Set proper limits for your container + . + . + . + volumeMounts: + - mountPath: /tmp + name: tmp + volumes: + - emptyDir: {} + name: tmp +``` Checkout these great Tractus-X template examples. From e3ec29852266dc6f9ac1544a6bb637f463ed3b75 Mon Sep 17 00:00:00 2001 
From: SSIRKC <115729451+SSIRKC@users.noreply.github.com> Date: Thu, 9 Nov 2023 09:46:19 +0100 Subject: [PATCH 20/20] Update trg-4-07.md added blanks --- docs/release/trg-0/trg-4-07.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/docs/release/trg-0/trg-4-07.md b/docs/release/trg-0/trg-4-07.md index 7297522669c..8e405a71a74 100644 --- a/docs/release/trg-0/trg-4-07.md +++ b/docs/release/trg-0/trg-4-07.md @@ -54,11 +54,14 @@ spec: # -- The container's process will run with the specified uid runAsUser: 10001 ``` + In some cases you might encounter the issue that tmp cannot be overwritten: + ```log [emerg] 1#1: mkdir() "/tmp/proxy_temp" failed (30: Read-only file system) nginx: [emerg] mkdir() "/tmp/proxy_temp" failed (30: Read-only file system) ``` + To fix this you need to make tmp writeable and mount /tmp to emptyDir. ```yaml
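Review bot: in the PATCH 01/20 hunk that creates docs/release/trg-4/trg-4-07.md, the example Pod manifest is not valid Kubernetes YAML: `containers:` is a list but has no list item, and `securityContext:` sits directly under `containers:` at the same indentation, so it is neither a container security context nor a pod-level one. `readOnlyRootFilesystem` is only a field of the container `securityContext` (not of the pod-level `PodSecurityContext`), so the snippet needs a container entry, e.g. `containers:` / `- name: app` / `image: <image>` with `securityContext:` / `readOnlyRootFilesystem: true` nested under it. Two smaller points in the same hunk: the caution box says "mandatory after 19th of May 2023" on a document whose table says it was created 03-Oct-2023, so the deadline is already in the past, and the 'Why' sentence "Read-only filesystems are a key component to preventing container breakout" overstates the control; a read-only root filesystem limits tampering and persistence inside the container, it does not stop a kernel or runtime escape, so "limits the impact of a compromised container" is the accurate claim.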
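Review bot: in the PATCH 03/20 hunk rewriting the 'Why' and 'Description' sections, "This ensures that unpriviledged access cannot be abused to install malicous software of write to the file system" is too strong: `readOnlyRootFilesystem` only covers the container's root filesystem, so anything mounted as a writable volume (including the emptyDir this page later recommends for `/tmp`) and memory-only payloads remain writable or executable. Suggest "makes the root filesystem immutable, so an attacker cannot modify the image's binaries or persist files outside explicitly writable volumes". Also fix the typos in the hunk: "malicous" -> "malicious", "unpriviledged" -> "unprivileged", "of write" -> "or write", and "Only read in this case." is a dangling fragment that should be folded into the previous sentence.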
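Review bot: the PATCH 04/20 hunk only appends trailing whitespace to the title, the `:::caution` line, three headings and the code fence (plus renaming the Pod from `read-only-fs` to `read-only`), and PATCH 05/20 and PATCH 06/20 then strip that whitespace again. Trailing spaces after a heading or fence carry no meaning and are flagged by markdownlint; squash these three commits so the series does not contain a no-op round trip, keeping only the Pod rename if it is wanted.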
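Review bot: PATCH 07/20 moves the file to docs/release/trg-0/trg-4-07.md (via an intermediate trg-4-7.md name reverted in PATCH 08/20), but the front matter title is still "TRG 4.07 - Read-only filesystems", so the document is numbered as a TRG 4 item while living in the trg-0 directory; either the title or the location should change so the sidebar and numbering stay consistent. In the PATCH 09/20 hunk, "Proposed release date: 01st of Nov 2023" should read "1st of November 2023", and since the table still lists the status as Draft it should say whether the date is the proposed "mandatory after" date or the publication date. The table's "03-Octo-2023" should use a standard month abbreviation ("03-Oct-2023").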
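Review bot: in the PATCH 10/20 hunk, replacing the empty line under `containers:` with `...` does not fix the structural problem: `securityContext:` still sits at the same indentation as the `...` placeholder directly under `containers:`, so a reader who fills in the placeholder with `- name: ...` ends up with `securityContext` outside the list item, which the API server rejects because `readOnlyRootFilesystem` is not a pod-level field. Write the placeholder as a list item, `- name: app` / `image: ...`, and indent `securityContext:` under it.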
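Review bot: in the PATCH 11/20 hunk adding the 'Temporary Folders' section, the manifest is inserted without a code fence and under a `###Temporary Folders` heading that Markdown does not recognise (both fixed in PATCH 12/20 and PATCH 13/20, so the three should be squashed); the container has no `image:` and no `securityContext` with `readOnlyRootFilesystem: true`, which is the whole point of showing an emptyDir next to a read-only root (PATCH 14/20 adds both); and `readOnly: false` on the volumeMount is the default and can be dropped. Consider `emptyDir:` with a `sizeLimit:` so a writable `/tmp` cannot be used to fill the node's disk.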
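Review bot: the sentence added in the PATCH 14/20 hunk, "A temporary filesystem (tmpfs) works similiar like a regular volume. Everything written to this filesystem will is removed when the container gets terminated." (grammar partly fixed in PATCH 18/20), does not describe the manifest below it: `emptyDir: {}` is backed by the node's disk, not tmpfs; only `emptyDir:` with `medium: Memory` is a tmpfs mount. An emptyDir is also deleted when the Pod is removed from the node, not when a container terminates, so its contents survive container restarts within the same Pod. Suggest: "An emptyDir volume is created when the Pod is scheduled and deleted when the Pod is removed from the node; it survives container restarts. Set `medium: Memory` for a RAM-backed tmpfs." and change "similiar like" to "similar to".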
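Review bot: in the PATCH 15/20 hunk, the expanded `securityContext` block is still placed after `...` directly under `containers:` rather than inside a container list item (the same issue as the earlier hunks), and the comment on `allowPrivilegeEscalation` links to the PodSecurityPolicy page; PodSecurityPolicy is deprecated and was removed in Kubernetes 1.25, so link the security-context page or the Pod Security Standards instead. The `# --` comment prefixes are a helm-docs convention and look odd in a plain Pod manifest. Pinning the four tractusx-edc links to commit 112fc6e8 is the right call since line anchors would otherwise drift; "Checkout these great Tractus-X template examples" should read "Check out these Tractus-X template examples", and in the PATCH 16/20 hunk the link texts "EDC Security Context 1" to "4" should say what each link shows (controlplane deployment template vs. values.yaml).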
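Review bot: in the PATCH 19/20 hunk adding the nginx example, the manifest does not parse as intended because YAML comments start with `#`, not `//`: `containerPort: 8080 //ONLY open ports that are necessary to run` becomes a string value for an integer field, `- NET_RAW //ONLY required if your containers have NET_RAW capability` drops a capability literally named "NET_RAW //ONLY required ...", and `resources: //Set proper limits for your container` followed by three `.` lines is invalid. Replace `//` with `#` and the `.` lines with a real `resources:` stanza or a `# ...` comment. The example also drops only `NET_RAW` while the block above it drops `ALL`, sets `runAsUser: 999` at Pod level while the earlier example uses `runAsUser: 10001` (verify 999 matches the uid the unprivileged nginx image is built for, otherwise its directories will not be writable), and pulls `nginxinc/nginx-unprivileged:latest` with `imagePullPolicy: Always`, which should be pinned to a tag or digest in a guideline page. In the prose, "tmp cannot be overwritten" should be "/tmp cannot be written to", and it is worth stating that the `mkdir() "/tmp/proxy_temp" failed (30: Read-only file system)` error is the expected consequence of `readOnlyRootFilesystem: true`, not a bug. The new table row "11-Nove-2023" uses a non-standard month abbreviation and does not match the commit date of 9 Nov 2023.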