Support readOnlyRootFilesystem=true in KEDA metric adapter #3292

Closed
joebowbeer opened this issue Jun 27, 2022 · 4 comments
Labels
feature-request All issues for new features that have not been committed to needs-discussion

Comments

@joebowbeer
Contributor

joebowbeer commented Jun 27, 2022

Proposal

Configure keda-metrics-apiserver to run with readOnlyRootFilesystem=true, or at least document how to configure this.

See suggested solution in discussion #2880

Relates to #2938 which omitted this setting from keda-metrics-apiserver

Use-Case

Enable KEDA to pass security audit.

While readOnlyRootFilesystem=true is not required by PSS/restricted, it is a recommended security best practice and may be required by other policies.

Anything else?

No response

@joebowbeer joebowbeer added feature-request All issues for new features that have not been committed to needs-discussion labels Jun 27, 2022
@tomkerkhove tomkerkhove moved this to Proposed in Roadmap - KEDA Core Jun 27, 2022
@tomkerkhove tomkerkhove moved this from Proposed to To Do in Roadmap - KEDA Core Jul 11, 2022
@tomkerkhove
Member

I will let @zroubalik determine if we want to do this, because from what I'm seeing on #2880 this is something that the end-user has to do and we should provide better docs on.

We cannot run KEDA with full readOnlyRootFilesystem as far as I know.

@tomkerkhove tomkerkhove changed the title Support readOnlyRootFilesystem=true in keda-metrics-apiserver Support readOnlyRootFilesystem=true in KEDA metric adapter Jul 11, 2022
@joebowbeer
Contributor Author

joebowbeer commented Jul 19, 2022

@tomkerkhove in #2880 @zroubalik asked for someone to create a doc PR.

IIUC, @ygnr was able to accomplish this by setting mountPath to /apiserver.local.config/certificates/

--set volumes.metricsApiServer.extraVolumes[0].name=keda-volume
--set volumes.metricsApiServer.extraVolumeMounts[0].name=keda-volume
--set volumes.metricsApiServer.extraVolumeMounts[0].mountPath=/apiserver.local.config/certificates/

and then setting readOnlyRootFilesystem to true in the securityContext of metricServer
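
An audit check for the configuration described in the comment above, added here as an example (not code from the KEDA project or from any participant in this thread). It takes a pod spec as a dict and reports containers that lack `readOnlyRootFilesystem: true` or that have no writable mount covering the certificate path. The `emptyDir` volume type, the function names and the sample spec are assumptions made for the example.

```python
import posixpath

# Writable path taken from the comment above; treating it as the only path
# the adapter writes to is an assumption of this example.
REQUIRED_WRITABLE = ["/apiserver.local.config/certificates"]

def _covers(mount_path, target):
    """True if target is mount_path itself or lies beneath it."""
    m = posixpath.normpath(mount_path)
    t = posixpath.normpath(target)
    return t == m or t.startswith(m.rstrip("/") + "/")

def audit_pod_spec(pod_spec, required=REQUIRED_WRITABLE):
    """Return a list of findings; an empty list means the spec passes."""
    findings = []
    # Only emptyDir volumes are treated as writable scratch space (assumption).
    writable = {v["name"] for v in pod_spec.get("volumes", []) if "emptyDir" in v}
    for c in pod_spec.get("containers", []):
        sc = c.get("securityContext") or {}
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append(f"{c['name']}: readOnlyRootFilesystem is not true")
        mounts = [m for m in c.get("volumeMounts", [])
                  if m["name"] in writable and not m.get("readOnly", False)]
        for path in required:
            if not any(_covers(m["mountPath"], path) for m in mounts):
                findings.append(f"{c['name']}: no writable mount covers {path}")
    return findings

def sample_spec(read_only_root, with_mount):
    """Constructed pod spec (not KEDA's real manifest) for demonstration."""
    container = {
        "name": "keda-metrics-apiserver",
        "securityContext": {"readOnlyRootFilesystem": read_only_root},
        "volumeMounts": [],
    }
    spec = {"containers": [container], "volumes": []}
    if with_mount:
        spec["volumes"].append({"name": "keda-volume", "emptyDir": {}})
        container["volumeMounts"].append(
            {"name": "keda-volume",
             "mountPath": "/apiserver.local.config/certificates/"})
    return spec

if __name__ == "__main__":
    for ro, mnt in [(False, False), (True, False), (True, True)]:
        print(ro, mnt, audit_pod_spec(sample_spec(ro, mnt)))
```
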

@zroubalik
Member

zroubalik commented Jul 20, 2022

Yeah, it is partly covered in FAQ: https://keda.sh/docs/2.7/faq/

Though we can definitely improve it, @joebowbeer mind opening a PR on https://github.com/kedacore/keda-docs with changes that would make it more clear to you?

@joebowbeer
Contributor Author

Created PR kedacore/keda-docs#830 to improve FAQ answer

Repository owner moved this from To Do to Ready To Ship in Roadmap - KEDA Core Jul 21, 2022
@tomkerkhove tomkerkhove moved this from Ready To Ship to Done in Roadmap - KEDA Core Aug 3, 2022