Add support for read-only root filesystem and enable by default (#235)

* Change /tmp/ansible-operator/runner volume mount path to just /tmp so other services may write to ephemeral volume * mount emptyDir to ansible tmp directory * remove opt mount and create env variable for ANSIBlE_LOCAL_TEMP * Update localAnsibleTmpPath default value to /tmp/ansible/tmp for better organization * read-only filesystem enabled by default * hardcode ANSIBLE_LOCAL_TEMP to prevent changes * move ANSIBLE_LOCAL_TEMP down with other ansible env vars * add ANSIBLE_REMOTE_TEMP env var
kiali · Nov 30, 2023 · a0b4df2 · a0b4df2
1 parent f995a1d
commit a0b4df2
Showing 1 changed file with 8 additions and 3 deletions.
diff --git a/kiali-operator/templates/deployment.yaml b/kiali-operator/templates/deployment.yaml
@@ -61,13 +61,14 @@ spec:
           allowPrivilegeEscalation: false
           privileged: false
           runAsNonRoot: true
+          readOnlyRootFilesystem: true
           capabilities:
             drop:
             - ALL
         {{- end }}
         volumeMounts:
-        - mountPath: /tmp/ansible-operator/runner
-          name: runner
+        - mountPath: /tmp
+          name: tmp
         env:
         - name: WATCH_NAMESPACE
           value: {{ .Values.watchNamespace | default "\"\""  }}
@@ -109,6 +110,10 @@ spec:
         {{- else }}
           value: "/etc/ansible/ansible.cfg"
         {{- end }}
+        - name: ANSIBLE_LOCAL_TEMP
+          value: "/tmp/ansible/tmp"
+        - name: ANSIBLE_REMOTE_TEMP
+          value: "/tmp/ansible/tmp"
         {{- if .Values.env }}
         {{- toYaml .Values.env | nindent 8 }}
         {{- end }}
@@ -120,7 +125,7 @@ spec:
         {{- toYaml .Values.resources | nindent 10 }}
         {{- end }}
       volumes:
-      - name: runner
+      - name: tmp
         emptyDir: {}
       affinity:
       {{- toYaml .Values.affinity | nindent 8 }}