Mount path /tmp as emptyDir volume #3150

Open
3 tasks done
ggogel opened this issue Dec 17, 2024 · 5 comments
Assignees
Labels
area/charts good first issue Good issue for a new contributor to handle help-wanted Community help on this would be appreciated kind/enhancement priority/normal

Comments

@ggogel

ggogel commented Dec 17, 2024

Checklist

  • I've searched the issue queue to verify this is not a duplicate feature request.
  • I've pasted the output of kargo version, if applicable.
  • I've pasted logs, if applicable.

Proposed Feature

The path /tmp is used in the promotion step git clone to save the cloned git repository. Currently, this path is part of the container's root filesystem. I'm proposing to mount an ephemeral emptyDir volume to this path.

Motivation

We are about to roll out Kargo to our production stage. One of the compliance requirements is to enable the securityContext readOnlyRootFilesystem. This protects the root filesystem of the container from being changed during runtime and therefore increases security. When we enable this, the promotion step git clone fails with the following error:

[image: screenshot of the error output from the git clone promotion step]

Suggested Implementation

I see two possible implementation options in the Kargo Helm Chart:

  1. Allow mounting volumes in any of the containers. Currently, it is only possible to mount volumes in the dex container.
  2. Mount an emptyDir volume in the path /tmp to the container by default.
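As an added illustration (not the Kargo Helm chart's own templates), option 2 from the post expressed as a plain Kubernetes Deployment fragment: the root filesystem stays read-only and only /tmp is writable via an emptyDir. The deployment name, container name, image and namespace are placeholders.

```yaml
# Added example, not Kargo project code. Names, image and namespace are placeholders.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: kargo-controller        # placeholder
  namespace: kargo-system       # placeholder
spec:
  replicas: 1
  selector:
    matchLabels:
      app: kargo-controller
  template:
    metadata:
      labels:
        app: kargo-controller
    spec:
      containers:
        - name: controller
          image: ghcr.io/example/kargo:PLACEHOLDER
          securityContext:
            # The compliance requirement from the issue: the container's
            # root filesystem is immutable at runtime, so any write outside
            # a mounted volume fails with "read-only file system".
            readOnlyRootFilesystem: true
          volumeMounts:
            # The git clone promotion step writes its checkout under /tmp;
            # back that path with a pod-scoped scratch volume instead of
            # the root filesystem.
            - name: tmp
              mountPath: /tmp
      volumes:
        - name: tmp
          emptyDir:
            # Optional cap so an unexpectedly large clone cannot fill the
            # node's disk; the kubelet evicts the pod if it is exceeded.
            sizeLimit: 1Gi
```

The emptyDir is created when the pod is scheduled and deleted when the pod is removed, so cloned repositories do not outlive the pod.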
@krancour
Member

I've been thinking about this for a while as well, albeit for different reasons.

emptyDir seems safe and easy.

Mounting any other sort of volume introduces security implications that I'd rather not grapple with at this point in time.

@krancour krancour added needs/area good first issue Good issue for a new contributor to handle help-wanted Community help on this would be appreciated and removed needs/priority needs/area labels Dec 17, 2024
@SD-13

SD-13 commented Dec 18, 2024

@krancour @ggogel, this issue looks doable. Can I work on this?

@krancour
Member

@SD-13 it's yours.

@RohanMishra315

Hey @SD-13, are you working on this? If not, could I take it?

@SD-13

SD-13 commented Dec 24, 2024

@RohanMishra315, I am working on it. Please pick some other issues.
