Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Mount path /tmp as emptyDir volume #3150

Closed
3 tasks done
ggogel opened this issue Dec 17, 2024 · 7 comments · Fixed by #3218
Closed
3 tasks done

Mount path /tmp as emptyDir volume #3150

ggogel opened this issue Dec 17, 2024 · 7 comments · Fixed by #3218
Assignees
@ggogel
Labels
area/charts good first issue Good issue for a new contributor to handle help-wanted Community help on this would be appreciated kind/enhancement priority/normal
Milestone
v1.2.0

Comments

@ggogel
Copy link
Contributor

ggogel commented Dec 17, 2024

Checklist

  • I've searched the issue queue to verify this is not a duplicate feature request.
  • I've pasted the output of kargo version, if applicable.
  • I've pasted logs, if applicable.

Proposed Feature

The path /tmp is used in the promotion step git clone to save the cloned git repository. Currently, this path is part of the container's root filesystem. I'm proposing to mount an ephemeral emptyDir volume to this path.

Motivation

We are about to roll out Kargo to our production stage. One of the compliance requirements is to enable the securityContext readOnlyRootFilesystem. This protects the root filesystem of the container from being changed during runtime and therefore increases security. When we enable this, the promotion step git clone fails with the following error:

image

Suggested Implementation

I see two possible implementation options in the Kargo Helm Chart:

  1. Allow to mount volumes to any of the containers. Currently, it is only possible to mount volumes to the dex container.
  2. Mount an emptyDir volume in the path /tmp to the container by default.
@krancour
Copy link
Member

I've been thinking about this for a while as well, albeit for different reasons.

emptyDir seems safe and easy.

Mounting any other sort of volume introduces security implications that I'd rather not grapple with at this point in time.

@krancour krancour added needs/area good first issue Good issue for a new contributor to handle help-wanted Community help on this would be appreciated and removed needs/priority needs/area labels Dec 17, 2024
@SD-13
Copy link

SD-13 commented Dec 18, 2024

@krancour @ggogel, this issue looks doable. Can I work on this?

@krancour
Copy link
Member

@SD-13 it's yours.

@RohanMishra315
Copy link
Contributor

Hey @SD-13 you workin' on this, if not could i take it ?

@SD-13
Copy link

SD-13 commented Dec 24, 2024
edited
Loading

@RohanMishra315 , I am working on it. Please pick some other issues

@ggogel ggogel mentioned this issue Jan 6, 2025
Merged
@ggogel
Copy link
Contributor Author

ggogel commented Jan 6, 2025
edited
Loading

I already implemented the change but went on a holiday break. Today I had time to test it in our environment and it works. I created the PR #3218.

@SD-13 I know that you already claimed this issue but three weeks have passed and we need this feature.

@SD-13
Copy link

SD-13 commented Jan 6, 2025

@ggogel, No problem!

@SD-13 SD-13 removed their assignment Jan 6, 2025
@krancour krancour assigned krancour and ggogel and unassigned krancour Jan 6, 2025
@krancour krancour added this to the v1.2.0 milestone Jan 6, 2025
@ggogel ggogel mentioned this issue Jan 17, 2025
Closed
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@ggogel ggogel

Labels
area/charts good first issue Good issue for a new contributor to handle help-wanted Community help on this would be appreciated kind/enhancement priority/normal
Projects
None yet
Milestone
v1.2.0
Development

Successfully merging a pull request may close this issue.

feat: Mount path /tmp as emptyDir volume ggogel/kargo
4 participants
@krancour @ggogel @SD-13 @RohanMishra315