helm: Improve support for readOnlyRootFilesystem in with emptyDr on /tmp#5079
Open
YotamKorah wants to merge 4 commits intokubernetes-sigs:mainfrom
Open
helm: Improve support for readOnlyRootFilesystem in with emptyDr on /tmp#5079YotamKorah wants to merge 4 commits intokubernetes-sigs:mainfrom
YotamKorah wants to merge 4 commits intokubernetes-sigs:mainfrom
Conversation
k8s-ci-robot
added
the
do-not-merge/work-in-progress
Contributor
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: YotamKorah The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
k8s-ci-robot
added
size/M
k8s-ci-robot
removed
the
do-not-merge/work-in-progress
Contributor
|
Thanks for this. Would you mind adjusting the the commit messages to follow our git commit guidelines?
|
Contributor
There was a problem hiding this comment.
Pull request overview
Improves the Helm chart’s ability to run Headlamp with a read-only root filesystem by conditionally adding writable emptyDir mounts (notably for /tmp) when readOnlyRootFilesystem is enabled.
Changes:
- Added a Helm helper (
headlamp.readOnlyRootFilesystem) to detect whether read-only root filesystem is enabled via values. - Updated the Deployment template to conditionally add
/tmpvolume mounts and correspondingemptyDirvolumes (including for the plugins-manager sidecar). - Updated Helm chart expected test output for the security-context scenario.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| charts/headlamp/templates/_helpers.tpl | Introduces helper to detect readOnlyRootFilesystem enablement. |
| charts/headlamp/templates/deployment.yaml | Conditionally adds /tmp mounts/volumes when read-only root is enabled. |
| charts/headlamp/tests/expected_templates/security-context.yaml | Updates expected rendered manifests to include the new volumes/mounts. |
Comments suppressed due to low confidence (1)
charts/headlamp/templates/deployment.yaml:352
- With
readOnlyRootFilesystemenabled, this change only mounts anemptyDirat/tmp. The chart still passes-plugins-dir={{ .Values.config.pluginsDir }}(default/headlamp/plugins), but that path is only mounted whenpluginsManager.enabledis true. For the default case (pluginsManager disabled), Headlamp will likely still try to create/use the plugins dir on a read-only root filesystem and fail. Consider also mounting a writable volume at.Values.config.pluginsDirwhen readOnlyRootFilesystem is enabled.
{{- if or .Values.pluginsManager.enabled .Values.volumeMounts (eq (include "headlamp.readOnlyRootFilesystem" .) "true") }}
volumeMounts:
{{- if .Values.pluginsManager.enabled }}
- name: plugins-dir
mountPath: {{ .Values.config.pluginsDir }}
Contributor
|
For anyone else wondering what is emptyDir? |
k8s-ci-robot
added
cncf-cla: no
k8s-ci-robot
added
the
do-not-merge/work-in-progress
YotamKorah
force-pushed
the
fix/ro-filesystem-tmp
branch
2 times, most recently
from
9d6fc0b to
1c01212
Compare
k8s-ci-robot
added
cncf-cla: yes
k8s-ci-robot
removed
the
do-not-merge/work-in-progress
k8s-ci-robot
added
do-not-merge/work-in-progress
YotamKorah
force-pushed
the
fix/ro-filesystem-tmp
branch
from
18203af to
279d5aa
Compare
…/tmp Adds a writable /tmp emptyDir volume mount to containers configured with readOnlyRootFilesystem: true. The plugin manager inherits the main container's securityContext when its own is not set, so the detection logic mirrors the template's fallback behavior. Signed-off-by: Yotam Korah <git@korah.biz>
YotamKorah
force-pushed
the
fix/ro-filesystem-tmp
branch
from
38a6ff4 to
87fd6fa
Compare
k8s-ci-robot
added
size/XL
Extract collision-detection logic into a headlamp.tmpVolumeContext helper that checks for an existing /tmp volumeMount or same-named volume before auto-adding the emptyDir. deployment.yaml calls the helper once per container and uses the returned addMount/addVolume booleans throughout, eliminating the scattered per-variable checks. Adds a test case covering readOnlyRootFilesystem: true with a user-supplied /tmp mount to ensure no duplicate entries are rendered. Signed-off-by: Yotam Korah <git@korah.biz>
Extract collision detection into a headlamp.tmpVolumeContext helper
that returns addMount/addVolume independently:
- addMount is suppressed when the user already has a /tmp volumeMount
- addVolume is suppressed when the user already has a /tmp mount
(avoids orphaned volumes) or a volume with the same name
(allows users to bring their own headlamp-tmp with custom emptyDir
settings such as sizeLimit)
deployment.yaml calls the helper once per container and uses the
returned booleans throughout, replacing scattered per-variable checks.
Adds two test cases:
- readonly-root-filesystem-custom-tmp: user provides their own /tmp
volumeMount — chart skips both auto mount and auto volume
- readonly-root-filesystem-custom-tmp-volume: user provides headlamp-tmp
with sizeLimit — chart adds the /tmp mount but skips creating the volume
Signed-off-by: Yotam Korah <git@korah.biz>
…ith readOnlyRootFilesystem Signed-off-by: Yotam Korah <git@korah.biz>
k8s-ci-robot
removed
the
do-not-merge/work-in-progress
Contributor
Author
|
Finally! |
YotamKorah
changed the title
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
This PR fixes #4830 by dynamically mounting an
emptyDirvolume under /tmp if eithersecurityContext.readOnlyRootFilesystemorpodSecurityContext.readOnlyRootFilesystemaretrueRelated Issue
Fixes #4830
Changes
headlamp.readOnlyRootFilesystem, to check ifreadOnlyRootFilesystemis enabled in eithersecurityContextorpodSecurityContextvalues.tmpvolume and mount at/tmpwhen a read-only root filesystem is enabled, ensuring the application has a writable temporary directory.Steps to Test
securityContext.readOnlyRootFilesystemorpodSecurityContext.readOnlyRootFilesystemset totrueNotes
I opened this PR because this is the solution I think is the best however I did ask for comments in this slack message so I am waiting to hear opinions before marking this PR for review.