From 27ec49149e98da218b73031f4e0ab5ccd1cea6a2 Mon Sep 17 00:00:00 2001 From: danc094codetogether Date: Wed, 12 Nov 2025 13:30:15 -0600 Subject: [PATCH 1/5] intel(chart): enable read-only FS support fIXES #6962 - Add initContainer to mkdir/chown /run/volatile/*, /var/log/nginx, /var/cache/nginx - Mount EmptyDir at /run, /var/log/nginx, /var/cache/nginx, /tmp, /var/tmp - Fix writes under /run/volatile and nginx pid/log on RO FS --- charts/intel/templates/deployment.yaml | 61 ++++++++++++++++++++++++++ 1 file changed, 61 insertions(+) diff --git a/charts/intel/templates/deployment.yaml b/charts/intel/templates/deployment.yaml index ffc0a9c..12731c1 100644 --- a/charts/intel/templates/deployment.yaml +++ b/charts/intel/templates/deployment.yaml 
@@ -27,6 +27,48 @@ spec: - name: {{ include "codetogether.fullname" . }}-pull-secret {{- end }} serviceAccountName: {{ include "codetogether.serviceAccountName" . }} + {{- if .Values.securityContext.readOnlyRootFilesystem }} + initContainers: + - name: init-writable-dirs + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + command: + - /bin/sh + - -c + - | + set -euo pipefail + for p in \ + /run/volatile \ + /run/volatile/clients \ + /run/volatile/dashboard \ + /run/volatile/log-codetogether \ + /run/volatile/nginx \ + /run/volatile/plugins \ + /run/volatile/var-cache ; do + mkdir -p "$p" + done + mkdir -p /var/log/nginx + mkdir -p /var/cache/nginx + CHOWN_UID="{{ default 10001 .Values.securityContext.runAsUser }}" + CHOWN_GID="{{ default (default 10001 .Values.securityContext.runAsUser) .Values.securityContext.runAsGroup }}" + chown -R "${CHOWN_UID}:${CHOWN_GID}" /run /tmp /var/tmp /var/log/nginx /var/cache/nginx || true + securityContext: + runAsUser: 0 + runAsGroup: 0 + readOnlyRootFilesystem: false + allowPrivilegeEscalation: false + volumeMounts: + - name: runtime-tmp + mountPath: /run + - name: runtime-tmp + mountPath: /var/log/nginx + - name: runtime-tmp + mountPath: /var/cache/nginx + - name: tmp + mountPath: /tmp + - name: tmp + mountPath: /var/tmp + {{- end }} containers: - name: {{ .Chart.Name }} securityContext: @@ -116,6 +158,18 @@ spec: mountPath: /etc/ssl/certs/java/cacerts subPath: cacerts {{- end }} + {{- if .Values.securityContext.readOnlyRootFilesystem }} + - name: runtime-tmp + mountPath: /run + - name: runtime-tmp + mountPath: /var/log/nginx + - name: runtime-tmp + mountPath: /var/cache/nginx + - name: tmp + mountPath: /tmp + - name: tmp + mountPath: /var/tmp + {{- end }} ports: - name: http containerPort: 1080 
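Review bot: The single `runtime-tmp` emptyDir is mounted at `/run`, `/var/log/nginx` and `/var/cache/nginx` with no `subPath`, so all three paths resolve to the same directory: nginx's pid file, its logs and its cache share one namespace, and everything written under `/run/volatile/*` is also reachable as `/var/cache/nginx/volatile/*`. Give each mount its own slice of the volume, e.g. `- name: runtime-tmp` / `mountPath: /var/log/nginx` / `subPath: nginx-log` (and likewise `subPath: nginx-cache`), or use one emptyDir per path. The `init-writable-dirs` container also runs as `runAsUser: 0`, which a Pod Security `restricted` profile will reject, and its `chown ... || true` defeats the `set -euo pipefail` above it so a failed chown still lets the pod start and fail later; patch 2/5 drops this init container, so only the mount layout point survives the series. The `spec:` block these lines belong to starts outside the hunk.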
@@ -164,6 +218,13 @@ spec: secret: secretName: {{ .Values.java.customCacerts.cacertsSecretName }} {{- end }} + {{- if .Values.securityContext.readOnlyRootFilesystem }} + - name: runtime-tmp + emptyDir: {} + - name: tmp + emptyDir: + medium: Memory + {{- end }} {{- with .Values.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} From f82e003b4117a31a2affb0298b4c1e621d705d59 Mon Sep 17 00:00:00 2001 From: danc094codetogether Date: Fri, 14 Nov 2025 12:00:22 -0600 Subject: [PATCH 2/5] intel(chart): simplify readonly FS support - Remove initContainer, handled now in Dockerfile - Keep only EmptyDir mounts for /run, /var/log/nginx, /var/cache/nginx, /tmp, /var/tmp --- charts/intel/templates/deployment.yaml | 41 ++++---------------------- 1 file changed, 6 insertions(+), 35 deletions(-) diff --git a/charts/intel/templates/deployment.yaml b/charts/intel/templates/deployment.yaml index 12731c1..243c577 100644 --- a/charts/intel/templates/deployment.yaml +++ b/charts/intel/templates/deployment.yaml 
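Review bot: The `tmp` volume uses `medium: Memory` with no `sizeLimit`, and a tmpfs emptyDir is charged to the pod's memory cgroup, so any process filling `/tmp` or `/var/tmp` (both are mounted from it) can push the container over its memory limit and get it OOM-killed instead of hitting ENOSPC. Add a bound sized to the workload, e.g. `emptyDir:` / `medium: Memory` / `sizeLimit: 256Mi`, and consider a `sizeLimit` on the on-disk `runtime-tmp` too since the nginx cache lives there and can otherwise consume node ephemeral storage. The enclosing `volumes:` list begins outside the hunk.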
@@ -26,37 +26,12 @@ spec: imagePullSecrets: - name: {{ include "codetogether.fullname" . }}-pull-secret {{- end }} - serviceAccountName: {{ include "codetogether.serviceAccountName" . }} - {{- if .Values.securityContext.readOnlyRootFilesystem }} - initContainers: - - name: init-writable-dirs - image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" - imagePullPolicy: {{ .Values.image.pullPolicy }} - command: - - /bin/sh - - -c - - | - set -euo pipefail - for p in \ - /run/volatile \ - /run/volatile/clients \ - /run/volatile/dashboard \ - /run/volatile/log-codetogether \ - /run/volatile/nginx \ - /run/volatile/plugins \ - /run/volatile/var-cache ; do - mkdir -p "$p" - done - mkdir -p /var/log/nginx - mkdir -p /var/cache/nginx - CHOWN_UID="{{ default 10001 .Values.securityContext.runAsUser }}" - CHOWN_GID="{{ default (default 10001 .Values.securityContext.runAsUser) .Values.securityContext.runAsGroup }}" - chown -R "${CHOWN_UID}:${CHOWN_GID}" /run /tmp /var/tmp /var/log/nginx /var/cache/nginx || true + serviceAccountName: {{ include "codetogether.serviceAccountName" . }} + containers: + - name: {{ .Chart.Name }} securityContext: - runAsUser: 0 - runAsGroup: 0 - readOnlyRootFilesystem: false - allowPrivilegeEscalation: false + {{- toYaml .Values.securityContext | nindent 12 }} + {{- if .Values.securityContext.readOnlyRootFilesystem }} volumeMounts: - name: runtime-tmp mountPath: /run @@ -68,11 +43,7 @@ spec: mountPath: /tmp - name: tmp mountPath: /var/tmp - {{- end }} - containers: - - name: {{ .Chart.Name }} - securityContext: - {{- toYaml .Values.securityContext | nindent 12 }} + {{- end }} image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy }} env: From 505d3657099619e93526eda1c5b36931d0cb9429 Mon Sep 17 00:00:00 2001 
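Review bot: Moving `volumeMounts:` up under `securityContext` adds a second `volumeMounts` key to the same container, because the container's original list (the one 1/5 extended after the cacerts mount) is still present further down in the file; a strict YAML decoder rejects the duplicate and a lenient one silently keeps only the last list, dropping whichever set loses. Patch 3/5 removes this block again, so for the series this is moot, but the "handled now in Dockerfile" rationale in the message deserves a check: an emptyDir mounted at `/run` starts empty and hides anything the image pre-created under `/run/volatile/*`, so the application (or an entrypoint script) must create those directories itself at start-up — I cannot see the image, so please confirm it does. If it does not, a short comment above the `/run` mount such as `# emptyDir masks image content under /run; subdirs are created at runtime` would save the next person the same investigation. The container definition continues outside the hunk.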
From: danc094codetogether Date: Fri, 14 Nov 2025 12:06:44 -0600 Subject: [PATCH 3/5] Fixes --- charts/intel/templates/deployment.yaml | 15 +-------------- 1 file changed, 1 insertion(+), 14 deletions(-) diff --git a/charts/intel/templates/deployment.yaml b/charts/intel/templates/deployment.yaml index 243c577..bc57c6e 100644 --- a/charts/intel/templates/deployment.yaml +++ b/charts/intel/templates/deployment.yaml @@ -26,24 +26,11 @@ spec: imagePullSecrets: - name: {{ include "codetogether.fullname" . }}-pull-secret {{- end }} - serviceAccountName: {{ include "codetogether.serviceAccountName" . }} + serviceAccountName: {{ include "codetogether.serviceAccountName" . }} containers: - name: {{ .Chart.Name }} securityContext: {{- toYaml .Values.securityContext | nindent 12 }} - {{- if .Values.securityContext.readOnlyRootFilesystem }} - volumeMounts: - - name: runtime-tmp - mountPath: /run - - name: runtime-tmp - mountPath: /var/log/nginx - - name: runtime-tmp - mountPath: /var/cache/nginx - - name: tmp - mountPath: /tmp - - name: tmp - mountPath: /var/tmp - {{- end }} image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy }} env: From 0fd6469b4efff485b272e9c3704f03c67f4950aa Mon Sep 17 00:00:00 2001 From: danc094codetogether Date: Tue, 18 Nov 2025 13:10:44 -0600 Subject: [PATCH 4/5] Fix --- charts/intel/templates/deployment.yaml | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/charts/intel/templates/deployment.yaml b/charts/intel/templates/deployment.yaml index bc57c6e..b649d3f 100644 --- a/charts/intel/templates/deployment.yaml +++ b/charts/intel/templates/deployment.yaml 
@@ -117,12 +117,12 @@ spec: subPath: cacerts {{- end }} {{- if .Values.securityContext.readOnlyRootFilesystem }} - - name: runtime-tmp - mountPath: /run - - name: runtime-tmp + - name: run-volatile + mountPath: /run/volatile + - name: var-log-nginx mountPath: /var/log/nginx - - name: runtime-tmp - mountPath: /var/cache/nginx + - name: run-nginx + mountPath: /run - name: tmp mountPath: /tmp - name: tmp @@ -177,7 +177,11 @@ spec: secretName: {{ .Values.java.customCacerts.cacertsSecretName }} {{- end }} {{- if .Values.securityContext.readOnlyRootFilesystem }} - - name: runtime-tmp + - name: run-volatile + emptyDir: {} + - name: var-log-nginx + emptyDir: {} + - name: run-nginx emptyDir: {} - name: tmp emptyDir: From 4c701c9583bda1df59c179b52edabae6f809e5ea Mon Sep 17 00:00:00 2001 From: danc094codetogether Date: Tue, 18 Nov 2025 13:20:05 -0600 Subject: [PATCH 5/5] Unifying as Collab Chart --- charts/intel/templates/deployment.yaml | 6 ------ 1 file changed, 6 deletions(-) diff --git a/charts/intel/templates/deployment.yaml b/charts/intel/templates/deployment.yaml index b649d3f..392c02e 100644 --- a/charts/intel/templates/deployment.yaml +++ b/charts/intel/templates/deployment.yaml @@ -119,8 +119,6 @@ spec: {{- if .Values.securityContext.readOnlyRootFilesystem }} - name: run-volatile mountPath: /run/volatile - - name: var-log-nginx - mountPath: /var/log/nginx - name: run-nginx mountPath: /run - name: tmp @@ -179,10 +177,6 @@ spec: {{- if .Values.securityContext.readOnlyRootFilesystem }} - name: run-volatile emptyDir: {} - - name: var-log-nginx - emptyDir: {} - - name: run-nginx - emptyDir: {} - name: tmp emptyDir: medium: Memory
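Review bot: The rename drops the writable mount at `/var/cache/nginx` while `readOnlyRootFilesystem` stays enabled, so if the image's nginx config keeps the stock `client_body_temp_path`/`proxy_temp_path` under `/var/cache/nginx` (the default in the upstream nginx packages, which I cannot confirm from here), request bodies that exceed the in-memory buffer will fail with a write error rather than at startup. Either keep a mount there, e.g. `- name: run-nginx` / `mountPath: /var/cache/nginx` / `subPath: cache`, or point the temp paths at the `/run` volume in the image's nginx.conf. Mounting `run-nginx` at `/run` and `run-volatile` at `/run/volatile` also nests one emptyDir inside another; the kubelet handles nested mounts, but a single `/run` volume already covers `/run/volatile`, so the second volume only adds a mount to reason about. The enclosing `volumeMounts:` list starts outside the hunk.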
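Review bot: Removing the `/var/log/nginx` mount leaves that directory on the read-only root filesystem, and nginx refuses to start when it cannot open its error and access logs, so this only works if the image already redirects those files to `/dev/stdout`/`/dev/stderr` (as the official image does) — the "Unifying as Collab Chart" subject suggests the layout was copied from a sibling chart, so please confirm the intel image does the same. If it does, a comment next to the remaining mounts, e.g. `# /var/log/nginx needs no volume: the image logs to stdout/stderr`, records the assumption; if it does not, the mount should come back. The enclosing `volumeMounts:` list starts outside the hunk.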
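Review bot: This hunk deletes the `run-nginx` volume, but the first hunk of the same patch only removes the `var-log-nginx` mount and keeps `- name: run-nginx` / `mountPath: /run` in the container, so with `readOnlyRootFilesystem: true` the rendered Deployment references a volume that no longer exists and the API server rejects the pod at admission. Either restore `- name: run-nginx` / `emptyDir: {}` here or drop the `/run` mount; a `helm template | kubectl apply --dry-run=server` with `securityContext.readOnlyRootFilesystem=true` in CI would have caught this. Note that the `tmp` volume that survives here still has no `sizeLimit` on its `medium: Memory` tmpfs. The enclosing `volumes:` list starts outside the hunk.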