Kubernetes crashloopbackoff error after adding readOnlyRootFilesystem: true

Time:05-03

Azure Kubernetes service is giving recommendation- mutable (read-only) root filesystem should be enforced for containers

My deployment is working as expected without it, but after adding readOnlyRootFilesystem: true it's not working because the container cannot write.

I am also using a PVC with Azure storage files, and it shows a successful binding, but it always shows empty.

Here is my deployment.yaml:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: redis-healthy-deployment
  labels:
    app: redis
spec:
  replicas: 3
  selector:
    matchLabels:
      app: redis
  template:
    metadata:
      labels:
        app: redis
      annotations:
        container.apparmor.security.beta.kubernetes.io/redis: runtime/default
    spec:
      containers:
      - name: redis
        image: <customer-registry>.azurecr.io/redis:latest
        ports:
        - containerPort: 80
        resources:
          limits:
            cpu: 100m
            memory: 250Mi
        securityContext:
          privileged: false
          readOnlyRootFilesystem: true
          allowPrivilegeEscalation: false
          runAsNonRoot: true
          runAsUser: 1000
        # volumeMounts belongs to the container, at the same level as securityContext
        volumeMounts:
        - mountPath: "/mnt/azure"
          name: volume
        - mountPath: "/mnt/secrets-store"   # mountPath must be an absolute path
          name: secrets-mount
          readOnly: true
      # volumes belongs to the pod spec, at the same level as containers
      volumes:
      - name: volume
        persistentVolumeClaim:
          claimName: helloworld-pvc
      - name: secrets-mount
        csi:
          driver: secrets-store.csi.k8s.io
          readOnly: true
          volumeAttributes:
            secretProviderClass: "azure-keyvault"

and here are the errors from the pod:

rm: can't remove '/home/test/mi-4.0.0/tmp/README': Read-only file system
rm: can't remove '/home/test/mi-4.0.0/tmp/work': Read-only file system

If I am using a PVC, then shouldn't the pod/container be able to write to the PVC?

I would really appreciate it if someone could help fix this. I am happy to provide more details.

CodePudding user response:

It's true that a read-only file system is preferable, if possible. However, some applications need to write data to disk, for one reason or another.

Your error is not about the mounted volume, but about the /tmp directory.

You can keep your read-only file system and make only that part writable by mounting an emptyDir volume at this path:

volumes:
  - name: tmp
    emptyDir: {}
volumeMounts:
  - name: tmp
    mountPath: /home/test/mi-4.0.0/tmp

Note that the volume will overwrite the location it is mounted to. If you need data in this directory when the container starts, you could opt for an initContainer that mounts the same volume and adds the required files to it.
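As an added example (not part of the question or the answer above), the check below does what the answer does by hand: it pulls the paths out of the pod's "Read-only file system" log lines, compares them with the container's writable mounts, and derives the emptyDir volume/mount pair that covers them. The container dict is a constructed reduction of the question's manifest to the fields the check needs, so no YAML parser is required.

```python
import posixpath
import re
from pathlib import PurePosixPath

# Constructed input: the question's container, reduced to the relevant fields.
CONTAINER = {
    "name": "redis",
    "securityContext": {"readOnlyRootFilesystem": True},
    "volumeMounts": [
        {"name": "volume", "mountPath": "/mnt/azure"},
        {"name": "secrets-mount", "mountPath": "/mnt/secrets-store", "readOnly": True},
    ],
}

# Constructed sample of the pod log lines quoted in the question.
LOG = """\
rm: can't remove '/home/test/mi-4.0.0/tmp/README': Read-only file system
rm: can't remove '/home/test/mi-4.0.0/tmp/work': Read-only file system
"""

EROFS_RE = re.compile(r"'([^']+)': Read-only file system")


def failing_paths(log: str) -> list[str]:
    """Paths the application tried to write, taken from the EROFS error lines."""
    return sorted(set(EROFS_RE.findall(log)))


def writable_mounts(container: dict) -> list[str]:
    """Mount paths that are writable inside the container (readOnly not set)."""
    return [m["mountPath"] for m in container.get("volumeMounts", []) if not m.get("readOnly", False)]


def is_under(path: str, mount: str) -> bool:
    """True when path is the mount point itself or lies below it."""
    p, m = PurePosixPath(path), PurePosixPath(mount)
    return p == m or m in p.parents


def uncovered_paths(container: dict, log: str) -> list[str]:
    """Failing paths that no writable mount covers; empty if the rootfs is writable anyway."""
    if not container.get("securityContext", {}).get("readOnlyRootFilesystem"):
        return []
    mounts = writable_mounts(container)
    return [p for p in failing_paths(log) if not any(is_under(p, m) for m in mounts)]


def suggest_emptydir(paths: list[str], name: str = "tmp"):
    """Volume and volumeMount entries for the deepest directory common to all failing paths."""
    if not paths:
        return None
    common = posixpath.commonpath([str(PurePosixPath(p).parent) for p in paths])
    return {"name": name, "emptyDir": {}}, {"name": name, "mountPath": common}
```

Running `suggest_emptydir(uncovered_paths(CONTAINER, LOG))` on the question's input yields a mount at /home/test/mi-4.0.0/tmp, which is exactly the pair shown in the answer; adding that mount to the container makes `uncovered_paths` return an empty list.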
