ratify icon indicating copy to clipboard operation
ratify copied to clipboard
verified publisher icon ratify-project

Allow for customizable security context in the ratify deployment

Open matt-demers opened this issue 8 months ago • 2 comments

What would you like to be added?

The ratify helm chart hardcodes a security context in the ratify deployment yaml. Namely, it hardcodes readOnlyRootFilesystem: false, which does not follow CIS best practices. I assume this is set to false so the pod can support the dynamic plugins feature, but we would like to be able to override the security context to disable this flag to meet our compliance requirements. It should also be possible to add an emptyDir volume to the pod at the plugin path, so the pod does not need to set readOnlyRootFilesystem: false

Anything else you would like to add?

No response

Are you willing to submit PRs to contribute to this feature?

  • [ ] Yes, I am willing to implement it.

matt-demers avatar Jun 04 '25 17:06 matt-demers

Hi @matt-demers , thanks for reporting it! We're currenlty developing Ratify V2, and have set it as true in main branch. Since you're still using Ratify v1, wonder if you could help fix it in v1-dev branch. If not, we can fix it later.

binbin-li avatar Jun 10 '25 03:06 binbin-li

@matt-demers in the latest v2 dev version, we already set it to true per your suggestion: https://github.com/notaryproject/ratify/blob/main/deployments/ratify-gatekeeper-provider/templates/deployment.yaml#L32

binbin-li avatar Jul 25 '25 08:07 binbin-li