Improve support for readOnlyRootFs

[TobiasDeBruijn]

Hey there,

I want to make all my pods have a readOnlyRootFs, this however proved difficult for Transmission, not impossible though. This is how I had to solve the couple of issues. This is specific to Kubernetes and PIA as provider:

I had to create a couple of emptyDirs, for /tmp, /etc/openvpn/pia and /etc/transmission:

volumes:
- name: tmp
  emptyDir: {}
- name: etc-openvpn-pia
  emptyDir: {}
- name: etc-transmission
  emptyDir: {}

Mounted at /tmp, /etc/openvpn/pia and /etc/transmission respectively:

volumeMounts:
- name: tmp
  mountPath: /tmp
- name: etc-openvpn-pia
  mountPath: /etc/openvpn/pia
- name: etc-transmission
  mountPath: /etc/transmission

This too caused some issues, for /etc/openvpn/pia it was missing two scripts it needs and the configuration files. This was solved with the following initContainer:

initContainers:
- name: etc-openvpn-pia
  image: haugene/transmission-openvpn:3.7.1
  volumeMounts:
  - name: etc-openvpn-pia
    mountPath: /mnt/etc/openvpn/pia
  env:
  - name: VPN_PROVIDER_HOME
    value: /etc/openvpn/pia
  command: ["bash", "-c", "sh /etc/openvpn/pia/configure-openvpn.sh && cp /etc/openvpn/pia/* /mnt/etc/openvpn/pia"]

For /etc/transmission it too was missing required scripts, this too was solved with an initContainer:

initContainers:
- name: etc-transmission
  image: haugene/transmission-openvpn:3.7.1
  volumeMounts:
  - name: etc-transmission
    mountPath: /mnt/etc/transmission
  command: ["bash", "-c", "cp /etc/transmission/* /mnt/etc/transmission"]

With that, you have a working Transmission with

securityContext:
  readOnlyRootFilesystem: true

Possible, but difficult and verbose.

The 'Feature request' then here is, can we make this easier?

Thanks!

[pkishino]

What’s the use case and benefits of this? Security? Against what?
Anyway, feel free to create a PR for this if possible and we can talk there

[TobiasDeBruijn]

Security yeah. It doesn't add a lot compared to e.g not running as root, but it does contribute slightly.