Read only root file system

Hi,
I am trying to deploy the KOTS admin console on a shared cluster with strict container security policies.
I generated manifests as the KOTS install was not working directly;
however, --strict-security-context cannot be used to generate manifests with a restricted security context.
I was able to get the minio StatefulSet up and running, but rqlite and kotsadm are still giving me similar errors:

“must-have-readonlyrootfilesystem only read-only root filesystem container is allowed”

My context looks like this:

    securityContext:
      capabilities:
        drop:
        - ALL
      privileged: false
      runAsUser: 1001
      runAsGroup: 1001
      runAsNonRoot: true
      readOnlyRootFilesystem: true
      allowPrivilegeEscalation: false

and the syntax is applied correctly.

Could you advise how to solve this issue? How should the rqlite and kotsadm deployments look?
Thank you,
Rafał

Hi @rosmolak,

The following are the Pod and Container security contexts, respectively, that are applied to all KOTS resources (kotsadm, rqlite, and minio) when running kots install with the --strict-security-context flag.

Pod Security Context:

      securityContext:
        fsGroup: 1001
        runAsGroup: 1001
        runAsNonRoot: true
        runAsUser: 1001
        seccompProfile:
          type: RuntimeDefault
        supplementalGroups:
        - 1001

Container Security Context:

        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          privileged: false
          readOnlyRootFilesystem: true

The following Kubernetes docs indicate where these fields are specified: Configure a Security Context for a Pod or Container | Kubernetes.

@rosmolak, I also have a follow up question. You mentioned:

I generated manifests as the KOTS install was not working directly

Could you elaborate more about why the direct KOTS install failed? Were you using the --strict-security-context flag?
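A local check, added here as example code rather than anything from KOTS or this thread, that lists which containers in rendered manifests would fail a must-have-readonlyrootfilesystem style policy before they are applied. The workload objects are constructed in place of real kotsadm/rqlite manifests, and YAML parsing is left out so the script runs offline.

```python
# Offline check for the "must-have-readonlyrootfilesystem" policy discussed in
# this thread. Example code written for this post, not part of KOTS; the
# workload objects below are constructed (no real kotsadm/rqlite manifests).

STRICT_CONTAINER_CONTEXT = {  # container-level fields from the answer above
    "allowPrivilegeEscalation": False,
    "capabilities": {"drop": ["ALL"]},
    "privileged": False,
    "readOnlyRootFilesystem": True,
}

def pod_spec(workload):
    """Return the pod spec of a Pod, or of a Deployment/StatefulSet template."""
    spec = workload.get("spec", {})
    return spec if workload.get("kind") == "Pod" else spec.get("template", {}).get("spec", {})

def readonly_rootfs_violations(workload):
    """Return 'Kind/name: container' for every container (init containers
    included) whose own securityContext lacks readOnlyRootFilesystem: true.
    readOnlyRootFilesystem is a container-level field only, so a value on
    the pod securityContext does not satisfy the policy."""
    label = f"{workload.get('kind')}/{workload.get('metadata', {}).get('name')}"
    spec = pod_spec(workload)
    bad = []
    for field in ("initContainers", "containers"):
        for c in spec.get(field, []):
            sc = c.get("securityContext") or {}
            if sc.get("readOnlyRootFilesystem") is not True:
                bad.append(f"{label}: {c['name']}")
    return bad

def check_all(workloads):
    """Flatten violations over a list of rendered workload objects."""
    return [v for w in workloads for v in readonly_rootfs_violations(w)]

# Constructed sample: the StatefulSet's main container carries the strict
# context, but its init container does not; the Deployment is compliant.
SAMPLE_MANIFESTS = [
    {"kind": "StatefulSet", "metadata": {"name": "sample-statefulset"},
     "spec": {"template": {"spec": {
         "initContainers": [{"name": "init-setup", "securityContext": {"runAsNonRoot": True}}],
         "containers": [{"name": "main", "securityContext": dict(STRICT_CONTAINER_CONTEXT)}]}}}},
    {"kind": "Deployment", "metadata": {"name": "sample-deployment"},
     "spec": {"template": {"spec": {
         "containers": [{"name": "web", "securityContext": dict(STRICT_CONTAINER_CONTEXT)}]}}}},
]

if __name__ == "__main__":
    for v in check_all(SAMPLE_MANIFESTS):
        print("policy violation:", v)  # reports the init container only
```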