Summary
Add first-class support for configuring securityContext.readOnlyRootFilesystem: true across all GreptimeDB Helm chart components (cluster, standalone, operator) to meet container security best practices and pass security compliance scans.
Problem
Security scanning tools are flagging GreptimeDB pods for not having a read-only root filesystem enabled. The following components are affected:
Affected GreptimeDB components:
greptimedb-dev-datanode-0greptimedb-dev-datanode-1greptimedb-dev-datanode-2greptimedb-dev-flownode-0greptimedb-dev-greptimedb-frontendgreptimedb-dev-greptimedb-operator
The remediation guidance is: "Handle according to remediation steps and re-deploy."
Current State
The charts currently expose securityContext as an empty object {} in values.yaml for the standalone chart and via podTemplate.main.securityContext for the cluster chart. While users can technically set readOnlyRootFilesystem: true, there is:
- No documentation or guidance on which paths need to remain writable (via
emptyDir or persistent volumes).
- No pre-configured
tmpDir or writable volume mounts for directories that GreptimeDB needs to write to (e.g., /tmp, log directories, data directories).
- Risk of breaking the application if
readOnlyRootFilesystem is enabled without the correct writable volume mounts.
Expected Behavior
- Users should be able to set
readOnlyRootFilesystem: true via Helm values for all components (frontend, datanode, flownode, meta, standalone).
- The chart should automatically mount writable
emptyDir volumes for paths that require write access (e.g., /tmp, log directories) when readOnlyRootFilesystem is enabled.
- Documentation should clearly describe how to enable this feature and any implications.
Acceptance Criteria
References
Summary
Add first-class support for configuring
securityContext.readOnlyRootFilesystem: trueacross all GreptimeDB Helm chart components (cluster, standalone, operator) to meet container security best practices and pass security compliance scans.Problem
Security scanning tools are flagging GreptimeDB pods for not having a read-only root filesystem enabled. The following components are affected:
Affected GreptimeDB components:
greptimedb-dev-datanode-0greptimedb-dev-datanode-1greptimedb-dev-datanode-2greptimedb-dev-flownode-0greptimedb-dev-greptimedb-frontendgreptimedb-dev-greptimedb-operatorThe remediation guidance is: "Handle according to remediation steps and re-deploy."
Current State
The charts currently expose
securityContextas an empty object{}invalues.yamlfor the standalone chart and viapodTemplate.main.securityContextfor the cluster chart. While users can technically setreadOnlyRootFilesystem: true, there is:emptyDiror persistent volumes).tmpDiror writable volume mounts for directories that GreptimeDB needs to write to (e.g.,/tmp, log directories, data directories).readOnlyRootFilesystemis enabled without the correct writable volume mounts.Expected Behavior
readOnlyRootFilesystem: truevia Helm values for all components (frontend, datanode, flownode, meta, standalone).emptyDirvolumes for paths that require write access (e.g.,/tmp, log directories) whenreadOnlyRootFilesystemis enabled.Acceptance Criteria
securityContext.readOnlyRootFilesystemcan be set totruefor all components without breaking functionality.emptyDiror persistent volumes when readonly filesystem is enabled.References