
Commit 23745ef

authored
fix: codecov: remove readOnlyRootFilesystem (#267)
Remove readOnlyRootFilesystem from Codecov app containers. The Codecov third-party images (api, worker, frontend, gateway) require a writable root filesystem for startup scripts and asset configuration. Add kube-linter ignore annotations to suppress the check for these containers. Infrastructure pods retain readOnlyRootFilesystem: true. Assisted-by: Cursor
1 parent 392d099 commit 23745ef

1 file changed

Lines changed: 8 additions & 20 deletions


components/codecov/internal-staging/codecov.yaml

Lines changed: 8 additions & 20 deletions
@@ -7,6 +7,8 @@ metadata:
77
labels:
88
app: codecov
99
component: api
10+
annotations:
11+
ignore-check.kube-linter.io/no-read-only-root-fs: "third-party image requires writable root fs for startup scripts"
1012
spec:
1113
replicas: 1
1214
selector:
@@ -33,7 +35,6 @@ spec:
3335
memory: 512Mi
3436
securityContext:
3537
runAsNonRoot: true
36-
readOnlyRootFilesystem: true
3738
volumeMounts:
3839
- name: codecov-config
3940
mountPath: /config
@@ -73,6 +74,8 @@ metadata:
7374
labels:
7475
app: codecov
7576
component: worker
77+
annotations:
78+
ignore-check.kube-linter.io/no-read-only-root-fs: "third-party image requires writable root fs for startup scripts"
7679
spec:
7780
replicas: 1
7881
selector:
@@ -100,7 +103,6 @@ spec:
100103
memory: 512Mi
101104
securityContext:
102105
runAsNonRoot: true
103-
readOnlyRootFilesystem: true
104106
volumeMounts:
105107
- name: codecov-config
106108
mountPath: /config
@@ -124,6 +126,8 @@ metadata:
124126
labels:
125127
app: codecov
126128
component: frontend
129+
annotations:
130+
ignore-check.kube-linter.io/no-read-only-root-fs: "third-party image runs sed on built assets at startup"
127131
spec:
128132
replicas: 1
129133
selector:
@@ -150,7 +154,6 @@ spec:
150154
memory: 256Mi
151155
securityContext:
152156
runAsNonRoot: true
153-
readOnlyRootFilesystem: true
154157
env:
155158
- name: CODECOV_BASE_HOST
156159
valueFrom:
@@ -181,10 +184,6 @@ spec:
181184
mountPath: /config
182185
- name: tmp
183186
mountPath: /tmp
184-
- name: nginx-cache
185-
mountPath: /var/cache/nginx
186-
- name: nginx-run
187-
mountPath: /var/run
188187
volumes:
189188
- name: codecov-config
190189
secret:
@@ -194,10 +193,6 @@ spec:
194193
path: codecov.yml
195194
- name: tmp
196195
emptyDir: {}
197-
- name: nginx-cache
198-
emptyDir: {}
199-
- name: nginx-run
200-
emptyDir: {}
201196
---
202197
apiVersion: v1
203198
kind: Service
@@ -223,6 +218,8 @@ metadata:
223218
labels:
224219
app: codecov
225220
component: gateway
221+
annotations:
222+
ignore-check.kube-linter.io/no-read-only-root-fs: "third-party image requires writable root fs for haproxy config generation"
226223
spec:
227224
replicas: 1
228225
selector:
@@ -249,7 +246,6 @@ spec:
249246
memory: 128Mi
250247
securityContext:
251248
runAsNonRoot: true
252-
readOnlyRootFilesystem: true
253249
env:
254250
- name: CODECOV_GATEWAY_MINIO_ENABLED
255251
value: "true"
@@ -260,10 +256,6 @@ spec:
260256
mountPath: /config
261257
- name: tmp
262258
mountPath: /tmp
263-
- name: haproxy-run
264-
mountPath: /var/run
265-
- name: haproxy-lib
266-
mountPath: /var/lib/haproxy
267259
volumes:
268260
- name: codecov-config
269261
secret:
@@ -273,10 +265,6 @@ spec:
273265
path: codecov.yml
274266
- name: tmp
275267
emptyDir: {}
276-
- name: haproxy-run
277-
emptyDir: {}
278-
- name: haproxy-lib
279-
emptyDir: {}
280268
---
281269
apiVersion: v1
282270
kind: Service
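Review bot: The exception is broader than the justification on the annotations requires: besides dropping `readOnlyRootFilesystem: true` from the four containers, the hunks at new lines 184-187, 193-196, 256-259 and 265-268 also remove the nginx-cache, nginx-run, haproxy-run and haproxy-lib emptyDir volumes, so every write those processes make now lands in the image's writable layer rather than in a bounded emptyDir, and is no longer visible in the manifest as a declared writable path. If the startup scripts and config generation write to a known set of directories, the tighter fix is to keep `readOnlyRootFilesystem: true` and mount emptyDirs at exactly those paths (as the removed `/var/cache/nginx`, `/var/run` and `/var/lib/haproxy` mounts already did), reserving the kube-linter ignore annotation for a container where that is genuinely impossible. Where the exception is kept, the annotation value should name the paths that need to be writable, e.g. `"third-party image writes to <PATHS> at startup; revisit when upstream image supports a read-only root"`, so the suppression can be re-evaluated on image upgrades. The container securityContext blocks in these hunks show only `runAsNonRoot: true` as context; whether `allowPrivilegeEscalation: false` and a capabilities drop are set on these containers is outside the hunks and worth confirming now that the root filesystem is writable.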
