Trying to set readOnlyRootFilesystem: true to mitigate azure defender finding

[srikanth1685]

hello all,

to mitigate an azure defender fix for setting readOnlyRootFilesystem: true for the controller , can you please guide me or direct me to understand what are the volume mounts needed to make the deployment work?

tried adding these but i cant get the pod up and running in AKS as below

│ Autoscroll:On FullScreen:Off Timestamps:Off Wrap:Off │
│ ------------------------------------------------------------------------------- │
│ NGINX Ingress controller │
│ Release: v1.11.5 │
│ Build: 97ffeee │
│ Repository: https://github.com/kubernetes/ingress-nginx │
│ nginx version: nginx/1.25.5 │
│ │
│ ------------------------------------------------------------------------------- │
│ │
│ W1013 10:55:24.984095 7 client_config.go:667] Neither --kubeconfig nor --master was specified. Using the inClusterConfig. This might not work. │
│ I1013 10:55:24.984217 7 main.go:205] "Creating API client" host="https://172.16.0.1:443" │
│ I1013 10:55:24.999834 7 main.go:248] "Running in Kubernetes cluster" major="1" minor="32" git="v1.32.7" state="clean" commit="d5f83cad5f5356b280b95 │
│ I1013 10:55:25.009080 7 main.go:83] "Valid default backend" service="nginx-ingress/nginx-ingress-ingress-nginx-defaultbackend" │
│ I1013 10:55:25.186941 7 main.go:101] "SSL fake certificate created" file="/etc/ingress-controller/ssl/default-fake-certificate.pem" │
│ I1013 10:55:25.227394 7 ssl.go:535] "loading tls certificate" path="/usr/local/certificates/cert" key="/usr/local/certificates/key" │
│ F1013 10:55:25.239879 7 nginx.go:175] Invalid NGINX configuration template: unexpected error reading template /etc/nginx/template/nginx.tmpl: open │
│ stream closed: EOF for nginx-ingress/nginx-ingress-ingress-nginx-controller-twk5x (controller)

│ F1013 10:46:38.099641 7 nginx.go:175] Invalid NGINX configuration template: unexpected error reading template /etc/nginx/template/nginx.tmpl: open │
│ stream closed: EOF for nginx-ingress/nginx-ingress-ingress-nginx-controller-xkzcw (controller)

extraVolumeMounts:
- name: nginx-conf
mountPath: /etc/nginx
- name: tmp-nginx
mountPath: /tmp/nginx
- name: tmp-nginx-cache
mountPath: /tmp/nginx_cache
- name: var-run
mountPath: /var/run
- name: ssl-dir
mountPath: /etc/ingress-controller/ssl
- name: telemetry
mountPath: /etc/ingress-controller/telemetry
- name: var-lib-nginx
mountPath: /var/lib/nginx
- name: nginx-cache
mountPath: /var/cache/nginx
- name: nginx-tmp
mountPath: /tmp
- name: var-log-nginx
mountPath: /var/log/nginx

- name: copy-portal-skins

mountPath: /var/lib/lemonldap-ng/portal/skins

-- Additional volumes to the controller pod.

extraVolumes:
- name: nginx-conf
emptyDir: {}
- name: tmp-nginx
emptyDir: {}
- name: tmp-nginx-cache
emptyDir: {}
- name: var-run
emptyDir: {}
- name: ssl-dir
emptyDir: {}
- name: telemetry
emptyDir: {}
- name: var-lib-nginx
emptyDir: {}
- name: nginx-cache
emptyDir: {}
- name: nginx-tmp
emptyDir: {}
- name: var-log-nginx
emptyDir: {}

[k8s-ci-robot]

This issue is currently awaiting triage.

If Ingress contributors determines this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[Gacko]

First of all v1.11 is no longer supported. Second we do not support setting readOnlyRootFilesystem to true. And last but not least I would ask you to understand the meaning of this security advisory.

Microsoft Defender tells a lot, but in many cases these recommendations are meant for users who do not configure their workload properly and therefore miss some security hardening measurements. For example this controller requires API server access and therefore it mounts a service account token. The controller won't work without the service account token, but still Microsoft Defender is telling people to turn off the autoMountServiceAccountToken option, which would effectively break the controller. So people ask us to implement an option to be able to turn off autoMountServiceAccountToken and manually configure it via volumes and volumeMounts instead. In the end the result is exactly the same: A pod with the service account token mounted. Manually. Less maintainable. To me this is a step backwards, but at least Microsoft Defender is no longer complaining.

So I would ask you to do some research on why Microsoft Defender is recommending turning on readOnlyRootFilesystem. In our particular case the efforts of making it work with readOnlyRootFilesystem: true out of the box might not be worth satisfying Microsoft Defender. In the end you should already have all the possibilities to implement this on your own by using volumes and volume mounts.