Description
Whenever possible, we try to run our software with readOnlyRootFilesystem: true. Currently, the Helm chart provided does not allow for this without manually editing the chart. In our testing, the controller seems to function just fine with this set in the securityContext. If possible, we'd like a mechanism for setting this in the chart without manually pulling it down and modifying it.
If this is something you're willing to support in the chart, and assuming we aren't missing anything that requires a filesystem, I'd be happy to open a PR for this. I initially see three ways to implement this:
1. Make readOnlyRootFilesystem the default
   This assumes that we are not overlooking something in the controller that requires the ability to write to the filesystem. It's the easiest to implement, but probably the riskiest. I'm not sure how acceptable that risk is.
2. Make readOnlyRootFilesystem a parameter in the values file
   This is pretty straightforward, but it feels awkward to me because it would be the only thing in securityContext to be configured this way.
3. Make securityContext configurable in the values file
   If we do this, the default could be what it is now in the deployment, and then teams with the readOnlyRootFilesystem requirement have a means of configuring this. The only drawback is that it's more possibility for the user to get something wrong that can negatively impact their application.
Out of these three approaches, I'd prefer number 1 since it's good to default to least privileges whenever possible, but I can understand if you don't want that as the default. If not 1, then I'd vote for number 3.
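Whichever option is chosen, the result can be checked on the deployed workload. The following is an added example, not part of the original issue or the chart: it audits a Deployment in the JSON shape returned by `kubectl get deployment <name> -o json` and reports which containers would still run with a writable root filesystem. The sample object, its names and its images are constructed placeholders.

```python
import json

# Constructed sample: the shape of `kubectl get deployment <name> -o json`.
# All names and images are placeholders, not taken from the chart.
SAMPLE = json.loads("""
{"kind": "Deployment", "metadata": {"name": "example-controller"},
 "spec": {"template": {"spec": {
   "initContainers": [{"name": "init", "image": "example/init:0"}],
   "containers": [
     {"name": "controller", "image": "example/controller:0",
      "securityContext": {"readOnlyRootFilesystem": true,
                          "allowPrivilegeEscalation": false},
      "volumeMounts": [{"name": "tmp", "mountPath": "/tmp"},
                       {"name": "cfg", "mountPath": "/etc/cfg", "readOnly": true}]},
     {"name": "sidecar", "image": "example/sidecar:0",
      "securityContext": {"allowPrivilegeEscalation": false}}]}}}}
""")


def audit_read_only_rootfs(workload):
    """Return one finding per container in the pod template.

    readOnlyRootFilesystem is a container-level field, so every entry in
    initContainers and containers has to be checked separately.
    """
    pod_spec = workload["spec"]["template"]["spec"]
    findings = []
    for kind in ("initContainers", "containers"):
        for c in pod_spec.get(kind) or []:
            sc = c.get("securityContext") or {}
            findings.append({
                "container": f"{kind}/{c['name']}",
                # Unset means the root filesystem stays writable.
                "read_only": sc.get("readOnlyRootFilesystem") is True,
                # Mounts not marked readOnly: paths that may still take writes.
                "writable_mounts": [m["mountPath"]
                                    for m in c.get("volumeMounts") or []
                                    if not m.get("readOnly", False)],
            })
    return findings


def writable_rootfs(workload):
    """Names of containers that would still run with a writable root filesystem."""
    return [f["container"] for f in audit_read_only_rootfs(workload)
            if not f["read_only"]]


if __name__ == "__main__":
    for finding in audit_read_only_rootfs(SAMPLE):
        print(finding)
```

The writable_mounts field shows where a container can still write once its root filesystem is read-only, which is the place to look if the controller turns out to need scratch space.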