From eb0f2b083c5df8b24291b8e708ff9fa923f45d90 Mon Sep 17 00:00:00 2001
From: Xiangjing Li <55890329+xiangjingli@users.noreply.github.com>
Date: Mon, 29 Jan 2024 16:49:24 -0500
Subject: [PATCH] enable readOnlyRootFilesystem on subscription addon pod (#384)

* enable readOnlyRootFilesystem on subscription addon pod

Signed-off-by: Xiangjing Li

* --amend

Signed-off-by: Xiangjing Li

---------

Signed-off-by: Xiangjing Li
---
 addon/manifests/chart/templates/deployment.yaml | 6 +++++-
 pkg/utils/gitrepo.go | 10 ++++++----
 2 files changed, 11 insertions(+), 5 deletions(-)

diff --git a/addon/manifests/chart/templates/deployment.yaml b/addon/manifests/chart/templates/deployment.yaml
index d792c81f..191fa38f 100644
--- a/addon/manifests/chart/templates/deployment.yaml
+++ b/addon/manifests/chart/templates/deployment.yaml
@@ -63,7 +63,7 @@ spec:
 periodSeconds: 15
 securityContext:
 privileged: false
- readOnlyRootFilesystem: false
+ readOnlyRootFilesystem: true
 allowPrivilegeEscalation: false
 runAsNonRoot: true
 runAsUser: 1000
@@ -81,10 +81,14 @@ spec:
 volumeMounts:
 - name: klusterlet-config
 mountPath: /var/run/klusterlet
+ - mountPath: /tmp
+ name: tmp
 volumes:
 - name: klusterlet-config
 secret:
 secretName: {{ .Values.hubKubeConfigSecret }}
+ - emptyDir: {}
+ name: tmp
 {{- if .Values.global.imagePullSecret }}
 imagePullSecrets:
 - name: "{{ .Values.global.imagePullSecret }}"
diff --git a/pkg/utils/gitrepo.go b/pkg/utils/gitrepo.go
index 7549b658..cf939bdb 100644
--- a/pkg/utils/gitrepo.go
+++ b/pkg/utils/gitrepo.go
@@ -263,7 +263,7 @@ func CloneGitRepo(cloneOptions *GitCloneOption) (commitID string, err error) {
 options, err := getConnectionOptions(cloneOptions, true)
 if err != nil {
- klog.Error("Failed to get Git clone options with the primary channel. Trying the secondary channel.")
+ klog.Errorf("Failed to get Git clone options with the primary channel. Trying the secondary channel. err: %v", err)
 usingPrimary = false
 }
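Review bot: The new `tmp` volume in the second hunk is declared as `emptyDir: {}` with no `sizeLimit`, so once the root filesystem is read-only everything the addon writes goes to /tmp and is bounded only by the node's ephemeral storage. If git working copies or other scratch data end up there, a large or repeatedly cloned repository can exhaust node disk rather than just this pod; declaring `sizeLimit: <LIMIT>` (value to be chosen) on the emptyDir lets the kubelet evict the pod at a known bound instead. Whether the clone target in pkg/utils/gitrepo.go is actually under /tmp is not visible in this diff, so this is worth confirming against the clone code before picking a limit.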
@@ -273,11 +273,11 @@ func CloneGitRepo(cloneOptions *GitCloneOption) (commitID string, err error) {
 if err != nil {
 if !usingPrimary {
 // we could not get both primary and secondary Git connection options. return error
- klog.Error("Failed to get Git clone options with the secondary channel.")
+ klog.Errorf("Failed to get Git clone options with the secondary channel. err: %v", err)
 return "", err
 }
- klog.Warning("Failed to get Git clone options with the secondary channel.")
+ klog.Warning("Failed to get Git clone options with the secondary channel. err: %v", err)
 }
 // we could not get the connection options with the primary channel but we got it with the secondary channel. Use it instead
@@ -285,7 +285,8 @@ func CloneGitRepo(cloneOptions *GitCloneOption) (commitID string, err error) {
 if secondaryOptions == nil {
 // if trying the secondary connection option but nothing there, return error
 // at this point, we have no Git connection options
- return "", errors.New("failed to build git connection options")
+ klog.Error("failed to build secondary git connection options")
+ return "", errors.New("failed to build secondary git connection options")
 }
 options = secondaryOptions
@@ -320,6 +321,7 @@ func CloneGitRepo(cloneOptions *GitCloneOption) (commitID string, err error) {
 return "", errors.New("Failed to clone git: " + secondaryOptions.URL + " branch: " + cloneOptions.Branch.String() + Error + err.Error())
 }
 } else {
+ klog.Errorf("failed to clone secondary git channel. err: %v", err)
 return "", errors.New("Failed to clone git: " + options.URL + " branch: " + cloneOptions.Branch.String() + Error + err.Error())
 }
 }
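Review bot: The added `klog.Warning("Failed to get Git clone options with the secondary channel. err: %v", err)` hands a format verb to a Print-style function, so the emitted line will contain a literal `%v` with the error value appended as an extra operand rather than substituted. It should be `klog.Warningf("Failed to get Git clone options with the secondary channel. err: %v", err)`, matching the two `klog.Errorf` calls introduced in the same hunk; `go vet`'s printf analyzer reports exactly this mismatch. CloneGitRepo's body begins and ends outside the hunk.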
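Review bot: In the `@@ -285,7 +285,8 @@` hunk the new `klog.Error("failed to build secondary git connection options")` sits directly above a `return` of an error carrying the same text, so the condition is reported twice as soon as the caller handles the returned error; the `@@ -320,6 +321,7 @@` hunk repeats the pattern with `klog.Errorf("failed to clone secondary git channel. err: %v", err)` followed by `errors.New("Failed to clone git: " + options.URL + ...)`. If the goal is to make the secondary-channel context visible, carrying it in the returned error (for example by wrapping `err` with that context) gives one report per failure; otherwise the log lines can be dropped. Whether callers already log the error returned by CloneGitRepo is not visible here, and the function's body begins and ends outside these hunks.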