dongjoon-hyun opened a new pull request, #743:
URL: https://github.com/apache/spark-kubernetes-operator/pull/743

   ### What changes were proposed in this pull request?
   
   This PR aims to enable `readOnlyRootFilesystem` for the operator container 
in the Helm chart.
   
   Since the operator writes temporary files under `java.io.tmpdir` 
(SPARK-57918), an `emptyDir`
   volume is mounted at `/tmp`, following the existing `logs-volume` pattern.
   
   ### Why are the changes needed?
   
   A read-only root filesystem prevents tampering with the container image at 
runtime and
   completes the CIS Benchmark hardening on top of the existing restricted Pod 
Security
   Standard compliance.
   
   ### Does this PR introduce _any_ user-facing change?
   
   Yes. The operator container root filesystem becomes read-only by default; 
writable paths are
   provided via `emptyDir` volumes (`/tmp`, `/opt/spark-operator/logs`). Users 
can override
   `operatorDeployment.operatorPod.operatorContainer.securityContext` if needed.
   
   ### How was this patch tested?
   
   Pass the CIs. Also manually verified with `helm lint --strict` and `helm 
template`.
   
   ### Was this patch authored or co-authored using generative AI tooling?
   
   Generated-by: Claude Fable 5


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to