Any plans to support setting the "readOnlyRootFilesystem" securityContext via okteto manifest?

Hi there! The Okteto manifest allows you to override some of the container’s security context for development purposes: Okteto Manifest | Okteto Documentation

One of the settings it’s missing is the “readOnlyRootFilesystem” setting, which we have enabled on all our containers by default because of recommendations from security scanners like Checkov. For the dev containers, it seems we need to write to the root filesystem because of some python-specific setup requirements when initializing them.

It’s definitely possible for us to overlay another values.<env>.yaml file via Helm to change this for remote-dev workloads, but it’d be much more convenient if the okteto manifest let us alter this. I’m not sure if it’s possible or easy either way, given how these directories are already mounted by the workload before the dev container starts, but figured I’d ask.

This is what happens in our python app when we try to connect a dev container via okteto up

Persistent volume successfully attached
 ✓  Images successfully pulled
 ✓  Files synchronized
    Context:   <on-prem-url>
    Namespace: <me>
    Name:      api
    Forward:   30005 -> 5000
               30006 -> 3306
    Reverse:   5556 <- 5556

Defaulting to user installation because normal site-packages is not writeable
Obtaining file:///api
  Preparing metadata ( ... done
WARNING: Error parsing requirements for api: Invalid URL: wheelhouse/marshmallow_v1
Installing collected packages: api
  Running develop for api
    error: subprocess-exited-with-error
    × python develop did not run successfully.
    │ exit code: 1
    ╰─> [27 lines of output]
        running develop
        error: can't create or remove files in install directory
        The following error occurred while trying to add or remove files in the
        installation directory:
            [Errno 30] Read-only file system: '/root/.local/lib/python3.8/site-packages/test-easy-install-90.write-test'
        The installation directory you specified (via --install-dir, --prefix, or
        the distutils default setting) was:
        Perhaps your account does not have write access to this directory?  If the
        installation directory is a system-owned directory, you may need to sign in
        as the administrator or "root" account.  If you do not have administrative
        access to this machine, you may wish to choose a different installation
        directory, preferably one that is listed in your PYTHONPATH environment
        For information on other options, you may wish to consult the
        documentation at:

        Please make the appropriate changes for your system and try again.
        [end of output]
    note: This error originates from a subprocess, and is likely not a problem with pip.
error: subprocess-exited-with-error
1 Like