Support running with read-only root filesystem #240
Description
Feed-ingress does not currently support running with the following securityContext setting, which would help to increase the security of the running container.
kind: Pod
spec:
containers:
- securityContext:
readOnlyRootFilesystem: true`feed-ingress writes to (at least):
/var/log/nginx(or wherever--access-log-dirpoints)/tmp/nginx/nginx.conf/nginx/nginx.tmpl
The first two are directories and hence an EmptyDir can be mounted for them, for example. The NGINX config and the template are individual files that live in the main /nginx directory along with other required files, hence can't be volume-mounted.
Simply using a mountable directory for the NGINX config (e.g. /nginx/conf/) might be sufficient to allow running with readOnlyRootFilesystem: true (kubesec.io docs). However, we should also check what other files feed-ingress or NGINX might write to.