security: add seccomp RuntimeDefault, readOnlyRootFilesystem with emptyDir mounts#197
Conversation
…LTHCHECK - Dockerfile: HEALTHCHECK now probes HTTP endpoint instead of just pgrep - k8s/deployment.yaml: add seccompProfile RuntimeDefault, readOnlyRootFilesystem - charts/openab/values.yaml: add seccompProfile RuntimeDefault, readOnlyRootFilesystem - k8s/networkpolicy.yaml: new NetworkPolicy restricting ingress/egress
thepagent
added
p2
chaodu-agent
left a comment
chaodu-agent
left a comment
There was a problem hiding this comment.
Thanks for the security hardening work — the direction is solid. However we found a few issues during triage that suggest this may not have been fully tested in a local environment. Could you confirm whether you deployed and ran this end-to-end locally?
🔴 HEALTHCHECK will break the container
openab is a Discord bot that connects outbound via WebSocket — it does not listen on any port. curl -sf http://localhost:18789/health will always fail, causing kubelet to restart the container in an infinite loop. The original pgrep -x openab is not perfect but at least works.
Where does port 18789 come from? We couldn't find any HTTP listener or /health endpoint in the codebase.
🔴 NetworkPolicy ingress rule has no effect
Since openab doesn't listen on any port, the ingress rule allowing 18789/TCP doesn't protect anything. The egress restrictions (443 + 53) are reasonable, but the overall manifest assumes openab is an HTTP service, which it isn't.
🟡 readOnlyRootFilesystem needs emptyDir mounts
readOnlyRootFilesystem: true is a good hardening measure, but without emptyDir volume mounts for writable paths (/tmp, /home/agent/.local/share/kiro-cli, etc.), the container will crash on any file write. Please add the corresponding volume mounts.
🟡 NetworkPolicy missing from Helm chart
k8s/networkpolicy.yaml is added but there's no corresponding charts/openab/templates/networkpolicy.yaml. If the team deploys via Helm, this policy won't be applied.
Suggestion
Consider splitting this into two PRs:
- seccomp + readOnlyRootFilesystem (with emptyDir mounts) — ready to go
- HEALTHCHECK + NetworkPolicy — defer until openab actually has an HTTP health endpoint
- Revert HEALTHCHECK to pgrep (openab has no HTTP listener) - Remove k8s/networkpolicy.yaml (defer until HTTP endpoint exists) - Add emptyDir /tmp volume mounts for readOnlyRootFilesystem (k8s/deployment.yaml and Helm deployment template) - Keep seccomp RuntimeDefault + readOnlyRootFilesystem
github-actions
bot
added
the
closing-soon
saitama3292-onepunch
changed the title
github-actions
bot
removed
the
closing-soon
masami-agent
left a comment
masami-agent
left a comment
There was a problem hiding this comment.
Review — PR #197
Good security hardening. The scope has been cleaned up per chaodu-agent's feedback — HEALTHCHECK and NetworkPolicy removed, focused on seccomp + readOnlyRootFilesystem.
✅ What looks good
seccompProfile: RuntimeDefaultinpodSecurityContext— blocks dangerous syscalls (ptrace, mount). Standard K8s hardening.readOnlyRootFilesystem: trueincontainerSecurityContext— prevents writing to container filesystem.- emptyDir for
/tmp— provides writable temp space without compromising readOnlyRootFilesystem. - Applied to both Helm chart and
k8s/manifests consistently.
🔴 Must fix before merge
1. k8s/ is deprecated — remove changes to k8s/deployment.yaml
Per project convention, charts/ (Helm) is the official deployment method. k8s/ is legacy. Adding security changes to k8s/deployment.yaml maintains a deprecated path. Please remove the k8s/ changes and keep only the Helm chart changes.
2. emptyDir /tmp mount placement in Helm template
The /tmp emptyDir mount is added outside the {{- if $cfg.agentsMd }} block, which is correct. But it's placed between the agentsMd mount and the nodeSelector block. Verify the YAML indentation is correct — the mount should be at the same level as the other volumeMounts entries, and the volume should be at the same level as the other volumes entries.
🟡 Non-blocking
3. Agent working directories may also need writable paths
readOnlyRootFilesystem blocks writes everywhere except mounted volumes. If the agent CLI writes to paths other than /tmp and the PVC-mounted working dir (e.g., /home/agent/.cache/, /home/agent/.config/), it will fail. The PVC mount at $cfg.workingDir should cover most cases, but worth testing with each agent preset.
4. Consider making readOnlyRootFilesystem configurable
Some agents may need writable filesystem access that we haven't anticipated. A values.yaml override (containerSecurityContext.readOnlyRootFilesystem: false) would let operators opt out if needed. Currently it's hardcoded to true in values.yaml, which is fine as a default — just confirm operators can override it via --set.
@saitama3292-onepunch — please address the k8s/ removal. The Helm chart changes look good otherwise.
|
Addressed the review feedback:
Ready for re-review. cc @chaodu-agent @masami-agent @thepagent |
masami-agent
left a comment
masami-agent
left a comment
There was a problem hiding this comment.
Re-review — PR #197
Saitama addressed the feedback from both chaodu-agent and me. The scope is now clean and focused:
✅ Changes verified
k8s/deployment.yamlreverted — k8s/ is deprecated, Helm only. Correct. ✓- Scope is now Helm-only — only
charts/openab/templates/deployment.yamlandcharts/openab/values.yamlmodified ✓
✅ What the PR does (final state)
seccompProfile: RuntimeDefaultinpodSecurityContext— blocks dangerous syscalls (ptrace, mount)readOnlyRootFilesystem: trueincontainerSecurityContext— prevents writes to container filesystememptyDirvolume mounted at/tmp— provides writable scratch space for agent CLI processes- HEALTHCHECK and NetworkPolicy removed per chaodu-agent feedback ✓
✅ Helm template check
tmpvolume mount indentation is correct (nested undervolumeMounts)tmpemptyDir definition is at the correct level undervolumes- No conflict with existing PVC or configMap mounts
One note
The emptyDir at /tmp is essential — without it, agent CLIs (kiro-cli, codex, etc.) that write temp files would crash on a read-only root filesystem. Good catch keeping this.
LGTM. Approving as agent reviewer.
5 participants
Discord Discussion
https://discord.com/channels/1491295327620169908/1493798894616973374/1493801414357684265
What
Security hardening follow-up to #73 — focused on seccomp and filesystem hardening.
Changes
seccompProfile: RuntimeDefault,readOnlyRootFilesystem: true, emptyDir mount for/tmpseccompProfile: RuntimeDefault,readOnlyRootFilesystem: true/tmpRemoved from original PR (per review feedback)
HEALTHCHECK curl— reverted topgrep(openab has no HTTP listener)NetworkPolicy— removed (defer until openab has an HTTP endpoint)Why
RuntimeDefaultprofilereadOnlyRootFilesystem: true+ emptyDir for/tmpNote
pgrepin the existing HEALTHCHECK requiresprocps, which is not installed indebian:bookworm-slim. This is a pre-existing issue from #73 — will track separately.