readOnlyRootFilesystem=true #2880

JSlater743 · 2022-04-04T13:19:09Z

JSlater743
Apr 4, 2022

For security and compliance reasons we are trying to run keda with readOnlyRootFilesystem enabled
FAQs say the following:

We are struggling to understand why the metrics service needs this certificate? Can anyone please explain, or point to more detailed documentation in this area.

Thanks

zroubalik · 2022-04-04T14:18:13Z

zroubalik
Apr 4, 2022
Maintainer

It's for secured communication between the KEDA Metrics Server and Kuberentes apiserver

6 replies

ygnr May 4, 2022

Is there a guide or example on how to generate and pass the certificates? @zroubalik
@JSlater743 Have you made it work?

JSlater743 May 4, 2022
Author

hi @ygnr, no we have not found a way to do this. If you find some instructions could you please let me know. Thank you

ygnr May 4, 2022

@JSlater743 Made it work with similar to what you mentioned above. I saw that certificates are created in the folder /apiserver.local.config/certificates/ so I set the mount path as that folder, like this

--set volumes.metricsApiServer.extraVolumes[0].name=keda-volume
--set volumes.metricsApiServer.extraVolumeMounts[0].name=keda-volume
--set volumes.metricsApiServer.extraVolumeMounts[0].mountPath=/apiserver.local.config/certificates/

and then set the readOnlyRootFilesystem to true on securityContext of metricServer

zroubalik May 4, 2022
Maintainer

Sorry I have been very busy and missed this, that's correct, you need to mount a volume with certs.

@ygnr would be awesome if you can open a PR to KEDA doc repo with this info, so other users can benefit

JSlater743 May 12, 2022
Author

@ygnr Awesome!! that works :-) . Thank you

joebowbeer · 2022-06-27T16:53:54Z

joebowbeer
Jun 27, 2022

Summarizing:

The FAQ answer says you can’t run KEDA with readOnlyRootFilesystem=true unless you create your own cert and configure metrics server to use it.

However it is possible to run KEDA with readOnlyRootFilesystem=true simply by creating an emptyDir volume (default type) and mounting it to the path where, by default, metrics server writes its generated cert:

/apiserver.local.config/certificates/

The helm command is:

helm install keda kedacore/keda --namespace keda \
  --set 'volumes.metricsApiServer.extraVolumes[0].name=keda-volume' \
  --set 'volumes.metricsApiServer.extraVolumeMounts[0].name=keda-volume' \
  --set 'volumes.metricsApiServer.extraVolumeMounts[0].mountPath=/apiserver.local.config/certificates/' \
  --set 'securityContext.metricServer.readOnlyRootFilesystem=true'

PR to improve FAQ answer: kedacore/keda-docs#830

0 replies

joebowbeer · 2024-09-11T03:08:27Z

joebowbeer
Sep 11, 2024

Answered?

https://keda.sh/docs/2.15/reference/faq/#how-do-i-run-keda-with-readonlyrootfilesystemtrue

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

readOnlyRootFilesystem=true #2880

{{title}}

Replies: 3 comments 6 replies

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

Select a reply

readOnlyRootFilesystem=true #2880

JSlater743 Apr 4, 2022

Replies: 3 comments · 6 replies

zroubalik Apr 4, 2022 Maintainer

ygnr May 4, 2022

JSlater743 May 4, 2022 Author

ygnr May 4, 2022

zroubalik May 4, 2022 Maintainer

JSlater743 May 12, 2022 Author

joebowbeer Jun 27, 2022

joebowbeer Sep 11, 2024

JSlater743
Apr 4, 2022

Replies: 3 comments 6 replies

zroubalik
Apr 4, 2022
Maintainer

JSlater743 May 4, 2022
Author

zroubalik May 4, 2022
Maintainer

JSlater743 May 12, 2022
Author

joebowbeer
Jun 27, 2022

joebowbeer
Sep 11, 2024