readonlyfilesystem and running as not-root (from helm example) makes pod fail about yetibot HOT 3 OPEN

Thanks for reporting @KlavsKlavsen. These suggested settings were generated by the helm chart, but they aren't actually supported (I've never tested them). Yetibot requires write access for logging, at the very least. That can be disabled though.

Do you think it's an important feature? We could see if it works with logging disabled.

from yetibot.

@devth It is a HUGE security feature to make the process run as none-root.. in OpenShift you aren't even allowed do run a docker instance that doesn't work running as not-root - and with good reason. Many docker/pod escapes only works if the process inside runs as root.. So if this can be disabled, it greatly increases k8s security level for the pod (minimizing chance of escape greatly).
Here's one example: https://medium.com/@DahlitzF/run-python-applications-as-non-root-user-in-docker-containers-by-example-cba46a0ff384 (for python process - its even simpler for a GO application :)

and as to readonlyfilesystem - the norm is to log to stdout/stderr - removing the need for logging to the filesystem - to avoid the need for write access (and hence an attack on code inside pod/container can't actually write anything to the container.. which is often a huge part of subverting/attacking a service.

from yetibot.

The rolling log appender can be disabled. Looks like this config option wasn't documented, but I added it in yetibot/core@254da5c.

Agree on the standard to log to stdout/stderr in container environments. I just disabled it by default in the Helm chart: yetibot/yetibot-helm@988fd7d...a115098

Thanks for brining up running as non root. Agree we should support this.

from yetibot.