Connect: `run-shiny-*` pods on AKS are denied by `azurev3readonlyrootfilesystem` policy

[pat-s]

Just as an FYI and possibly to help others stumbling here in the future.

Here's the policy description:

Kubernetes cluster containers should run with a read only root file system

Run containers with a read only root file system to protect from changes at run-time with malicious binaries being added to PATH in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.

Would it be possible to set this as the default for the connect pods or would this break the application and one needs to disable this policy for Connect?

[colearendt]

Thanks for raising this! We have started some digging into this avenue, but today this policy will definitely conflict with the service itself (i.e. Connect), which writes a handful of temp files, etc.

I believe this will also cause issues with the content processes as well. For instance, every R process automatically gets a temp directory (which will be written to the ephemeral filesystem), which is used for such things as file uploads, etc. We may have avenues we can take using emptyDir volumes or some such to get around this issue, but for now I think your best bet is to disable this policy if possible. We aim to do more testing and provide better guidance for handling these types of policies in the future.

[pat-s]

Thanks for the quick reply! Saves me from further trial and error applies regarding readOnlyRootFilesystem: true etc :)

[dbkegley]

This is not something we plan to support.