From 2d93f1e7983d971b74dd84ee3965aef0de7b2e8e Mon Sep 17 00:00:00 2001
From: Phil Gebhardt
Date: Fri, 3 Apr 2026 09:40:19 -0700
Subject: [PATCH 1/3] gremlin daemonset: allow readOnlyRootFilesystem=true
## TODO
- [ ] finish helm chart unit tests
- [ ] finish regression testing gremlind with a read only root filesystem (including halt behaviors)
---
 gremlin/templates/daemonset.yaml | 1 +
 gremlin/values.yaml | 1 +
 2 files changed, 2 insertions(+)
diff --git a/gremlin/templates/daemonset.yaml b/gremlin/templates/daemonset.yaml
index a928569..ed0b7a6 100644
--- a/gremlin/templates/daemonset.yaml
+++ b/gremlin/templates/daemonset.yaml
@@ -91,6 +91,7 @@ spec:
 add: {{ toYaml .Values.gremlin.podSecurity.capabilities | nindent 14 }}
 {{- if .Values.gremlin.podSecurity.seLinuxOptions }}
 seLinuxOptions: {{ toYaml .Values.gremlin.podSecurity.seLinuxOptions | nindent 12 }}
+ readOnlyRootFilesystem: {{ .Values.gremlin.podSecurity.readOnlyRootFilesystem }}
 {{- end }}
 env:
 - name: GREMLIN_TEAM_ID
diff --git a/gremlin/values.yaml b/gremlin/values.yaml
index 449c9ff..7a496ae 100644
--- a/gremlin/values.yaml
+++ b/gremlin/values.yaml
@@ -153,6 +153,7 @@ gremlin:
 # gremlin.podSecurity.readOnlyRootFilesystem -
 # Forces the Gremlin Daemonset containers to run with a read-only root filesystem
+ # NOTE: When true, Disk and IO experiments against the host will fail unless they target an external volume
 readOnlyRootFilesystem: false
 # gremlin.podSecurity.supplementalGroups -
From 46413e4718b471504142e60d5529b7992d934d26 Mon Sep 17 00:00:00 2001
From: "Zach N."
Date: Wed, 8 Apr 2026 09:33:47 -0700
Subject: [PATCH 2/3] Move readonly line out of if, add unit tests
---
 gremlin/templates/daemonset.yaml | 2 +-
 gremlin/tests/daemonset_test.yaml | 21 +++++++++++++++++++++
 2 files changed, 22 insertions(+), 1 deletion(-)
 create mode 100644 gremlin/tests/daemonset_test.yaml
diff --git a/gremlin/templates/daemonset.yaml b/gremlin/templates/daemonset.yaml
index ed0b7a6..22b31e8 100644
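Review bot: The added `readOnlyRootFilesystem` line sits inside the `{{- if .Values.gremlin.podSecurity.seLinuxOptions }}` block, so the toggle is silently dropped whenever seLinuxOptions is unset; PATCH 2/3 in this series moves it out, so nothing further is needed for that. What the series still does not handle is a nil value: when the key is absent from the effective values (for example a values file that redefines `podSecurity` without it), `{{ .Values.gremlin.podSecurity.readOnlyRootFilesystem }}` renders `readOnlyRootFilesystem:` with an empty scalar, which YAML reads as null (field unset) rather than false. Rendering it as `readOnlyRootFilesystem: {{ .Values.gremlin.podSecurity.readOnlyRootFilesystem | default false }}` keeps the manifest a real boolean in that case; the same applies to the moved line in PATCH 2/3. The enclosing securityContext block starts before this hunk.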
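Review bot: The new NOTE frames the effect as experiments "against the host" failing, but `readOnlyRootFilesystem` only makes the container's own root filesystem read-only; a hostPath or any other volume mount stays writable unless that mount sets `readOnly: true`. Whether Disk and IO experiments are affected therefore depends on the path the agent writes through, which is not visible in this diff, so the comment should name the actual constraint rather than leave it to be inferred. Something like `# NOTE: When true, the container root filesystem is read-only; experiments that write to it rather than to a mounted volume will fail` would be precise once checked against the agent's write paths.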
--- a/gremlin/templates/daemonset.yaml
+++ b/gremlin/templates/daemonset.yaml
@@ -91,8 +91,8 @@ spec:
 add: {{ toYaml .Values.gremlin.podSecurity.capabilities | nindent 14 }}
 {{- if .Values.gremlin.podSecurity.seLinuxOptions }}
 seLinuxOptions: {{ toYaml .Values.gremlin.podSecurity.seLinuxOptions | nindent 12 }}
- readOnlyRootFilesystem: {{ .Values.gremlin.podSecurity.readOnlyRootFilesystem }}
 {{- end }}
+ readOnlyRootFilesystem: {{ .Values.gremlin.podSecurity.readOnlyRootFilesystem }}
 env:
 - name: GREMLIN_TEAM_ID
 {{- /* If we aren't managing this secret and a teamID was supplied, assume teamID is not in the external secret */}}
diff --git a/gremlin/tests/daemonset_test.yaml b/gremlin/tests/daemonset_test.yaml
new file mode 100644
index 0000000..c025d50
--- /dev/null
+++ b/gremlin/tests/daemonset_test.yaml
@@ -0,0 +1,21 @@
+suite: Test other daemonset options
+templates:
+ - daemonset.yaml
+release:
+ name: my-release
+ namespace: my-namespace
+ revision: 1
+ upgrade: true
+tests:
+ - it: should set readOnlyRootFilesystem to false when blank
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem
+ value: false
+ - it: should set readOnlyRootFilesystem when true
+ set:
+ gremlin.podSecurity.readOnlyRootFilesystem: true
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem
+ value: true
From b1ca0d010588020bd922261ff902625b68e4a0fd Mon Sep 17 00:00:00 2001
From: "Zach N."
Date: Wed, 8 Apr 2026 11:51:14 -0700
Subject: [PATCH 3/3] Bump patch version
---
 gremlin/Chart.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/gremlin/Chart.yaml b/gremlin/Chart.yaml
index 9fc398b..93312e8 100644
--- a/gremlin/Chart.yaml
+++ b/gremlin/Chart.yaml
@@ -1,5 +1,5 @@
 name: gremlin
-version: 0.25.1
+version: 0.25.2
 description: The Gremlin Inc client application
 apiVersion: v1
 home: https://www.gremlin.com
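Review bot: The first case, `should set readOnlyRootFilesystem to false when blank`, sets nothing, so it exercises the chart default (`false` in values.yaml) rather than a blank value; a genuinely empty or null setting, which is what would render an empty scalar, is not covered. Either rename it `should default readOnlyRootFilesystem to false`, or add a case that overrides the key with an empty value and asserts what is rendered. A case that sets the flag to true with `gremlin.podSecurity.seLinuxOptions` left unset would pin the regression this commit fixes (the line previously rendered only inside the seLinuxOptions block); whether the second test already does so depends on the chart defaults, which are not visible here.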