Description: Due to security reasons, we might want to run a delegate on K8s with the root file system as read-only. This causes delegates to fail and not start.
Additional constraints:
- Allow exec permissions in rootFileSystem i.e allow start.sh from /opt/harness-delegate but do not allow write in the /opt/harness-delegate.
- Mount additional volumes where we want ALL writes to happen but do not allow any exec from this directory.
Summary: Exec permissions and Write permissions are not allowed together on the same directory/mount point.
Proposal/Suggestion:
Create a start_wrapper.sh script to work with PVC instead of emptyDir.
- Introduce a new env in delegate yaml to let customer specify a “working directory”.
a. Is it possible to use the HOME env variable defined in Delegate YAML? - Make changes to the CD swimlane to use the directory directory to perform all write operations, for e.g
a. All writes to/tmp
b. Creating helm repo yaml (add repo command)
c. Git clone
d. Terraform