Skip to content

feat(helm): hubble-relay readOnlyRootFilesystem#43653

Merged
pchaigno merged 1 commit intocilium:mainfrom
jcpunk:hubble-relay-readonlyfs
Mar 5, 2026
Merged

feat(helm): hubble-relay readOnlyRootFilesystem#43653
pchaigno merged 1 commit intocilium:mainfrom
jcpunk:hubble-relay-readonlyfs

Conversation

@jcpunk
Copy link
Copy Markdown
Contributor

@jcpunk jcpunk commented Jan 9, 2026

Please ensure your pull request adheres to the following guidelines:

  • For first time contributors, read Submitting a pull request
  • All code is covered by unit and/or runtime tests where feasible.
  • All commits contain a well written commit description including a title,
    description and a Fixes: #XXX line if the commit addresses a particular
    GitHub issue.
  • If your commit description contains a Fixes: <commit-id> tag, then
    please add the commit author[s] as reviewer[s] to this issue.
  • All commits are signed off. See the section Developer’s Certificate of Origin
  • Provide a title or release-note blurb suitable for the release notes.
  • Are you a user of Cilium? Please add yourself to the Users doc
  • Thanks for contributing!

By redirecting ENV GOPS_CONFIG_DIR to /tmp the hubble-relay container can be mounted with readOnlyRootFilesystem and a small emptyDir. This is recommended for further hardening the container against any unexpected writes by the trivvy scanner.

My cilium 1.18.5 cluster ran with this for 3 days without issue.

The hubble-relay container now runs with readOnlyRootFilesystem

@jcpunk jcpunk requested review from a team as code owners January 9, 2026 22:05
@jcpunk jcpunk requested review from Artyop and glibsm January 9, 2026 22:05
@maintainer-s-little-helper maintainer-s-little-helper bot added the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Jan 9, 2026
@github-actions github-actions bot added the kind/community-contribution This was a contribution made by a community member. label Jan 9, 2026
@joestringer joestringer added the dont-merge/wait-until-release Freeze window for current release is blocking non-bugfix PRs label Jan 9, 2026
@glibsm
Copy link
Copy Markdown
Member

glibsm commented Jan 9, 2026

looks like make -C install/kubernetes is missing

@jcpunk jcpunk force-pushed the hubble-relay-readonlyfs branch from 91a3029 to 1458502 Compare January 10, 2026 01:07
@jcpunk
Copy link
Copy Markdown
Contributor Author

jcpunk commented Jan 10, 2026

Ran it, squashed, and pushed.

@puwun
Copy link
Copy Markdown
Contributor

puwun commented Jan 10, 2026

documentation check is failing, make -C Documentation update-helm-values should fix it

@jcpunk jcpunk force-pushed the hubble-relay-readonlyfs branch from 1458502 to 946c8ce Compare January 10, 2026 17:48
@jcpunk
Copy link
Copy Markdown
Contributor Author

jcpunk commented Jan 10, 2026

In theory this is updated.

HadrienPatte
HadrienPatte reviewed Jan 12, 2026
View reviewed changes
@jcpunk jcpunk force-pushed the hubble-relay-readonlyfs branch from 946c8ce to 109d1a2 Compare January 12, 2026 14:55
glibsm
glibsm reviewed Jan 12, 2026
View reviewed changes
@jcpunk jcpunk force-pushed the hubble-relay-readonlyfs branch from 109d1a2 to 4d6f5f7 Compare January 13, 2026 15:53
@aanm aanm removed the dont-merge/wait-until-release Freeze window for current release is blocking non-bugfix PRs label Jan 14, 2026
@jcpunk jcpunk force-pushed the hubble-relay-readonlyfs branch from 4d6f5f7 to e2f5690 Compare January 23, 2026 17:54
@jcpunk jcpunk force-pushed the hubble-relay-readonlyfs branch from e2f5690 to a039598 Compare February 9, 2026 21:10
@jcpunk
Copy link
Copy Markdown
Contributor Author

jcpunk commented Feb 9, 2026

I think I've got everything addressed.

Artyop
Artyop approved these changes Feb 10, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@Artyop Artyop left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

@Artyop

This comment was marked as outdated.

Sign in to view
@pchaigno pchaigno added release-note/minor This PR changes functionality that users may find relevant to operating Cilium. area/hubble Impacts hubble server or relay labels Feb 11, 2026
@maintainer-s-little-helper maintainer-s-little-helper bot removed dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. labels Feb 11, 2026
@pchaigno pchaigno enabled auto-merge February 11, 2026 13:57
@pchaigno
Copy link
Copy Markdown
Member

pchaigno commented Feb 11, 2026
edited
Loading

@jcpunk The Conformance Cluster Mesh failures persist so could you try to rebase on latest main and we'll see if that fixes it? I don't see how it could be related to your changes.

@jcpunk
feat(helm): hubble-relay readOnlyRootFilesystem
25ce8a9 
By redirecting ENV GOPS_CONFIG_DIR to `/tmp` the
hubble-relay container can be mounted with
readOnlyRootFilesystem and an emptyDir.

Signed-off-by: Pat Riehecky <riehecky@fnal.gov>
auto-merge was automatically disabled February 11, 2026 15:27

Head branch was pushed to by a user without write access

@jcpunk jcpunk force-pushed the hubble-relay-readonlyfs branch from a039598 to 25ce8a9 Compare February 11, 2026 15:27
@jcpunk
Copy link
Copy Markdown
Contributor Author

jcpunk commented Feb 11, 2026

rebased off head

@jcpunk
Copy link
Copy Markdown
Contributor Author

jcpunk commented Feb 16, 2026

Any guesses why this is sad?

@pchaigno pchaigno enabled auto-merge February 17, 2026 08:02
@joestringer
Copy link
Copy Markdown
Member

joestringer commented Mar 4, 2026

@cilium/sig-hubble any chance one of you could help shepherd this PR forward? We briefly looked through this PR during the community meeting today and concretely it seems to be (a) missing review from @cilium/sig-hubble , and (b) hitting CI failures that do not immediately appear to be related. That said if we think that something in the way Hubble runs could cause these failures, you would be the best ones to know.

devodev
devodev approved these changes Mar 4, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@devodev devodev left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The overall change LGTM. I agree that CI failures don't seem related to the change.

@pchaigno pchaigno added this pull request to the merge queue Mar 5, 2026
Merged via the queue into cilium:main with commit 179c8e3 Mar 5, 2026
76 checks passed
@jcpunk jcpunk deleted the hubble-relay-readonlyfs branch March 5, 2026 15:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Artyop Artyop Artyop approved these changes

@HadrienPatte HadrienPatte HadrienPatte approved these changes

@devodev devodev devodev approved these changes

@glibsm glibsm Awaiting requested review from glibsm

Assignees

No one assigned

Labels

area/hubble Impacts hubble server or relay kind/community-contribution This was a contribution made by a community member. release-note/minor This PR changes functionality that users may find relevant to operating Cilium.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

9 participants

@jcpunk @glibsm @puwun @Artyop @pchaigno @joestringer @HadrienPatte @devodev @aanm