fix(helm): enable readOnlyRootFilesystem + /tmp emptyDir for executor #59
Open
bart-agent[bot] wants to merge 1 commit into main from
Conversation
Enables readOnlyRootFilesystem: true in the default securityContext and adds a tmpDir emptyDir volume (enabled by default) mounted at /tmp, so uv and other tools that write to /tmp work correctly in hardened pod environments. Relates to CUS-8308, ING-2257. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
skrydal (Contributor) requested changes on Apr 13, 2026
This change will effectively break deployments for users who are not running code with the change from the other PR, https://github.com/acryldata/datahub-fork/pull/8991/changes, as that one sets HOME/UV_CACHE_DIR to /tmp/....
This is too high a risk, and moreover we shouldn't be mixing up two layers of responsibility (config and execution). Please set default values for HOME and UV_CACHE_DIR in the values of the Helm chart. The change in the datahub-executor will then no longer be needed.
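The review above is really a consistency requirement: once readOnlyRootFilesystem is on, every directory the executor writes to (HOME, uv's cache, TMPDIR) has to land under a volume mount that is actually writable. The following check makes that requirement mechanical. It is an added example, not code from this PR or from the datahub Helm chart: it walks a rendered Pod spec in dict form (what `helm template` produces once parsed) and reports each container whose root FS is read-only but whose scratch directories are unset or fall outside a non-readOnly emptyDir/PVC/hostPath mount. The three Pod specs, the volume name tmp-dir and the env values /tmp/executor-home and /tmp/uv-cache are constructed for illustration; the thread only says the other PR points these at "/tmp/...".

```python
"""Consistency check for a hardened executor Pod spec (added example, not project code).

Reports containers that set readOnlyRootFilesystem but whose HOME, UV_CACHE_DIR or
TMPDIR would resolve to a path that is not under a writable, non-readOnly volume mount.
"""
from __future__ import annotations

import posixpath

# Volume types that are writable inside the pod (unless the mount itself is readOnly).
WRITABLE_VOLUME_TYPES = ("emptyDir", "persistentVolumeClaim", "hostPath")


def _writable_mount_paths(container: dict, volumes: list) -> list:
    """Mount paths in this container backed by a writable volume and not mounted readOnly."""
    writable = {v["name"] for v in volumes if any(t in v for t in WRITABLE_VOLUME_TYPES)}
    return [
        posixpath.normpath(m["mountPath"])
        for m in container.get("volumeMounts", [])
        if m["name"] in writable and not m.get("readOnly", False)
    ]


def _under(path: str, mount: str) -> bool:
    """True if path is the mount point itself or lies below it (no prefix false positives)."""
    path = posixpath.normpath(path)
    return path == mount or path.startswith(mount.rstrip("/") + "/")


def _scratch_dirs(container: dict) -> dict:
    """Directories the process writes to, resolved the way uv and libc would.

    Only literal `value:` entries are read; valueFrom/envFrom references are ignored here.
    """
    env = {e["name"]: e["value"] for e in container.get("env", []) if "value" in e}
    home = env.get("HOME")  # unset: decided by the image's /etc/passwd, not by the chart
    cache = env.get("UV_CACHE_DIR")
    if cache is None:  # uv's Linux default: $XDG_CACHE_HOME/uv, else $HOME/.cache/uv
        base = env.get("XDG_CACHE_HOME") or (posixpath.join(home, ".cache") if home else None)
        cache = posixpath.join(base, "uv") if base else None
    return {"HOME": home, "UV_CACHE_DIR": cache, "TMPDIR": env.get("TMPDIR", "/tmp")}


def check_scratch_paths(pod_spec: dict) -> list:
    """Return human-readable findings; an empty list means the spec is consistent."""
    findings = []
    volumes = pod_spec.get("volumes", [])
    for c in pod_spec.get("containers", []):
        if not c.get("securityContext", {}).get("readOnlyRootFilesystem", False):
            continue  # writable root FS: nothing to check
        mounts = _writable_mount_paths(c, volumes)
        for var, path in _scratch_dirs(c).items():
            if path is None:
                findings.append(f"{c['name']}: {var} is unset; its default is outside every writable mount")
            elif not any(_under(path, m) for m in mounts):
                findings.append(f"{c['name']}: {var}={path} is not under a writable mount {mounts}")
    return findings


# ---- constructed specs (illustration only; names and values are assumptions) ----
def _executor(env: list, mounts: list) -> dict:
    return {
        "name": "executor",
        "securityContext": {"readOnlyRootFilesystem": True, "runAsNonRoot": True, "runAsUser": 1000},
        "volumeMounts": mounts,
        "env": env,
    }


TMP_VOLUME = [{"name": "tmp-dir", "emptyDir": {}}]
TMP_MOUNT = [{"name": "tmp-dir", "mountPath": "/tmp"}]
ENV_DEFAULTS = [  # assumed values; the thread only says "/tmp/..."
    {"name": "HOME", "value": "/tmp/executor-home"},
    {"name": "UV_CACHE_DIR", "value": "/tmp/uv-cache"},
]

# What this PR renders on its own: tmpDir enabled, no HOME/UV_CACHE_DIR defaults in values.
SPEC_PR_ONLY = {"volumes": TMP_VOLUME, "containers": [_executor([], TMP_MOUNT)]}
# The same plus env defaults in values.yaml, as the review asks for.
SPEC_WITH_ENV_DEFAULTS = {"volumes": TMP_VOLUME, "containers": [_executor(ENV_DEFAULTS, TMP_MOUNT)]}
# Env defaults present but tmpDir.enabled=false, so nothing under /tmp is writable.
SPEC_TMPDIR_DISABLED = {"volumes": [], "containers": [_executor(ENV_DEFAULTS, [])]}

if __name__ == "__main__":
    for name, spec in [("pr-only", SPEC_PR_ONLY),
                       ("with-env-defaults", SPEC_WITH_ENV_DEFAULTS),
                       ("tmpdir-disabled", SPEC_TMPDIR_DISABLED)]:
        print(name, check_scratch_paths(spec) or "OK")
```

Run against `helm template` output (parsed to a dict) in CI, the check catches both failure modes the thread describes: the chart enabling the read-only root FS before HOME/UV_CACHE_DIR defaults exist, and a user later disabling tmpDir while the env defaults still point under /tmp.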
Summary
- readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 in the default securityContext (previously commented-out defaults)
- tmpDir feature flag (enabled: true by default) that mounts a writable emptyDir at /tmp, required so uv's cache dir and other tooling that writes to /tmp continue to work under the enforced read-only root FS
- Deployments that override securityContext or set tmpDir.enabled: false are unaffected
Relates to CUS-8308, ING-2257.
Test plan
- Deploy with readOnlyRootFilesystem: true and verify the executor starts and runs ingestion without filesystem errors
- Verify /tmp is writable inside the container (uv cache writes succeed)
- Verify deployments with a securityContext: {} override are unaffected
🤖 Generated with Claude Code