Kubernetes Argo workflows are failing with psp-readonlyrootfilesystem error

I have the following Argo workflow, which has a securityContext added. After running it, it fails with a ReadOnlyRootFilesystem error, as shown below.

Here is the workflow yaml.

apiVersion: argoproj.io/v1alpha1
kind: Workflow
metadata:
  generateName: hello-world-
spec:
  entrypoint: whalesay
  templates:
  - name: whalesay
    container:
      image: docker/whalesay:latest
      command: [cowsay]
      args: ["hello world"]
      securityContext:
        readOnlyRootFilesystem: true

The error is as follows:

Warning  WorkflowNodeError  17s  workflow-controller  Error node hello-world-tcdbg: admission webhook "validation.gatekeeper.sh" denied the request: [psp-readonlyrootfilesystem] only read-only root filesystem container is allowed: wait

[psp-readonlyrootfilesystem] only read-only root filesystem container is allowed: init

Am I using securityContext in the wrong position, or am I missing anything? What's the fix for it?

There are 1 best solutions below

Try using init containers in the YAML file as follows:

apiVersion: argoproj.io/v1alpha1
kind: Workflow
metadata:
  generateName: init-container-
spec:
  entrypoint: init-container-example
  templates:
  - name: init-container-example
    container:
      image: alpine:latest
      command: ["echo", "bye"]
      securityContext:
        readOnlyRootFilesystem: true
      volumeMounts:
      - name: foo
        mountPath: /foo
    initContainers:
    - name: hello
      image: alpine:latest
      command: ["echo", "hello"]
      mirrorVolumeMounts: true
  volumes:
    - name: foo
      emptyDir: {}

Note that readOnlyRootFilesystem: true cannot be set when spec.os.name is windows.

For more information follow this yaml for any changes and modifications.
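
The admission check named in the error, as an added example that is not part of the original question or answer and is not Gatekeeper's own code: a Python sketch of the rule behind `psp-readonlyrootfilesystem`, run over a constructed pod spec. The pod layout (an `init` init container and a `wait` container added by the Argo workflow controller next to the user's `main` container) and the `argoexec:placeholder` image name are assumptions based on the container names in the denial message.

```python
# Added example: emulates the rule behind the "psp-readonlyrootfilesystem"
# denial. Not Gatekeeper's own code (the real policy is written in Rego).

def read_only_violations(pod_spec):
    """Return names of containers that do not set readOnlyRootFilesystem: true."""
    violations = []
    # The check covers every container in the pod, not just the user's one.
    for field in ("containers", "initContainers", "ephemeralContainers"):
        for c in pod_spec.get(field) or []:
            sc = c.get("securityContext") or {}
            if sc.get("readOnlyRootFilesystem") is not True:
                violations.append(c["name"])
    return violations


def denial_messages(pod_spec):
    """Format violations the way they appear in the webhook error."""
    return [
        "[psp-readonlyrootfilesystem] only read-only root filesystem "
        f"container is allowed: {name}"
        for name in read_only_violations(pod_spec)
    ]


# Constructed pod spec (assumption): the workflow pod after the Argo
# controller has added its own "init" and "wait" containers around the
# user's container ("main"). Only "main" carries the template's
# securityContext.
WORKFLOW_POD = {
    "initContainers": [
        {"name": "init", "image": "argoexec:placeholder"},
    ],
    "containers": [
        {"name": "wait", "image": "argoexec:placeholder"},
        {
            "name": "main",
            "image": "docker/whalesay:latest",
            "securityContext": {"readOnlyRootFilesystem": True},
        },
    ],
}

if __name__ == "__main__":
    for line in denial_messages(WORKFLOW_POD):
        print(line)
```

Run against the pod that is actually submitted (for example the JSON from `kubectl get pod <name> -o json`, passing its `spec`), the function lists every container the constraint would reject.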