Moving Keycloak configuration to a separate folder


I'm currently running Keycloak as a pod in a Kubernetes cluster and would like some advice on how to secure it.

Currently, we have a default pod security policy where readOnlyRootFilesystem is set to true. However, it appears that at runtime, Keycloak will create a file called /opt/jboss/keycloak/standalone/configuration/keycloak-add-user.json. The way I would usually fix this would be to mount an empty directory for the service to write to; however, this is not possible in this case, as the configuration folder already contains other files and mounting the directory would replace all of them.

Therefore, I would like some advice on whether or not it's possible (or even advisable) for Keycloak to write all its runtime-generated files to a different folder and then reference it afterwards, or if the only way is to use another pod security policy that would allow for writing to the root filesystem.

Any advice would be very much appreciated. Thanks!
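
The empty-directory mount described in the question can be kept without losing the files already in the configuration folder if an init container first copies them into the volume. The manifest below is an added example, not part of the original post; the pod and volume names, the image reference (with its placeholder tag) and the /seed path are assumptions.

```yaml
# Added example: names, image reference and /seed are assumptions, not from the post.
apiVersion: v1
kind: Pod
metadata:
  name: keycloak
spec:
  volumes:
    # Writable scratch volume that will hold a copy of the configuration folder.
    - name: keycloak-config
      emptyDir: {}
  initContainers:
    # Runs the same image once, before Keycloak starts, and copies the
    # configuration files shipped in the image into the empty volume.
    - name: seed-config
      image: "jboss/keycloak:<tag>"   # placeholder tag; use the image you deploy
      command: ["sh", "-c"]
      args:
        - cp -a /opt/jboss/keycloak/standalone/configuration/. /seed/
      securityContext:
        readOnlyRootFilesystem: true      # the only writable path is the volume
        allowPrivilegeEscalation: false
      volumeMounts:
        - name: keycloak-config
          mountPath: /seed
  containers:
    - name: keycloak
      image: "jboss/keycloak:<tag>"   # placeholder tag; must match the init container
      securityContext:
        readOnlyRootFilesystem: true      # root filesystem stays read-only
        allowPrivilegeEscalation: false
      volumeMounts:
        # The seeded volume now shadows the image's configuration folder, so
        # keycloak-add-user.json can be created next to the original files.
        - name: keycloak-config
          mountPath: /opt/jboss/keycloak/standalone/configuration
```

Because the volume is an emptyDir, the copy is rebuilt from the image on every pod start and anything written to it at runtime is discarded when the pod is removed.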