From 93f78321ec6cef0e60f7f5f9f390c70f477eacee Mon Sep 17 00:00:00 2001
From: "J. Q." <55899496+jawadqur@users.noreply.github.com>
Date: Mon, 2 Feb 2026 11:26:52 -0600
Subject: [PATCH 1/3] Change fuse-container to non-privileged

---
 hatchery/pods.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hatchery/pods.go b/hatchery/pods.go
index a44d027..3360170 100644
--- a/hatchery/pods.go
+++ b/hatchery/pods.go
@@ -547,7 +547,7 @@ func buildPod(hatchConfig *FullHatcheryConfig, hatchApp *Container, userName str
 Name: "fuse-container",
 Image: hatchConfig.Config.Sidecar.Image,
 SecurityContext: &k8sv1.SecurityContext{
- Privileged: &trueVal,
+ Privileged: &falseVal,
 RunAsUser: &sideCarRunAsUser,
 RunAsGroup: &sideCarRunAsGroup,
 },
From f23341164be4f3a1e0e83b0f771888a983a7c2b7 Mon Sep 17 00:00:00 2001
From: "J. Q." <55899496+jawadqur@users.noreply.github.com>
Date: Mon, 2 Feb 2026 11:48:04 -0600
Subject: [PATCH 2/3] remove bidirectional mount

---
 hatchery/pods.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hatchery/pods.go b/hatchery/pods.go
index 3360170..7e3957e 100644
--- a/hatchery/pods.go
+++ b/hatchery/pods.go
@@ -491,7 +491,7 @@ func buildPod(hatchConfig *FullHatcheryConfig, hatchApp *Container, userName str
 {
 MountPath: "/data",
 Name: "shared-data",
- MountPropagation: &bidirectional,
+ // MountPropagation: &hostToContainer,
 },
 {
 MountPath: "/.gen3",
From e67073477a7226b250492e580a83cb485392705d Mon Sep 17 00:00:00 2001
From: "J. Q." <55899496+jawadqur@users.noreply.github.com>
Date: Mon, 2 Feb 2026 11:56:53 -0600
Subject: [PATCH 3/3] remove bidirectional

---
 hatchery/pods.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hatchery/pods.go b/hatchery/pods.go
index 7e3957e..e5cd221 100644
--- a/hatchery/pods.go
+++ b/hatchery/pods.go
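Review bot: `falseVal` is not declared anywhere in this hunk and the only boolean pointer target visible before the change is `trueVal`, so unless buildPod already declares `falseVal` the same way it declares `trueVal`, the patch does not compile. Since the point of the change is to shrink the sidecar's privilege, the same SecurityContext should pin the rest of its posture rather than only flipping Privileged: `AllowPrivilegeEscalation: &falseVal,` and `Capabilities: &k8sv1.Capabilities{Drop: []k8sv1.Capability{"ALL"}},` are the usual companions, otherwise an unprivileged container can still regain capabilities through setuid binaries in its image. A FUSE sidecar that previously relied on privileged mode for /dev/fuse access may now fail at mount time, which a build alone will not reveal; if it still needs the device, grant it through a device plugin or the narrowest capability instead of reverting to Privileged. buildPod begins and ends outside the hunk.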
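Review bot: The replacement line is commented-out code that names `hostToContainer`, a different value from the `bidirectional` it removes, so it documents neither the old behaviour nor the intended one; either set it, `MountPropagation: &hostToContainer,`, or delete the line. With the field absent, Kubernetes defaults propagation to None, so if the fuse-container mounts filesystems under the shared /data volume this container will presumably no longer see them; HostToContainer is the non-privileged way to keep that visibility, while Bidirectional was what required privileged mode in the first place. buildPod begins and ends outside the hunk.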
@@ -368,7 +368,7 @@ func buildPod(hatchConfig *FullHatcheryConfig, hatchApp *Container, userName str
 var sideCarRunAsUser int64
 var sideCarRunAsGroup int64
 var hostToContainer = k8sv1.MountPropagationHostToContainer
- var bidirectional = k8sv1.MountPropagationBidirectional
+ // var bidirectional = k8sv1.MountPropagationBidirectional
 var envVars []k8sv1.EnvVar
 // a null image indicates a dockstore app - always mount user volume
 mountUserVolume := hatchApp.UserVolumeLocation != ""
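Review bot: The `bidirectional` declaration is commented out rather than deleted; the line is now dead, and a commented-out declaration tends to be reintroduced later without the review that removed it, so drop it (together with the commented-out MountPropagation line at the /data mount in the previous patch) and let the history record the change. `hostToContainer` presumably remains referenced elsewhere in buildPod, otherwise Go would reject it as an unused variable exactly as it would have rejected `bidirectional` after patch 2. buildPod begins and ends outside the hunk.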