Allow running with read only file system (#1884)

* Allow running with read only file system

* CR fixes
Support rendering graphs images from DD toolset

* CR fixes

Author: arikalon1

helm/robusta/templates/runner.yaml

@@ -41,6 +41,24 @@ spec:
       securityContext:
       {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- if .Values.runner.hardenedFs }}
+      initContainers:
+      - name: setup-venv
+        {{- if .Values.runner.image }}
+        image: {{ .Values.runner.image }}
+        {{ else }}
+        image: {{ .Values.image.registry }}/{{ .Values.runner.imageName }}
+        {{- end }}
+        command:
+          - sh
+          - -c
+          - >
+            SRC="/venv/lib/$(python -V | cut -d' ' -f2 | cut -d. -f1,2)/site-packages" &&
+            cp -a "${SRC}/." /venv-writable/
+        volumeMounts:
+        - name: venv-lib-volume
+          mountPath: /venv-writable
+      {{- end }}
       containers:
       - name: runner
         {{- if .Values.runner.image }}
@@ -51,7 +69,12 @@ spec:
         imagePullPolicy: {{ .Values.runner.imagePullPolicy }}
         {{- with .Values.runner.securityContext.container }}
         securityContext:
-        {{- toYaml . | nindent 12 }}
+        {{- if $.Values.runner.hardenedFs }}
+          {{- $hardened := merge (dict "readOnlyRootFilesystem" true) . }}
+          {{- toYaml $hardened | nindent 12 }}
+        {{- else }}
+          {{- toYaml . | nindent 12 }}
+        {{- end }}
         {{- end }}
         env:
           - name: PLAYBOOKS_CONFIG_FILE_PATH
@@ -129,6 +152,16 @@ spec:
           - name: persistent-playbooks-storage
             mountPath: /etc/robusta/playbooks/storage
           {{- end }}
+          {{- if .Values.runner.hardenedFs }}
+          - name: tmp-volume
+            mountPath: /tmp
+          - name: app-git-volume
+            mountPath: /app/robusta-git
+          - name: cache-volume
+            mountPath: /root/.cache
+          - name: venv-lib-volume
+            mountPath: /venv/lib/python3.11/site-packages
+          {{- end }}
           {{- with .Values.runner.extraVolumeMounts }}
           {{- toYaml . | nindent 10 }}
           {{- end }}
@@ -182,6 +215,16 @@ spec:
           persistentVolumeClaim:
             claimName: persistent-playbooks-pv-claim
         {{- end }}
+        {{- if .Values.runner.hardenedFs }}
+        - name: tmp-volume
+          emptyDir: {}
+        - name: app-git-volume
+          emptyDir: {}
+        - name: cache-volume
+          emptyDir: {}
+        - name: venv-lib-volume
+          emptyDir: {}
+        {{- end }}
         {{- with .Values.runner.extraVolumes }}
         {{- toYaml . | nindent 8 }}
         {{- end }}

helm/robusta/values.yaml

@@ -706,6 +706,8 @@ runner:
       privileged: false
       readOnlyRootFilesystem: false
     pod: {}
+  # Enable hardened filesystem security (read-only root filesystem with writable volume mounts)
+  hardenedFs: false
 
 kube-prometheus-stack:
   alertmanager:

src/robusta/core/playbooks/internal/ai_integration.py

@@ -359,7 +359,7 @@ def holmes_chat(event: ExecutionBaseEvent, params: HolmesChatParams):
         if params.render_graph_images:
             try:
                 for tool in holmes_result.tool_calls:
-                    if tool.tool_name != "execute_prometheus_range_query":
+                    if tool.tool_name not in ["execute_prometheus_range_query", "query_datadog_metrics"]:
                         continue
                     holmes_result.analysis = re.sub(r"<<.*?>>", "", holmes_result.analysis).strip()
                     json_content = json.loads(tool.result["data"])