Hi,
We're evaluating moving our application deployments from Kubernetes to ECS, but one of the requirements we're struggling with in ECS is command execution. We experimented with ECS Exec, but it requires disabling the readonlyRootFilesystem security feature - see Using Amazon ECS Exec for debugging:
The SSM agent requires that the container file system is able to be written to in order to create the required directories and files. Therefore, making the root file system read-only using the readonlyRootFilesystem task definition parameter, or any other method, isn't supported.
How do ECS users typically deal with this tradeoff? Do you disable readonlyRootFilesystem and find another security measure to mitigate its absence? Or do you forego ECS Exec and find another way to troubleshoot your containers, e.g. by adding more logging to your app?
Thanks,
Jim
AWS 官方已更新 2 年前