
Support Security Context "readonlyRootFilesystem" #5346

Open
hfjeche opened this issue Jan 21, 2025 · 1 comment
Labels
backlog bug Something isn't working

Comments

@hfjeche

hfjeche commented Jan 21, 2025

Is your feature request related to a problem? Please describe.
We are using Data Prepper to forward OTel trace data to AWS managed OpenSearch. Our security team would like to enhance the Kubernetes OPA requirement for container-level security context as

```yaml
securityContext:
  readOnlyRootFilesystem: true
```

Data Prepper is showing the error below in the log:

```text
ERROR StatusConsoleListener Unable to create file log/data-prepper/data-prepper.log

java.io.IOException: Could not create directory /usr/share/data-prepper/log/data-prepper
at org.apache.logging.log4j.core.util.FileUtils.mkdir(FileUtils.java:128)
at org.apache.logging.log4j.core.util.FileUtils.makeParentDirs(FileUtils.java:141)
```

Once I mounted an emptyDir for the log path, Data Prepper failed with:

```text
Caused by: java.lang.RuntimeException: Unable to create the directory at the provided path: service-map
```

Describe the solution you'd like
A separate mountable filesystem to minimize the security risk

Describe alternatives you've considered (Optional)
A clear and concise description of any alternative solutions or features you've considered.

Additional context
Add any other context or screenshots about the feature request here.

@dlvenable
Member

@hfjeche,

Data Prepper currently does expect to be able to write to the file system for at least two purposes:

  1. Writing log files
  2. The service_map processor stores data locally

What is the solution you would like for this?

We could probably make the service_map not use a file by configuration. You can see where this is currently used here:

Would you be able to create a PR to disable the local storage for service_map?

What about the logs - where would you like those?

@dlvenable dlvenable added bug Something isn't working backlog and removed untriaged labels Jan 21, 2025
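The thread above describes two writable locations Data Prepper needs (the log directory and the service_map processor's local storage) and the workaround of backing them with emptyDir volumes while the root filesystem stays read-only. The following Python is an added example, not Data Prepper project code or anything posted in this issue: a small policy check of the kind an OPA/admission rule would enforce, run against two constructed Pod specs. The log directory comes from the error message in the issue; the service-map directory under `/usr/share/data-prepper` is an assumption based on the relative path `service-map` in the stack trace, and the image name is a placeholder.

```python
"""Policy check: readOnlyRootFilesystem plus writable volumes for the paths
Data Prepper needs. Added example, not Data Prepper project code."""
from typing import Dict, List

# Log directory taken from the issue's IOException; the service-map directory
# is an ASSUMED location derived from the relative path "service-map".
REQUIRED_WRITABLE_PATHS = [
    "/usr/share/data-prepper/log",
    "/usr/share/data-prepper/service-map",  # assumed
]


def _covers(mount_path: str, needed: str) -> bool:
    """True if a mount at mount_path makes `needed` writable (same dir or a parent)."""
    mount_path = mount_path.rstrip("/") or "/"
    needed = needed.rstrip("/") or "/"
    return mount_path == "/" or needed == mount_path or needed.startswith(mount_path + "/")


def check_pod(pod: Dict) -> List[str]:
    """Return policy violations for every container; an empty list means compliant."""
    violations: List[str] = []
    volumes = {v["name"]: v for v in pod["spec"].get("volumes", [])}
    for c in pod["spec"].get("containers", []):
        sc = c.get("securityContext") or {}
        if sc.get("readOnlyRootFilesystem") is not True:
            violations.append(f"{c['name']}: readOnlyRootFilesystem is not true")
        # Only mounts that are not marked readOnly can satisfy a writable path.
        mounts = [m for m in c.get("volumeMounts", []) if not m.get("readOnly", False)]
        for needed in REQUIRED_WRITABLE_PATHS:
            covering = [m for m in mounts if _covers(m["mountPath"], needed)]
            if not covering:
                violations.append(f"{c['name']}: no writable volume covers {needed}")
                continue
            for m in covering:
                vol = volumes.get(m["name"])
                if vol is None:
                    violations.append(f"{c['name']}: mount {m['name']} has no matching volume")
                elif "hostPath" in vol:
                    # A hostPath would reintroduce node-level write access; reject it.
                    violations.append(f"{c['name']}: {needed} is backed by hostPath {m['name']}")
    return violations


# Constructed sample: the situation in the issue, no securityContext and no mounts.
BROKEN_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "data-prepper"},
    "spec": {"containers": [{"name": "data-prepper", "image": "data-prepper:placeholder"}]},
}

# Constructed sample: read-only root with emptyDir volumes for the two paths.
FIXED_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "data-prepper"},
    "spec": {
        "volumes": [
            {"name": "logs", "emptyDir": {}},
            {"name": "service-map", "emptyDir": {}},
        ],
        "containers": [
            {
                "name": "data-prepper",
                "image": "data-prepper:placeholder",
                "securityContext": {"readOnlyRootFilesystem": True},
                "volumeMounts": [
                    {"name": "logs", "mountPath": "/usr/share/data-prepper/log"},
                    {"name": "service-map", "mountPath": "/usr/share/data-prepper/service-map"},
                ],
            }
        ],
    },
}


if __name__ == "__main__":
    for label, pod in (("broken", BROKEN_POD), ("fixed", FIXED_POD)):
        print(label, check_pod(pod) or "compliant")
```

The check deliberately rejects hostPath-backed mounts as well as missing ones, since the point of a read-only root filesystem is lost if the writable directories end up on the node's filesystem; emptyDir keeps them pod-scoped and discarded with the pod. If the service_map processor gains a configuration option to stop writing locally, as suggested above, the second entry in `REQUIRED_WRITABLE_PATHS` can simply be dropped.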