deploy: run all containers with read-only filesystem

Prevent potential abuse of the container storage a little more, by running all containers with a read-only filesystem. Signed-off-by: Niels de Vos <[email protected]>
red-hat-storage · Mar 12, 2024 · 76e1396 · 76e1396
1 parent 1833f53
commit 76e1396
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 0 deletions.
diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml
@@ -37,6 +37,7 @@ spec:
                   fieldPath: metadata.namespace
           securityContext:
             allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
           livenessProbe:
             httpGet:
               path: /healthz

diff --git a/config/manager/manager_auth_proxy_patch.yaml b/config/manager/manager_auth_proxy_patch.yaml
@@ -30,6 +30,9 @@ spec:
             requests:
               cpu: 10m
               memory: 64Mi
+          securityContext:
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
         - name: manager
           args:
             - "--namespace=$(POD_NAMESPACE)"

diff --git a/deploy/controller/setup-controller.yaml b/deploy/controller/setup-controller.yaml
@@ -56,6 +56,9 @@ spec:
           requests:
             cpu: 10m
             memory: 64Mi
+        securityContext:
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
       - args:
         - --namespace=$(POD_NAMESPACE)
         - --health-probe-bind-address=:8081
@@ -91,6 +94,7 @@ spec:
             memory: 64Mi
         securityContext:
           allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
       securityContext:
         runAsNonRoot: true
       serviceAccountName: csi-addons-controller-manager