Merge pull request #1671 from ArthurSens/readOnlyRootFilesystem

k8s-ci-robot · web-flow · commit 9ea05e42fb90 · 2022-01-27T01:03:12.000-08:00
jsonnet: Forbid write access to root filesystem
diff --git a/examples/autosharding/statefulset.yaml b/examples/autosharding/statefulset.yaml
@@ -55,6 +55,7 @@ spec:
           timeoutSeconds: 5
         securityContext:
           allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
           runAsUser: 65534
       nodeSelector:
         kubernetes.io/os: linux
diff --git a/examples/standard/deployment.yaml b/examples/standard/deployment.yaml
@@ -42,6 +42,7 @@ spec:
           timeoutSeconds: 5
         securityContext:
           allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
           runAsUser: 65534
       nodeSelector:
         kubernetes.io/os: linux
diff --git a/jsonnet/kube-state-metrics/kube-state-metrics.libsonnet b/jsonnet/kube-state-metrics/kube-state-metrics.libsonnet
@@ -163,7 +163,11 @@
         { name: 'http-metrics', containerPort: 8080 },
         { name: 'telemetry', containerPort: 8081 },
       ],
-      securityContext: { runAsUser: 65534, allowPrivilegeEscalation: false },
+      securityContext: { 
+        runAsUser: 65534, 
+        allowPrivilegeEscalation: false,        
+        readOnlyRootFilesystem: true,
+      },
       livenessProbe: { timeoutSeconds: 5, initialDelaySeconds: 5, httpGet: {
         port: 8080,
         path: '/healthz',
