config: set readOnlyRootFilesystem on all containers

vdemeester · openshift-merge-bot[bot] · commit c6acc1e5012d · 2025-06-18T13:17:25.000Z
`readOnlyRootFilesystem` will keep you from writing anywhere other
than a mounted volume. It's not just the root directory but the entire
root filesystem.

It's a security best practice that we should embrace in all the Tekton
components.

Signed-off-by: Vincent Demeester &lt;vincent@sbr.pm&gt;
diff --git a/config/kubernetes/500-controller.yaml b/config/kubernetes/500-controller.yaml
@@ -75,6 +75,7 @@ spec:
             type: RuntimeDefault
           runAsNonRoot: true
           allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
           runAsUser: 65532
           capabilities:
             drop:
diff --git a/config/kubernetes/500-webhook.yaml b/config/kubernetes/500-webhook.yaml
@@ -55,6 +55,7 @@ spec:
               type: RuntimeDefault
             runAsNonRoot: true
             allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
             runAsUser: 65532
             capabilities:
               drop:
diff --git a/config/openshift/500-controller.yaml b/config/openshift/500-controller.yaml
@@ -75,6 +75,7 @@ spec:
             type: RuntimeDefault
           # runAsNonRoot: true
           allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
           # runAsUser: 65532
           capabilities:
             drop:
diff --git a/config/openshift/500-webhook.yaml b/config/openshift/500-webhook.yaml
@@ -55,6 +55,7 @@ spec:
               type: RuntimeDefault
             # runAsNonRoot: true
             allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
             # runAsUser: 65532
             capabilities:
               drop:
