Merge pull request #1215 from ShazaAldawamneh/OCPSTRAT-1076

openshift-merge-bot[bot] · web-flow · commit 0c697720ea49 · 2025-06-16T05:40:47.000Z
OCPSTRAT-1076: Add readonlyRootFilesystem
diff --git a/bindata/nodecadaemon.yaml b/bindata/nodecadaemon.yaml
@@ -29,6 +29,7 @@ spec:
       containers:
       - name: node-ca
         securityContext:
+          readOnlyRootFilesystem: true
           privileged: true
           runAsUser: 1001
           runAsGroup: 0
diff --git a/manifests/07-operator-ibm-cloud-managed.yaml b/manifests/07-operator-ibm-cloud-managed.yaml
@@ -62,6 +62,8 @@ spec:
           requests:
             cpu: 10m
             memory: 50Mi
+        securityContext:
+          readOnlyRootFilesystem: true
         terminationMessagePolicy: FallbackToLogsOnError
         volumeMounts:
         - mountPath: /var/run/configmaps/trusted-ca/
@@ -71,6 +73,8 @@ spec:
         - mountPath: /var/run/secrets/openshift/serviceaccount
           name: bound-sa-token
           readOnly: true
+        - mountPath: /tmp
+          name: tmp
       priorityClassName: system-cluster-critical
       serviceAccountName: cluster-image-registry-operator
       shareProcessNamespace: false
@@ -87,6 +91,8 @@ spec:
         operator: Exists
         tolerationSeconds: 120
       volumes:
+      - emptyDir: {}
+        name: tmp
       - name: image-registry-operator-tls
         secret:
           secretName: image-registry-operator-tls
diff --git a/manifests/07-operator.yaml b/manifests/07-operator.yaml
@@ -79,6 +79,8 @@ spec:
               value: /tmp/azurestackcloud.json
             - name: OPERATOR_IMAGE_VERSION
               value: 0.0.1-snapshot
+          securityContext:
+            readOnlyRootFilesystem: true
           terminationMessagePolicy: FallbackToLogsOnError
           volumeMounts:
             - name: trusted-ca
@@ -88,7 +90,11 @@ spec:
             - name: bound-sa-token
               mountPath: /var/run/secrets/openshift/serviceaccount
               readOnly: true
+            - name: tmp
+              mountPath: /tmp
       volumes:
+        - name: tmp
+          emptyDir: {}
         - name: image-registry-operator-tls
           secret:
             secretName: image-registry-operator-tls
diff --git a/pkg/resource/podtemplatespec.go b/pkg/resource/podtemplatespec.go
@@ -13,6 +13,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/intstr"
 	coreset "k8s.io/client-go/kubernetes/typed/core/v1"
+	"k8s.io/utils/ptr"
 
 	configapiv1 "github.com/openshift/api/config/v1"
 	v1 "github.com/openshift/api/imageregistry/v1"
@@ -511,6 +512,9 @@ func makePodTemplateSpec(coreClient coreset.CoreV1Interface, proxyLister configl
 						},
 					},
 					TerminationMessagePolicy: corev1.TerminationMessageFallbackToLogsOnError,
+					SecurityContext: &corev1.SecurityContext{
+						ReadOnlyRootFilesystem: ptr.To(true),
+					},
 				},
 			},
 			Volumes:                       volumes,
diff --git a/pkg/resource/prunercronjob.go b/pkg/resource/prunercronjob.go
@@ -13,6 +13,7 @@ import (
 	"k8s.io/apimachinery/pkg/runtime"
 	batchset "k8s.io/client-go/kubernetes/typed/batch/v1"
 	batchlisters "k8s.io/client-go/listers/batch/v1"
+	"k8s.io/utils/ptr"
 
 	imageregistryapiv1 "github.com/openshift/api/imageregistry/v1"
 	securityv1 "github.com/openshift/api/security/v1"
@@ -166,6 +167,9 @@ done
 											ReadOnly:  true,
 										},
 									},
+									SecurityContext: &kcorev1.SecurityContext{
+										ReadOnlyRootFilesystem: ptr.To(true),
+									},
 								},
 							},
 						},
