Add tmp emptydir mounting

Author: dusk125

bindata/assets/kube-apiserver/pod.yaml

@@ -19,6 +19,8 @@ spec:
       volumeMounts:
         - mountPath: /var/log/kube-apiserver
           name: audit-dir
+        - mountPath: /tmp
+          name: tmp-dir
       command: ['/usr/bin/timeout', '{{.SetupContainerTimeoutDuration}}', '/bin/bash', '-ec']
       args:
       - |
@@ -60,6 +62,7 @@ spec:
         # We cannot hold the lock from the init container to the main container. We release it here. There is no risk, at this point we know we are safe.
         flock -u "${LOCK_FD}"
       securityContext:
+        readOnlyRootFilesystem: true
         privileged: true
       resources:
         requests:
@@ -98,6 +101,8 @@ spec:
       name: cert-dir
     - mountPath: /var/log/kube-apiserver
       name: audit-dir
+    - mountPath: /tmp
+      name: tmp-dir
     livenessProbe:
       httpGet:
         scheme: HTTPS
@@ -177,6 +182,8 @@ spec:
       name: resource-dir
     - mountPath: /etc/kubernetes/static-pod-certs
       name: cert-dir
+    - mountPath: /tmp
+      name: tmp-dir
   - name: kube-apiserver-cert-regeneration-controller
     env:
     - name: POD_NAMESPACE
@@ -202,6 +209,8 @@ spec:
     volumeMounts:
     - mountPath: /etc/kubernetes/static-pod-resources
       name: resource-dir
+    - mountPath: /tmp
+      name: tmp-dir
   - name: kube-apiserver-insecure-readyz
     image: {{.OperatorImage}}
     imagePullPolicy: IfNotPresent
@@ -248,6 +257,8 @@ spec:
         name: resource-dir
       - mountPath: /etc/kubernetes/static-pod-certs
         name: cert-dir
+      - mountPath: /tmp
+        name: tmp-dir
     ports:
       - name: check-endpoints
         hostPort: 17697
@@ -288,3 +299,5 @@ spec:
   - hostPath:
       path: /var/log/kube-apiserver
     name: audit-dir
+  - emptyDir: {}
+    name: tmp-dir

bindata/bootkube/bootstrap-manifests/kube-apiserver-pod.yaml

@@ -69,6 +69,8 @@ spec:
       name: logs
     - mountPath: /var/log/kube-apiserver
       name: audit-dir
+    - mountPath: /tmp
+      name: tmp-dir
     livenessProbe:
       httpGet:
         scheme: HTTPS
@@ -142,3 +144,5 @@ spec:
   - hostPath:
       path: /var/log/kube-apiserver
     name: audit-dir
+  - emptyDir: {}
+    name: tmp-dir

manifests/0000_20_kube-apiserver-operator_06_deployment.yaml

@@ -59,6 +59,8 @@ spec:
         - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
           name: kube-api-access
           readOnly: true
+        - mountPath: /tmp
+          name: tmp-dir
         env:
         - name: IMAGE
           value: quay.io/openshift/origin-hyperkube:v4.0
@@ -99,6 +101,8 @@ spec:
                   apiVersion: v1
                   fieldPath: metadata.namespace
                 path: namespace
+      - name: tmp-dir
+        emptyDir: {}
       nodeSelector:
         node-role.kubernetes.io/master: ""
       priorityClassName: "system-cluster-critical"