RFE-4153: enabled readonly filesystem

dusk125 · dusk125 · commit 2e3f2a06294d · 2025-07-08T13:09:51.000-04:00
diff --git a/bindata/assets/kube-apiserver/pod.yaml b/bindata/assets/kube-apiserver/pod.yaml
@@ -146,6 +146,7 @@ spec:
       - name: GOGC
         value: "{{ .GOGC }}"
     securityContext:
+      readOnlyRootFilesystem: true
       privileged: true
   - name: kube-apiserver-cert-syncer
     env:
@@ -169,6 +170,8 @@ spec:
       requests:
         memory: 50Mi
         cpu: 5m
+    securityContext:
+      readOnlyRootFilesystem: true
     volumeMounts:
     - mountPath: /etc/kubernetes/static-pod-resources
       name: resource-dir
@@ -194,6 +197,8 @@ spec:
       requests:
         memory: 50Mi
         cpu: 5m
+    securityContext:
+      readOnlyRootFilesystem: true
     volumeMounts:
     - mountPath: /etc/kubernetes/static-pod-resources
       name: resource-dir
@@ -211,6 +216,8 @@ spec:
       requests:
         memory: 50Mi
         cpu: 5m
+    securityContext:
+      readOnlyRootFilesystem: true
   - name: kube-apiserver-check-endpoints
     image: {{.OperatorImage}}
     imagePullPolicy: IfNotPresent
@@ -264,6 +271,8 @@ spec:
       requests:
         memory: 50Mi
         cpu: 10m
+    securityContext:
+      readOnlyRootFilesystem: true
   terminationGracePeriodSeconds: {{.GracefulTerminationDuration}}
   hostNetwork: true
   priorityClassName: system-node-critical
diff --git a/bindata/bootkube/bootstrap-manifests/kube-apiserver-pod.yaml b/bindata/bootkube/bootstrap-manifests/kube-apiserver-pod.yaml
@@ -50,6 +50,8 @@ spec:
       requests:
         memory: 1Gi
         cpu: 265m
+    securityContext:
+      readOnlyRootFilesystem: true
     volumeMounts:
     - mountPath: /etc/ssl/certs
       name: ssl-certs-host
@@ -117,6 +119,8 @@ spec:
       requests:
         memory: 50Mi
         cpu: 5m
+    securityContext:
+      readOnlyRootFilesystem: true
 {{end}}
   terminationGracePeriodSeconds: {{ .TerminationGracePeriodSeconds }}
   volumes:
diff --git a/manifests/0000_20_kube-apiserver-operator_06_deployment.yaml b/manifests/0000_20_kube-apiserver-operator_06_deployment.yaml
@@ -35,6 +35,7 @@ spec:
       - name: kube-apiserver-operator
         securityContext:
           allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
           capabilities:
             drop: ["ALL"]
         image: docker.io/openshift/origin-cluster-kube-apiserver-operator:v4.0
