Merge pull request #1864 from dusk125/rofs

RFE-4153: enabled readonly filesystem

Author: openshift-merge-bot[bot]

bindata/assets/kube-apiserver/pod.yaml

@@ -19,6 +19,8 @@ spec:
       volumeMounts:
         - mountPath: /var/log/kube-apiserver
           name: audit-dir
+        - mountPath: /tmp
+          name: tmp-dir
       command: ['/usr/bin/timeout', '{{.SetupContainerTimeoutDuration}}', '/bin/bash', '-ec']
       args:
       - |
@@ -60,6 +62,7 @@ spec:
         # We cannot hold the lock from the init container to the main container. We release it here. There is no risk, at this point we know we are safe.
         flock -u "${LOCK_FD}"
       securityContext:
+        readOnlyRootFilesystem: true
         privileged: true
       resources:
         requests:
@@ -98,6 +101,10 @@ spec:
       name: cert-dir
     - mountPath: /var/log/kube-apiserver
       name: audit-dir
+    - mountPath: /tmp
+      name: tmp-dir
+    - mountPath: /etc/pki/ca-trust/extracted/pem
+      name: ca-bundle-dir
     livenessProbe:
       httpGet:
         scheme: HTTPS
@@ -146,6 +153,7 @@ spec:
       - name: GOGC
         value: "{{ .GOGC }}"
     securityContext:
+      readOnlyRootFilesystem: true
       privileged: true
   - name: kube-apiserver-cert-syncer
     env:
@@ -169,11 +177,15 @@ spec:
       requests:
         memory: 50Mi
         cpu: 5m
+    securityContext:
+      readOnlyRootFilesystem: true
     volumeMounts:
     - mountPath: /etc/kubernetes/static-pod-resources
       name: resource-dir
     - mountPath: /etc/kubernetes/static-pod-certs
       name: cert-dir
+    - mountPath: /tmp
+      name: tmp-dir
   - name: kube-apiserver-cert-regeneration-controller
     env:
     - name: POD_NAMESPACE
@@ -194,9 +206,13 @@ spec:
       requests:
         memory: 50Mi
         cpu: 5m
+    securityContext:
+      readOnlyRootFilesystem: true
     volumeMounts:
     - mountPath: /etc/kubernetes/static-pod-resources
       name: resource-dir
+    - mountPath: /tmp
+      name: tmp-dir
   - name: kube-apiserver-insecure-readyz
     image: {{.OperatorImage}}
     imagePullPolicy: IfNotPresent
@@ -211,6 +227,8 @@ spec:
       requests:
         memory: 50Mi
         cpu: 5m
+    securityContext:
+      readOnlyRootFilesystem: true
   - name: kube-apiserver-check-endpoints
     image: {{.OperatorImage}}
     imagePullPolicy: IfNotPresent
@@ -241,6 +259,8 @@ spec:
         name: resource-dir
       - mountPath: /etc/kubernetes/static-pod-certs
         name: cert-dir
+      - mountPath: /tmp
+        name: tmp-dir
     ports:
       - name: check-endpoints
         hostPort: 17697
@@ -264,6 +284,8 @@ spec:
       requests:
         memory: 50Mi
         cpu: 10m
+    securityContext:
+      readOnlyRootFilesystem: true
   terminationGracePeriodSeconds: {{.GracefulTerminationDuration}}
   hostNetwork: true
   priorityClassName: system-node-critical
@@ -279,3 +301,7 @@ spec:
   - hostPath:
       path: /var/log/kube-apiserver
     name: audit-dir
+  - emptyDir: {}
+    name: tmp-dir
+  - emptyDir: {}
+    name: ca-bundle-dir

manifests/0000_20_kube-apiserver-operator_06_deployment.yaml

@@ -35,6 +35,7 @@ spec:
       - name: kube-apiserver-operator
         securityContext:
           allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
           capabilities:
             drop: ["ALL"]
         image: docker.io/openshift/origin-cluster-kube-apiserver-operator:v4.0
@@ -58,6 +59,8 @@ spec:
         - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
           name: kube-api-access
           readOnly: true
+        - mountPath: /tmp
+          name: tmp-dir
         env:
         - name: IMAGE
           value: quay.io/openshift/origin-hyperkube:v4.0
@@ -98,6 +101,8 @@ spec:
                   apiVersion: v1
                   fieldPath: metadata.namespace
                 path: namespace
+      - name: tmp-dir
+        emptyDir: {}
       nodeSelector:
         node-role.kubernetes.io/master: ""
       priorityClassName: "system-cluster-critical"