OTA-1480: Add readonlyRootFilesystem

dusk125 · dusk125 · commit 6c94535f2eec · 2025-07-02T10:48:23.000-04:00
diff --git a/bootstrap/bootstrap-pod.yaml b/bootstrap/bootstrap-pod.yaml
@@ -19,6 +19,7 @@ spec:
     - "--kubeconfig=/etc/kubernetes/kubeconfig"
     securityContext:
       privileged: true
+      readOnlyRootFilesystem: true
     terminationMessagePolicy: FallbackToLogsOnError
     volumeMounts:
     - mountPath: /etc/ssl/certs
diff --git a/install/0000_00_cluster-version-operator_03_deployment.yaml b/install/0000_00_cluster-version-operator_03_deployment.yaml
@@ -44,6 +44,8 @@ spec:
             cpu: 20m
             memory: 50Mi
         terminationMessagePolicy: FallbackToLogsOnError
+        securityContext:
+          readOnlyRootFilesystem: true
         volumeMounts:
         - mountPath: /etc/ssl/certs
           name: etc-ssl-certs
diff --git a/pkg/cvo/updatepayload.go b/pkg/cvo/updatepayload.go
@@ -264,6 +264,9 @@ func (r *payloadRetriever) fetchUpdatePayloadToDir(ctx context.Context, dir stri
 				setContainerDefaults(corev1.Container{
 					Name:    "rename-to-final-location",
 					Command: []string{"mv", tmpDir, dir},
+					SecurityContext: &corev1.SecurityContext{
+						ReadOnlyRootFilesystem: ptr.To(true),
+					},
 				}),
 			},
 			Volumes: []corev1.Volume{{
diff --git a/pkg/payload/testdata/TestRenderManifest_expected_cvo_deployment.yaml b/pkg/payload/testdata/TestRenderManifest_expected_cvo_deployment.yaml
@@ -44,6 +44,8 @@ spec:
             cpu: 20m
             memory: 50Mi
         terminationMessagePolicy: FallbackToLogsOnError
+        securityContext:
+          readOnlyRootFilesystem: true
         volumeMounts:
         - mountPath: /etc/ssl/certs
           name: etc-ssl-certs
