Merge pull request #1208 from dusk125/rofs

openshift-merge-bot[bot] · web-flow · commit a7d6e43ff019 · 2025-07-30T21:40:07.000Z
OTA-1480: Add readonlyRootFilesystem
diff --git a/bootstrap/bootstrap-pod.yaml b/bootstrap/bootstrap-pod.yaml
@@ -19,6 +19,7 @@ spec:
     - "--kubeconfig=/etc/kubernetes/kubeconfig"
     securityContext:
       privileged: true
+      readOnlyRootFilesystem: true
     terminationMessagePolicy: FallbackToLogsOnError
     volumeMounts:
     - mountPath: /etc/ssl/certs
diff --git a/install/0000_00_cluster-version-operator_03_deployment.yaml b/install/0000_00_cluster-version-operator_03_deployment.yaml
@@ -44,6 +44,8 @@ spec:
             cpu: 20m
             memory: 50Mi
         terminationMessagePolicy: FallbackToLogsOnError
+        securityContext:
+          readOnlyRootFilesystem: true
         volumeMounts:
         - mountPath: /etc/ssl/certs
           name: etc-ssl-certs
diff --git a/pkg/cvo/updatepayload.go b/pkg/cvo/updatepayload.go
@@ -208,7 +208,7 @@ func (r *payloadRetriever) fetchUpdatePayloadToDir(ctx context.Context, dir stri
 		}}
 		container.SecurityContext = &corev1.SecurityContext{
 			Privileged:             ptr.To(true),
-			ReadOnlyRootFilesystem: ptr.To(false),
+			ReadOnlyRootFilesystem: ptr.To(true),
 		}
 		container.Resources = corev1.ResourceRequirements{
 			Requests: corev1.ResourceList{
@@ -244,17 +244,19 @@ func (r *payloadRetriever) fetchUpdatePayloadToDir(ctx context.Context, dir stri
 					Command: []string{"mkdir", tmpDir},
 				}),
 				setContainerDefaults(corev1.Container{
-					Name: "move-operator-manifests-to-temporary-directory",
+					Name: "copy-operator-manifests-to-temporary-directory",
 					Command: []string{
-						"mv",
+						"cp",
+						"-r",
 						filepath.Join(payload.DefaultPayloadDir, payload.CVOManifestDir),
 						filepath.Join(tmpDir, payload.CVOManifestDir),
 					},
 				}),
 				setContainerDefaults(corev1.Container{
-					Name: "move-release-manifests-to-temporary-directory",
+					Name: "copy-release-manifests-to-temporary-directory",
 					Command: []string{
-						"mv",
+						"cp",
+						"-r",
 						filepath.Join(payload.DefaultPayloadDir, payload.ReleaseManifestDir),
 						filepath.Join(tmpDir, payload.ReleaseManifestDir),
 					},
diff --git a/pkg/payload/testdata/TestRenderManifest_expected_cvo_deployment.yaml b/pkg/payload/testdata/TestRenderManifest_expected_cvo_deployment.yaml
@@ -44,6 +44,8 @@ spec:
             cpu: 20m
             memory: 50Mi
         terminationMessagePolicy: FallbackToLogsOnError
+        securityContext:
+          readOnlyRootFilesystem: true
         volumeMounts:
         - mountPath: /etc/ssl/certs
           name: etc-ssl-certs
