Merge pull request #809 from TheRealJon/CONSOLE-3791

openshift-merge-bot[bot] · web-flow · commit 91f51dca3575 · 2023-11-29T15:40:43.000Z
CONSOLE-3791: Add "readOnlyRootFilesystem" to all console conta…
diff --git a/bindata/assets/deployments/console-deployment.yaml b/bindata/assets/deployments/console-deployment.yaml
@@ -55,6 +55,7 @@ spec:
                   - "25"
           name: console
           securityContext:
+            readOnlyRootFilesystem: false
             allowPrivilegeEscalation: false
             capabilities:
               drop:
diff --git a/bindata/assets/deployments/downloads-deployment.yaml b/bindata/assets/deployments/downloads-deployment.yaml
@@ -46,6 +46,7 @@ spec:
             failureThreshold: 3
           name: download-server
           securityContext:
+            readOnlyRootFilesystem: false
             allowPrivilegeEscalation: false
             capabilities:
               drop:
diff --git a/manifests/07-operator-ibm-cloud-managed.yaml b/manifests/07-operator-ibm-cloud-managed.yaml
@@ -64,6 +64,7 @@ spec:
           capabilities:
             drop:
             - ALL
+          readOnlyRootFilesystem: true
         terminationMessagePolicy: FallbackToLogsOnError
         volumeMounts:
         - mountPath: /var/run/configmaps/config
@@ -102,6 +103,7 @@ spec:
           capabilities:
             drop:
             - ALL
+          readOnlyRootFilesystem: true
         terminationMessagePolicy: FallbackToLogsOnError
         volumeMounts:
         - mountPath: /var/run/configmaps/config
diff --git a/manifests/07-operator.yaml b/manifests/07-operator.yaml
@@ -43,6 +43,7 @@ spec:
       containers:
       - name: console-operator
         securityContext:
+          readOnlyRootFilesystem: true
           allowPrivilegeEscalation: false
           capabilities:
             drop: ["ALL"]
@@ -92,6 +93,7 @@ spec:
             scheme: HTTPS
       - name: conversion-webhook-server
         securityContext:
+          readOnlyRootFilesystem: true
           allowPrivilegeEscalation: false
           capabilities:
             drop: ["ALL"]
diff --git a/pkg/console/subresource/deployment/deployment_test.go b/pkg/console/subresource/deployment/deployment_test.go
@@ -1415,6 +1415,7 @@ func TestDefaultDownloadsDeployment(t *testing.T) {
 				},
 				Args: downloadsDeploymentTemplate.Spec.Template.Spec.Containers[0].Args,
 				SecurityContext: &corev1.SecurityContext{
+					ReadOnlyRootFilesystem: utilpointer.Bool(false),
 					Capabilities: &corev1.Capabilities{
 						Drop: []corev1.Capability{
 							"ALL",
