Enable readonlyRootFilesystem by default

dusk125 · dusk125 · commit 2be3df93a8b4 · 2025-07-24T11:58:14.000-04:00
diff --git a/manifests/0000_50_olm_06-psm-operator.deployment.ibm-cloud-managed.yaml b/manifests/0000_50_olm_06-psm-operator.deployment.ibm-cloud-managed.yaml
@@ -41,6 +41,7 @@ spec:
           name: kube-rbac-proxy
           securityContext:
             allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
             capabilities:
               drop: ["ALL"]
           ports:
@@ -59,6 +60,7 @@ spec:
         - name: package-server-manager
           securityContext:
             allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
             capabilities:
               drop: ["ALL"]
           command:
diff --git a/manifests/0000_50_olm_06-psm-operator.deployment.yaml b/manifests/0000_50_olm_06-psm-operator.deployment.yaml
@@ -41,6 +41,7 @@ spec:
           name: kube-rbac-proxy
           securityContext:
             allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
             capabilities:
               drop: ["ALL"]
           ports:
@@ -59,6 +60,7 @@ spec:
         - name: package-server-manager
           securityContext:
             allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
             capabilities:
               drop: ["ALL"]
           command:
diff --git a/manifests/0000_50_olm_07-olm-operator.deployment.ibm-cloud-managed.yaml b/manifests/0000_50_olm_07-olm-operator.deployment.ibm-cloud-managed.yaml
@@ -40,6 +40,7 @@ spec:
         - name: olm-operator
           securityContext:
             allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
             capabilities:
               drop: ["ALL"]
           volumeMounts:
diff --git a/manifests/0000_50_olm_07-olm-operator.deployment.yaml b/manifests/0000_50_olm_07-olm-operator.deployment.yaml
@@ -39,6 +39,7 @@ spec:
         - name: olm-operator
           securityContext:
             allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
             capabilities:
               drop: ["ALL"]
           volumeMounts:
diff --git a/manifests/0000_50_olm_08-catalog-operator.deployment.ibm-cloud-managed.yaml b/manifests/0000_50_olm_08-catalog-operator.deployment.ibm-cloud-managed.yaml
@@ -40,6 +40,7 @@ spec:
         - name: catalog-operator
           securityContext:
             allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
             capabilities:
               drop: ["ALL"]
           volumeMounts:
diff --git a/manifests/0000_50_olm_08-catalog-operator.deployment.yaml b/manifests/0000_50_olm_08-catalog-operator.deployment.yaml
@@ -39,6 +39,7 @@ spec:
         - name: catalog-operator
           securityContext:
             allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
             capabilities:
               drop: ["ALL"]
           volumeMounts:
diff --git a/pkg/manifests/csv.yaml b/pkg/manifests/csv.yaml
@@ -114,6 +114,7 @@ spec:
                   - name: packageserver
                     securityContext:
                       allowPrivilegeEscalation: false
+                      readOnlyRootFilesystem: true
                       capabilities:
                         drop: ["ALL"]
                     command:
