diff --git a/manifests/0000_50_olm_06-psm-operator.deployment.ibm-cloud-managed.yaml b/manifests/0000_50_olm_06-psm-operator.deployment.ibm-cloud-managed.yaml
index b92668250a..5511e685c7 100644
--- a/manifests/0000_50_olm_06-psm-operator.deployment.ibm-cloud-managed.yaml
+++ b/manifests/0000_50_olm_06-psm-operator.deployment.ibm-cloud-managed.yaml
@@ -41,6 +41,7 @@ spec:
 name: kube-rbac-proxy
 securityContext:
 allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
 capabilities:
 drop: ["ALL"]
 ports:
@@ -59,6 +60,7 @@ spec:
 - name: package-server-manager
 securityContext:
 allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
 capabilities:
 drop: ["ALL"]
 command:
diff --git a/manifests/0000_50_olm_06-psm-operator.deployment.yaml b/manifests/0000_50_olm_06-psm-operator.deployment.yaml
index 70f2d59203..a63f72ab6b 100644
--- a/manifests/0000_50_olm_06-psm-operator.deployment.yaml
+++ b/manifests/0000_50_olm_06-psm-operator.deployment.yaml
@@ -41,6 +41,7 @@ spec:
 name: kube-rbac-proxy
 securityContext:
 allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
 capabilities:
 drop: ["ALL"]
 ports:
@@ -59,6 +60,7 @@ spec:
 - name: package-server-manager
 securityContext:
 allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
 capabilities:
 drop: ["ALL"]
 command:
diff --git a/manifests/0000_50_olm_07-olm-operator.deployment.ibm-cloud-managed.yaml b/manifests/0000_50_olm_07-olm-operator.deployment.ibm-cloud-managed.yaml
index a9ee8f4a51..211fb469f3 100644
--- a/manifests/0000_50_olm_07-olm-operator.deployment.ibm-cloud-managed.yaml
+++ b/manifests/0000_50_olm_07-olm-operator.deployment.ibm-cloud-managed.yaml
@@ -40,6 +40,7 @@ spec:
 - name: olm-operator
 securityContext:
 allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
 capabilities:
 drop: ["ALL"]
 volumeMounts:
diff --git a/manifests/0000_50_olm_07-olm-operator.deployment.yaml b/manifests/0000_50_olm_07-olm-operator.deployment.yaml
index 05bd24878d..4cc12c36e9 100644
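Review bot: Nothing in the kube-rbac-proxy hunk of manifests/0000_50_olm_06-psm-operator.deployment.ibm-cloud-managed.yaml shows a writable mount to go with `readOnlyRootFilesystem: true`; the container spec continues outside the hunk, so this may already be handled. If any of these binaries writes to a path on the root filesystem (temporary files, caches, generated certificates), it will fail at runtime rather than at admission, so each container should either be confirmed to write nowhere or get an `emptyDir` mounted at the path it needs, for example `- name: tmp` with `mountPath: /tmp` under `volumeMounts`. The same applies to the package-server-manager, olm-operator, catalog-operator and packageserver hunks and their microshift-manifests copies. A comment next to the field naming the writable mounts the container relies on would keep the hardening from being reverted the first time a write fails.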
--- a/manifests/0000_50_olm_07-olm-operator.deployment.yaml
+++ b/manifests/0000_50_olm_07-olm-operator.deployment.yaml
@@ -39,6 +39,7 @@ spec:
 - name: olm-operator
 securityContext:
 allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
 capabilities:
 drop: ["ALL"]
 volumeMounts:
diff --git a/manifests/0000_50_olm_08-catalog-operator.deployment.ibm-cloud-managed.yaml b/manifests/0000_50_olm_08-catalog-operator.deployment.ibm-cloud-managed.yaml
index e646ea96cb..815c368766 100644
--- a/manifests/0000_50_olm_08-catalog-operator.deployment.ibm-cloud-managed.yaml
+++ b/manifests/0000_50_olm_08-catalog-operator.deployment.ibm-cloud-managed.yaml
@@ -40,6 +40,7 @@ spec:
 - name: catalog-operator
 securityContext:
 allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
 capabilities:
 drop: ["ALL"]
 volumeMounts:
diff --git a/manifests/0000_50_olm_08-catalog-operator.deployment.yaml b/manifests/0000_50_olm_08-catalog-operator.deployment.yaml
index e923733d8a..23834e350f 100644
--- a/manifests/0000_50_olm_08-catalog-operator.deployment.yaml
+++ b/manifests/0000_50_olm_08-catalog-operator.deployment.yaml
@@ -39,6 +39,7 @@ spec:
 - name: catalog-operator
 securityContext:
 allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
 capabilities:
 drop: ["ALL"]
 volumeMounts:
diff --git a/microshift-manifests/0000_50_olm_06-psm-operator.deployment.ibm-cloud-managed.yaml b/microshift-manifests/0000_50_olm_06-psm-operator.deployment.ibm-cloud-managed.yaml
index b92668250a..5511e685c7 100644
--- a/microshift-manifests/0000_50_olm_06-psm-operator.deployment.ibm-cloud-managed.yaml
+++ b/microshift-manifests/0000_50_olm_06-psm-operator.deployment.ibm-cloud-managed.yaml
@@ -41,6 +41,7 @@ spec:
 name: kube-rbac-proxy
 securityContext:
 allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
 capabilities:
 drop: ["ALL"]
 ports:
@@ -59,6 +60,7 @@ spec:
 - name: package-server-manager
 securityContext:
 allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
 capabilities:
 drop: ["ALL"]
 command:
diff --git a/microshift-manifests/0000_50_olm_06-psm-operator.deployment.yaml b/microshift-manifests/0000_50_olm_06-psm-operator.deployment.yaml
index 70f2d59203..a63f72ab6b 100644
--- a/microshift-manifests/0000_50_olm_06-psm-operator.deployment.yaml
+++ b/microshift-manifests/0000_50_olm_06-psm-operator.deployment.yaml
@@ -41,6 +41,7 @@ spec:
 name: kube-rbac-proxy
 securityContext:
 allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
 capabilities:
 drop: ["ALL"]
 ports:
@@ -59,6 +60,7 @@ spec:
 - name: package-server-manager
 securityContext:
 allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
 capabilities:
 drop: ["ALL"]
 command:
diff --git a/microshift-manifests/0000_50_olm_07-olm-operator.deployment.ibm-cloud-managed.yaml b/microshift-manifests/0000_50_olm_07-olm-operator.deployment.ibm-cloud-managed.yaml
index a9ee8f4a51..211fb469f3 100644
--- a/microshift-manifests/0000_50_olm_07-olm-operator.deployment.ibm-cloud-managed.yaml
+++ b/microshift-manifests/0000_50_olm_07-olm-operator.deployment.ibm-cloud-managed.yaml
@@ -40,6 +40,7 @@ spec:
 - name: olm-operator
 securityContext:
 allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
 capabilities:
 drop: ["ALL"]
 volumeMounts:
diff --git a/microshift-manifests/0000_50_olm_07-olm-operator.deployment.yaml b/microshift-manifests/0000_50_olm_07-olm-operator.deployment.yaml
index 2e9c360d9d..3d7dac67fe 100644
--- a/microshift-manifests/0000_50_olm_07-olm-operator.deployment.yaml
+++ b/microshift-manifests/0000_50_olm_07-olm-operator.deployment.yaml
@@ -39,6 +39,7 @@ spec:
 - name: olm-operator
 securityContext:
 allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
 capabilities:
 drop: ["ALL"]
 volumeMounts:
diff --git a/microshift-manifests/0000_50_olm_08-catalog-operator.deployment.ibm-cloud-managed.yaml b/microshift-manifests/0000_50_olm_08-catalog-operator.deployment.ibm-cloud-managed.yaml
index e646ea96cb..815c368766 100644
--- a/microshift-manifests/0000_50_olm_08-catalog-operator.deployment.ibm-cloud-managed.yaml
+++ b/microshift-manifests/0000_50_olm_08-catalog-operator.deployment.ibm-cloud-managed.yaml
@@ -40,6 +40,7 @@ spec:
 - name: catalog-operator
 securityContext:
 allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
 capabilities:
 drop: ["ALL"]
 volumeMounts:
diff --git a/microshift-manifests/0000_50_olm_08-catalog-operator.deployment.yaml b/microshift-manifests/0000_50_olm_08-catalog-operator.deployment.yaml
index e923733d8a..23834e350f 100644
--- a/microshift-manifests/0000_50_olm_08-catalog-operator.deployment.yaml
+++ b/microshift-manifests/0000_50_olm_08-catalog-operator.deployment.yaml
@@ -39,6 +39,7 @@ spec:
 - name: catalog-operator
 securityContext:
 allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
 capabilities:
 drop: ["ALL"]
 volumeMounts:
diff --git a/pkg/manifests/csv.yaml b/pkg/manifests/csv.yaml
index 2fcf86353f..c077a62ae0 100644
--- a/pkg/manifests/csv.yaml
+++ b/pkg/manifests/csv.yaml
@@ -114,6 +114,7 @@ spec:
 - name: packageserver
 securityContext:
 allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
 capabilities:
 drop: ["ALL"]
 command:
diff --git a/scripts/catalog-deployment.patch.yaml b/scripts/catalog-deployment.patch.yaml
index bba2481abc..7633ce38f8 100644
--- a/scripts/catalog-deployment.patch.yaml
+++ b/scripts/catalog-deployment.patch.yaml
@@ -15,6 +15,7 @@
 path: spec.template.spec.containers[*].securityContext
 value:
 allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
 capabilities:
 drop: ["ALL"]
 - command: update
diff --git a/scripts/generate_crds_manifests.sh b/scripts/generate_crds_manifests.sh
index f159e6250a..69a30bcd6b 100755
--- a/scripts/generate_crds_manifests.sh
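Review bot: The `value:` mapping in scripts/catalog-deployment.patch.yaml is written to `spec.template.spec.containers[*].securityContext`, so it appears to set the whole securityContext of every container the path matches, including any container added to the deployment later; the patch entry starts outside the hunk, so the command in use is not visible here. That makes a read-only root filesystem an implicit requirement for future sidecars and could drop a per-container field set upstream. I would add a comment above the entry such as `# Applied to every container: each must tolerate a read-only root filesystem and all capabilities dropped.` scripts/olm-deployment.patch.yaml and scripts/packageserver-deployment.patch.yaml use the same wildcard form.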
+++ b/scripts/generate_crds_manifests.sh
@@ -202,6 +202,7 @@ spec:
 name: kube-rbac-proxy
 securityContext:
 allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
 capabilities:
 drop: ["ALL"]
 ports:
@@ -220,6 +221,7 @@ spec:
 - name: package-server-manager
 securityContext:
 allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
 capabilities:
 drop: ["ALL"]
 command:
diff --git a/scripts/olm-deployment.patch.yaml b/scripts/olm-deployment.patch.yaml
index 7db75ae51d..0fb75c5066 100644
--- a/scripts/olm-deployment.patch.yaml
+++ b/scripts/olm-deployment.patch.yaml
@@ -23,6 +23,7 @@
 path: spec.template.spec.containers[*].securityContext
 value:
 allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
 capabilities:
 drop: ["ALL"]
 - command: update
diff --git a/scripts/packageserver-deployment.patch.yaml b/scripts/packageserver-deployment.patch.yaml
index 2e5c2456eb..da73dcae71 100644
--- a/scripts/packageserver-deployment.patch.yaml
+++ b/scripts/packageserver-deployment.patch.yaml
@@ -40,6 +40,7 @@
 path: spec.install.spec.deployments[0].spec.template.spec.containers[*].securityContext
 value:
 allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
 capabilities:
 drop: ["ALL"]
 - command: update
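Review bot: The two hunks in scripts/generate_crds_manifests.sh change what looks like an inline copy of the package-server-manager Deployment, which means the same `readOnlyRootFilesystem: true` line is now maintained by hand in the script, in the scripts/*.patch.yaml files and in the checked-in manifests. If the manifests and microshift-manifests directories are generated from this script, a short comment at the top of the embedded block, for example `# manifests/ and microshift-manifests/ are generated from this block; edit here and regenerate`, would stop a later edit to the outputs from being silently overwritten and losing the hardening. The embedded block starts and ends outside both hunks.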