Expand Up @@ -35,10 +35,13 @@ spec:
secret:
secretName: {{ .Values.olm.clientCASecret }}
{{- end }}
- name: tmpfs
emptyDir: {}
containers:
- name: olm-operator
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities:
drop: [ "ALL" ]
{{- if or .Values.olm.tlsSecret .Values.olm.clientCASecret }}
Expand All @@ -54,6 +57,8 @@ spec:
mountPath: "/profile-collector-cert"
readOnly: true
{{- end }}
- name: tmpfs
mountPath: /tmp
command:
- /bin/olm
args:
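Review bot: The `emptyDir: {}` added for the `tmpfs` volume in the first hunk (just after `secretName`) carries no `sizeLimit`, so the writable `/tmp` that remains under the now read-only root is unbounded and a runaway or compromised process can still fill node disk; bounding it keeps the intent of the hardening, e.g. `emptyDir: { sizeLimit: <LIMIT> }` with a value sized for what olm-operator actually writes there. The name `tmpfs` also suggests memory backing, but a plain `emptyDir` is node-disk backed unless `medium: Memory` is set, so either rename the volume or add the medium (in which case its usage counts against the container's memory limit). The same two points apply to the identical hunks in the catalog-operator template that follows. The pod spec these hunks belong to starts before the first hunk and continues past the second.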
Expand Up @@ -35,10 +35,13 @@ spec:
secret:
secretName: {{ .Values.catalog.clientCASecret }}
{{- end }}
- name: tmpfs
emptyDir: {}
containers:
- name: catalog-operator
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities:
drop: [ "ALL" ]
{{- if or .Values.catalog.tlsSecret .Values.catalog.clientCASecret }}
Expand All @@ -54,6 +57,8 @@ spec:
mountPath: "/profile-collector-cert"
readOnly: true
{{- end }}
- name: tmpfs
mountPath: /tmp
command:
- /bin/catalog
args:
1 change: 1 addition & 0 deletions deploy/chart/templates/_packageserver.deployment-spec.yaml
Expand Up @@ -31,6 +31,7 @@ spec:
- name: packageserver
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities:
drop: [ "ALL" ]
command:
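Review bot: `readOnlyRootFilesystem: true` is added to the packageserver container without a companion writable volume, unlike the olm-operator and catalog-operator templates in this PR, which mount an `emptyDir` at `/tmp` alongside the same flag. If the packageserver binary writes anywhere on its root filesystem at runtime (temporary files, generated serving material), those writes will now fail at run time with a read-only filesystem error rather than being caught at render time; the hunk does not show whether it does, so that was presumably verified and is worth recording next to the field, e.g. `# packageserver needs no scratch space; no /tmp volume mounted`. The container spec continues outside the hunk.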
3 changes: 3 additions & 0 deletions pkg/controller/bundle/bundle_unpacker.go
Expand Up @@ -154,6 +154,7 @@ func (c *ConfigMapUnpacker) job(cmRef *corev1.ObjectReference, bundlePath string
},
SecurityContext: &corev1.SecurityContext{
AllowPrivilegeEscalation: ptr.To(bool(false)),
ReadOnlyRootFilesystem: ptr.To(true),
Capabilities: &corev1.Capabilities{
Drop: []corev1.Capability{"ALL"},
},
Expand All @@ -180,6 +181,7 @@ func (c *ConfigMapUnpacker) job(cmRef *corev1.ObjectReference, bundlePath string
},
SecurityContext: &corev1.SecurityContext{
AllowPrivilegeEscalation: ptr.To(bool(false)),
ReadOnlyRootFilesystem: ptr.To(true),
Capabilities: &corev1.Capabilities{
Drop: []corev1.Capability{"ALL"},
},
Expand Down Expand Up @@ -209,6 +211,7 @@ func (c *ConfigMapUnpacker) job(cmRef *corev1.ObjectReference, bundlePath string
},
SecurityContext: &corev1.SecurityContext{
AllowPrivilegeEscalation: ptr.To(bool(false)),
ReadOnlyRootFilesystem: ptr.To(true),
Capabilities: &corev1.Capabilities{
Drop: []corev1.Capability{"ALL"},
},
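Review bot: The `SecurityContext` literal is now repeated verbatim in all three container specs of `job` (one per hunk), so the next hardening field added can again be missed on one of them, exactly the situation this PR is fixing for `ReadOnlyRootFilesystem`. A small helper returning the `AllowPrivilegeEscalation`/`ReadOnlyRootFilesystem`/`Capabilities` trio, used at each of the three sites, keeps them in lock-step and gives one place to document why a read-only root is safe for these containers. The hunks do not show the volume mounts, so whether every container writes only to mounted volumes should be checked against the rest of `job`, which starts before the first hunk and ends after the third. `ptr.To(bool(false))` could also become `ptr.To(false)` as the adjacent line already does.
```go
// restrictedSecurityContext returns the security context applied to every
// container of the unpack job; keep all hardening fields here so a container
// cannot silently miss one.
func restrictedSecurityContext() *corev1.SecurityContext {
	return &corev1.SecurityContext{
		AllowPrivilegeEscalation: ptr.To(false),
		ReadOnlyRootFilesystem:   ptr.To(true),
		Capabilities: &corev1.Capabilities{
			Drop: []corev1.Capability{"ALL"},
		},
	}
}
// … unchanged: in job, each of the three containers sets SecurityContext: restrictedSecurityContext() …
```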
18 changes: 18 additions & 0 deletions pkg/controller/bundle/bundle_unpacker_test.go
Expand Up @@ -308,6 +308,7 @@ func TestConfigMapUnpacker(t *testing.T) {
},
SecurityContext: &corev1.SecurityContext{
AllowPrivilegeEscalation: ptr.To(bool(false)),
ReadOnlyRootFilesystem: ptr.To(true),
Capabilities: &corev1.Capabilities{
Drop: []corev1.Capability{"ALL"},
},
Expand All @@ -334,6 +335,7 @@ func TestConfigMapUnpacker(t *testing.T) {
},
SecurityContext: &corev1.SecurityContext{
AllowPrivilegeEscalation: ptr.To(bool(false)),
ReadOnlyRootFilesystem: ptr.To(true),
Capabilities: &corev1.Capabilities{
Drop: []corev1.Capability{"ALL"},
},
Expand Down Expand Up @@ -363,6 +365,7 @@ func TestConfigMapUnpacker(t *testing.T) {
},
SecurityContext: &corev1.SecurityContext{
AllowPrivilegeEscalation: ptr.To(bool(false)),
ReadOnlyRootFilesystem: ptr.To(true),
Capabilities: &corev1.Capabilities{
Drop: []corev1.Capability{"ALL"},
},
Expand Down Expand Up @@ -524,6 +527,7 @@ func TestConfigMapUnpacker(t *testing.T) {
},
SecurityContext: &corev1.SecurityContext{
AllowPrivilegeEscalation: ptr.To(bool(false)),
ReadOnlyRootFilesystem: ptr.To(true),
Capabilities: &corev1.Capabilities{
Drop: []corev1.Capability{"ALL"},
},
Expand All @@ -550,6 +554,7 @@ func TestConfigMapUnpacker(t *testing.T) {
},
SecurityContext: &corev1.SecurityContext{
AllowPrivilegeEscalation: ptr.To(bool(false)),
ReadOnlyRootFilesystem: ptr.To(true),
Capabilities: &corev1.Capabilities{
Drop: []corev1.Capability{"ALL"},
},
Expand Down Expand Up @@ -579,6 +584,7 @@ func TestConfigMapUnpacker(t *testing.T) {
},
SecurityContext: &corev1.SecurityContext{
AllowPrivilegeEscalation: ptr.To(bool(false)),
ReadOnlyRootFilesystem: ptr.To(true),
Capabilities: &corev1.Capabilities{
Drop: []corev1.Capability{"ALL"},
},
Expand Down Expand Up @@ -780,6 +786,7 @@ func TestConfigMapUnpacker(t *testing.T) {
},
SecurityContext: &corev1.SecurityContext{
AllowPrivilegeEscalation: ptr.To(bool(false)),
ReadOnlyRootFilesystem: ptr.To(true),
Capabilities: &corev1.Capabilities{
Drop: []corev1.Capability{"ALL"},
},
Expand All @@ -806,6 +813,7 @@ func TestConfigMapUnpacker(t *testing.T) {
},
SecurityContext: &corev1.SecurityContext{
AllowPrivilegeEscalation: ptr.To(bool(false)),
ReadOnlyRootFilesystem: ptr.To(true),
Capabilities: &corev1.Capabilities{
Drop: []corev1.Capability{"ALL"},
},
Expand Down Expand Up @@ -835,6 +843,7 @@ func TestConfigMapUnpacker(t *testing.T) {
},
SecurityContext: &corev1.SecurityContext{
AllowPrivilegeEscalation: ptr.To(bool(false)),
ReadOnlyRootFilesystem: ptr.To(true),
Capabilities: &corev1.Capabilities{
Drop: []corev1.Capability{"ALL"},
},
Expand Down Expand Up @@ -1031,6 +1040,7 @@ func TestConfigMapUnpacker(t *testing.T) {
},
SecurityContext: &corev1.SecurityContext{
AllowPrivilegeEscalation: ptr.To(bool(false)),
ReadOnlyRootFilesystem: ptr.To(true),
Capabilities: &corev1.Capabilities{
Drop: []corev1.Capability{"ALL"},
},
Expand All @@ -1057,6 +1067,7 @@ func TestConfigMapUnpacker(t *testing.T) {
},
SecurityContext: &corev1.SecurityContext{
AllowPrivilegeEscalation: ptr.To(bool(false)),
ReadOnlyRootFilesystem: ptr.To(true),
Capabilities: &corev1.Capabilities{
Drop: []corev1.Capability{"ALL"},
},
Expand Down Expand Up @@ -1086,6 +1097,7 @@ func TestConfigMapUnpacker(t *testing.T) {
},
SecurityContext: &corev1.SecurityContext{
AllowPrivilegeEscalation: ptr.To(bool(false)),
ReadOnlyRootFilesystem: ptr.To(true),
Capabilities: &corev1.Capabilities{
Drop: []corev1.Capability{"ALL"},
},
Expand Down Expand Up @@ -1252,6 +1264,7 @@ func TestConfigMapUnpacker(t *testing.T) {
},
SecurityContext: &corev1.SecurityContext{
AllowPrivilegeEscalation: ptr.To(bool(false)),
ReadOnlyRootFilesystem: ptr.To(true),
Capabilities: &corev1.Capabilities{
Drop: []corev1.Capability{"ALL"},
},
Expand All @@ -1278,6 +1291,7 @@ func TestConfigMapUnpacker(t *testing.T) {
},
SecurityContext: &corev1.SecurityContext{
AllowPrivilegeEscalation: ptr.To(bool(false)),
ReadOnlyRootFilesystem: ptr.To(true),
Capabilities: &corev1.Capabilities{
Drop: []corev1.Capability{"ALL"},
},
Expand Down Expand Up @@ -1307,6 +1321,7 @@ func TestConfigMapUnpacker(t *testing.T) {
},
SecurityContext: &corev1.SecurityContext{
AllowPrivilegeEscalation: ptr.To(bool(false)),
ReadOnlyRootFilesystem: ptr.To(true),
Capabilities: &corev1.Capabilities{
Drop: []corev1.Capability{"ALL"},
},
Expand Down Expand Up @@ -1486,6 +1501,7 @@ func TestConfigMapUnpacker(t *testing.T) {
},
SecurityContext: &corev1.SecurityContext{
AllowPrivilegeEscalation: ptr.To(bool(false)),
ReadOnlyRootFilesystem: ptr.To(true),
Capabilities: &corev1.Capabilities{
Drop: []corev1.Capability{"ALL"},
},
Expand All @@ -1512,6 +1528,7 @@ func TestConfigMapUnpacker(t *testing.T) {
},
SecurityContext: &corev1.SecurityContext{
AllowPrivilegeEscalation: ptr.To(bool(false)),
ReadOnlyRootFilesystem: ptr.To(true),
Capabilities: &corev1.Capabilities{
Drop: []corev1.Capability{"ALL"},
},
Expand Down Expand Up @@ -1541,6 +1558,7 @@ func TestConfigMapUnpacker(t *testing.T) {
},
SecurityContext: &corev1.SecurityContext{
AllowPrivilegeEscalation: ptr.To(bool(false)),
ReadOnlyRootFilesystem: ptr.To(true),
Capabilities: &corev1.Capabilities{
Drop: []corev1.Capability{"ALL"},
},
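Review bot: The expected fixtures in `TestConfigMapUnpacker` now repeat the production `SecurityContext` literal eighteen times, so the test only proves the fixture was edited in step with the code; a container added to `job` without the hardening fields is caught only if someone also remembers to extend the fixture the same way. A single assertion that ranges over every init container and container of the produced pod spec and requires `ReadOnlyRootFilesystem` true and `AllowPrivilegeEscalation` false would catch that directly and survive future field additions without eighteen more edits. `TestConfigMapUnpacker` starts before the first hunk and ends after the last.
```go
// assertHardened fails if any container of spec lacks the baseline hardening,
// independent of what the struct-equality fixtures enumerate.
func assertHardened(t *testing.T, spec corev1.PodSpec) {
	t.Helper()
	for _, list := range [][]corev1.Container{spec.InitContainers, spec.Containers} {
		for _, c := range list {
			sc := c.SecurityContext
			if sc == nil || sc.ReadOnlyRootFilesystem == nil || !*sc.ReadOnlyRootFilesystem {
				t.Errorf("container %q: ReadOnlyRootFilesystem is not true", c.Name)
			}
			if sc == nil || sc.AllowPrivilegeEscalation == nil || *sc.AllowPrivilegeEscalation {
				t.Errorf("container %q: AllowPrivilegeEscalation is not false", c.Name)
			}
		}
	}
}
// … unchanged: existing fixture-based cases; call assertHardened on the job's pod template spec in each …
```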
4 changes: 3 additions & 1 deletion pkg/controller/registry/reconciler/reconciler.go
Expand Up @@ -191,7 +191,7 @@ func Pod(source *operatorsv1alpha1.CatalogSource, name, opmImg, utilImage, img s
},
},
SecurityContext: &corev1.SecurityContext{
ReadOnlyRootFilesystem: ptr.To(false),
ReadOnlyRootFilesystem: ptr.To(true),
},
ImagePullPolicy: image.InferImagePullPolicy(img),
TerminationMessagePolicy: corev1.TerminationMessageFallbackToLogsOnError,
Expand Down Expand Up @@ -361,6 +361,7 @@ func addSecurityContext(pod *corev1.Pod, runAsUser int64) {
pod.Spec.InitContainers[i].SecurityContext = &corev1.SecurityContext{}
}
pod.Spec.InitContainers[i].SecurityContext.AllowPrivilegeEscalation = ptr.To(false)
pod.Spec.InitContainers[i].SecurityContext.ReadOnlyRootFilesystem = ptr.To(true)
pod.Spec.InitContainers[i].SecurityContext.Capabilities = &corev1.Capabilities{
Drop: []corev1.Capability{"ALL"},
}
Expand All @@ -370,6 +371,7 @@ func addSecurityContext(pod *corev1.Pod, runAsUser int64) {
pod.Spec.Containers[i].SecurityContext = &corev1.SecurityContext{}
}
pod.Spec.Containers[i].SecurityContext.AllowPrivilegeEscalation = ptr.To(false)
pod.Spec.Containers[i].SecurityContext.ReadOnlyRootFilesystem = ptr.To(true)
pod.Spec.Containers[i].SecurityContext.Capabilities = &corev1.Capabilities{
Drop: []corev1.Capability{"ALL"},
}
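Review bot: In `Pod` (first hunk) `ReadOnlyRootFilesystem: ptr.To(true)` is the only field in that container's `SecurityContext`, whereas `addSecurityContext` (second hunk) sets the full `AllowPrivilegeEscalation`/`ReadOnlyRootFilesystem`/`Capabilities` set on every container; if `addSecurityContext` is not applied on every path that builds this pod — the call site is not visible in these hunks — that container ends up with a read-only root but no privilege-escalation or capability restrictions, so it is worth confirming the flip from `false` to `true` is all that path needs. A read-only root also means anything the serving binary writes at runtime must land on a mounted volume, which the hunk does not show; a comment at the changed line such as `// root fs is read-only; any runtime writes must go to a mounted volume` records that invariant for the next change. Note that `addSecurityContext` now unconditionally overwrites whatever `ReadOnlyRootFilesystem` a caller had set, consistent with how it already treats `AllowPrivilegeEscalation`. Both `Pod` and `addSecurityContext` extend outside their hunks.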