deploy: add patch for stricter pod security

tjohnson31415 · njhill · commit 541d0ae9645c · 2023-09-28T14:59:47.000-07:00
Signed-off-by: Travis Johnson &lt;tsjohnso@us.ibm.com&gt;
diff --git a/deployment/base/deployment.yaml b/deployment/base/deployment.yaml
@@ -23,6 +23,7 @@ spec:
 
           securityContext:
             allowPrivilegeEscalation: false
+            privileged: false
             runAsNonRoot: true
             seccompProfile:
               type: RuntimeDefault
diff --git a/deployment/base/patches/read-only-root-filesystem.yaml b/deployment/base/patches/read-only-root-filesystem.yaml
@@ -0,0 +1,21 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: inference-server
+spec:
+  template:
+    spec:
+      containers:
+        - name: server
+          env:
+            # set base directory for caches
+            - name: HF_HOME
+              value: /tmp/
+          securityContext:
+            readOnlyRootFilesystem: true
+          volumeMounts:
+            - name: tmp
+              mountPath: /tmp
+      volumes:
+        - name: tmp
+          emptyDir: {}
