add readOnlyFileSystem

dfajmon · dfajmon · commit 86a2d6d39698 · 2025-03-03T11:25:33.000+01:00
diff --git a/assets/csi_controller_deployment.yaml b/assets/csi_controller_deployment.yaml
@@ -26,6 +26,7 @@ spec:
     spec:
       securityContext:
         runAsNonRoot: true
+        readOnlyRootFilesystem: true
         seccompProfile:
           type: RuntimeDefault
       serviceAccount: csi-snapshot-controller
diff --git a/manifests/07_deployment-hypershift.yaml b/manifests/07_deployment-hypershift.yaml
@@ -53,6 +53,8 @@ spec:
         volumeMounts:
         - mountPath: /etc/guest-kubeconfig
           name: guest-kubeconfig
+        - mountPath: /var/run/secrets/serving-cert
+          name: serving-cert
       securityContext:
         runAsNonRoot: true
         seccompProfile:
@@ -62,3 +64,7 @@ spec:
       - name: guest-kubeconfig
         secret:
           secretName: service-network-admin-kubeconfig
+      - name: serving-cert
+        secret:
+          secretName: serving-cert
+          optional: true
diff --git a/manifests/07_deployment.yaml b/manifests/07_deployment.yaml
@@ -31,9 +31,12 @@ spec:
           requests:
             memory: 65Mi
             cpu: 10m
+        volumeMounts:
+        - mountPath: /var/run/secrets/serving-cert
+          name: serving-cert
         securityContext:
           allowPrivilegeEscalation: false
-          readOnlyRootFilesystem: false
+          readOnlyRootFilesystem: true
           capabilities:
             drop:
             - ALL
@@ -54,6 +57,11 @@ spec:
             fieldRef:
               fieldPath: metadata.name
         terminationMessagePolicy: FallbackToLogsOnError
+      volumes:
+      - name: serving-cert
+        secret:
+          secretName: serving-cert
+          optional: true
       priorityClassName: "system-cluster-critical"
       nodeSelector:
         node-role.kubernetes.io/master: ""
@@ -73,3 +81,4 @@ spec:
         runAsNonRoot: true
         seccompProfile:
           type: RuntimeDefault
+
