Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

STOR-2126: Enable readOnlyFileSystem #229

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
+28 −2
Open

STOR-2126: Enable readOnlyFileSystem #229

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion README.md
View file
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
# csi-snapshot-controller-operator

The CSI snapshot controller operator is an
[OpenShift ClusterOperator](https://github.com/openshift/enhancements/blob/master/enhancements/dev-guide/operators.md#what-is-an-openshift-clusteroperator).
[OpenShift ClusterOperator](https://github.com/openshift/enhancements/blob/master/dev-guide/operators.md#what-is-an-openshift-clusteroperator).
It installs and maintains the CSI Snapshot Controller, which is responsible for watching the VolumeSnapshot CRD objects and manages the creation and deletion lifecycle of volume snapshots.
10 changes: 9 additions & 1 deletion manifests/07_deployment.yaml
View file
Original file line number Diff line number Diff line change
@@ -31,9 +31,12 @@ spec:
requests:
memory: 65Mi
cpu: 10m
volumeMounts:
- mountPath: /var/run/secrets/serving-cert
name: serving-cert
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: false
readOnlyRootFilesystem: true
capabilities:
drop:
- ALL
@@ -54,6 +57,11 @@ spec:
fieldRef:
fieldPath: metadata.name
terminationMessagePolicy: FallbackToLogsOnError
volumes:
- name: serving-cert
secret:
secretName: serving-cert
optional: true
priorityClassName: "system-cluster-critical"
nodeSelector:
node-role.kubernetes.io/master: ""
6 changes: 6 additions & 0 deletions profile-patches/hypershift/07_deployment.yaml-patch
View file
Original file line number Diff line number Diff line change
@@ -19,6 +19,12 @@
- op: remove
path: /spec/template/spec/priorityClassName

# Remove changes for readOnlyRootFilesystem
- op: replace
path: /spec/template/spec/containers/0/securityContext/readOnlyRootFilesystem
value:
false

# Add guest-kubeconfig volume
- op: add
path: /spec/template/spec/volumes
12 changes: 12 additions & 0 deletions profile-patches/ibm-cloud-managed/07_deployment.yaml-patch
View file
Original file line number Diff line number Diff line change
@@ -6,3 +6,15 @@
capability.openshift.io/name: CSISnapshot
- op: remove
path: /spec/template/spec/nodeSelector

# Remove serving-cert volume
- op: remove
path: /spec/template/spec/containers/0/volumeMounts
- op: remove
path: /spec/template/spec/volumes

# Remove changes for readOnlyRootFilesystem
- op: replace
path: /spec/template/spec/containers/0/securityContext/readOnlyRootFilesystem
value:
false