From ce97bbe7cd82e6a6204450c1b547819ed7d921db Mon Sep 17 00:00:00 2001
From: John Kyros
Date: Mon, 12 Aug 2024 11:59:59 -0500
Subject: [PATCH] Set root file system to read-only to match operand

The operand's root is set to read only, but the operator isn't, which is causing things like the trivvy scanner to complain about it as "severity high" misconfiguration. This just changes the readOnlyRootFilesystem setting to true in the pod templates (both the raw manifests and the CSV) to alleviate any possible security issue the writeable root fs may cause. It should have no impact whatsoever on the operation of the operator.

Signed-off-by: John Kyros
---
 bundle/manifests/keda.clusterserviceversion.yaml | 3 ++-
 config/manager/manager.yaml | 1 +
 config/manifests/bases/keda.clusterserviceversion.yaml | 1 +
 keda/2.14.1/manifests/keda.v2.14.1.clusterserviceversion.yaml | 1 +
 keda/2.15.0/manifests/keda.v2.15.0.clusterserviceversion.yaml | 1 +
 5 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/bundle/manifests/keda.clusterserviceversion.yaml b/bundle/manifests/keda.clusterserviceversion.yaml
index 253d1d77e..695b0355e 100644
--- a/bundle/manifests/keda.clusterserviceversion.yaml
+++ b/bundle/manifests/keda.clusterserviceversion.yaml
@@ -138,7 +138,7 @@ metadata:
 categories: Cloud Provider
 certified: "false"
 containerImage: ghcr.io/kedacore/keda-olm-operator:2.15.0
- createdAt: "2024-08-09T21:40:07Z"
+ createdAt: "2024-08-12T20:57:13Z"
 description: Operator that provides KEDA, a Kubernetes-based event driver autoscaler
 operatorframework.io/suggested-namespace: keda
 operators.operatorframework.io/builder: operator-sdk-v1.31.0
@@ -655,6 +655,7 @@ spec:
 capabilities:
 drop:
 - ALL
+ readOnlyRootFilesystem: true
 volumeMounts:
 - mountPath: /certs
 name: certificates
diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml
index 1d9e4bd73..28c7cfbcb 100644
--- a/config/manager/manager.yaml
+++ b/config/manager/manager.yaml
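Review bot: `readOnlyRootFilesystem: true` (the added line in the `@@ -655,6 +655,7 @@` hunk) makes every write outside a mounted volume fail with EROFS, and the only mount visible in the hunk is `/certs`, so nothing here shows that the operator has a writable location for temporary files or anything else it creates at runtime. The description's claim of "no impact whatsoever" should be backed by running the operator with this setting and checking its log for read-only-filesystem errors; if any path is written, mount an `emptyDir` there (for example `- mountPath: /tmp` with `name: tmp`) rather than reverting the flag. The same check applies to the identical hunks in config/manager/manager.yaml, config/manifests/bases/keda.clusterserviceversion.yaml, keda/2.14.1 and keda/2.15.0. The container spec these hunks belong to begins outside the hunk.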
@@ -36,6 +36,7 @@ spec:
 capabilities:
 drop:
 - ALL
+ readOnlyRootFilesystem: true
 ports:
 - containerPort: 8080
 name: http
diff --git a/config/manifests/bases/keda.clusterserviceversion.yaml b/config/manifests/bases/keda.clusterserviceversion.yaml
index 38d40bdf3..b2ee01a69 100644
--- a/config/manifests/bases/keda.clusterserviceversion.yaml
+++ b/config/manifests/bases/keda.clusterserviceversion.yaml
@@ -652,6 +652,7 @@ spec:
 capabilities:
 drop:
 - ALL
+ readOnlyRootFilesystem: true
 volumeMounts:
 - mountPath: /certs
 name: certificates
diff --git a/keda/2.14.1/manifests/keda.v2.14.1.clusterserviceversion.yaml b/keda/2.14.1/manifests/keda.v2.14.1.clusterserviceversion.yaml
index e96adf3c9..85e5c1d39 100644
--- a/keda/2.14.1/manifests/keda.v2.14.1.clusterserviceversion.yaml
+++ b/keda/2.14.1/manifests/keda.v2.14.1.clusterserviceversion.yaml
@@ -630,6 +630,7 @@ spec:
 capabilities:
 drop:
 - ALL
+ readOnlyRootFilesystem: true
 volumeMounts:
 - mountPath: /certs
 name: certificates
diff --git a/keda/2.15.0/manifests/keda.v2.15.0.clusterserviceversion.yaml b/keda/2.15.0/manifests/keda.v2.15.0.clusterserviceversion.yaml
index 84c1fb08b..fa5d99191 100644
--- a/keda/2.15.0/manifests/keda.v2.15.0.clusterserviceversion.yaml
+++ b/keda/2.15.0/manifests/keda.v2.15.0.clusterserviceversion.yaml
@@ -652,6 +652,7 @@ spec:
 capabilities:
 drop:
 - ALL
+ readOnlyRootFilesystem: true
 volumeMounts:
 - mountPath: /certs
 name: certificates
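Review bot: The `@@ -630,6 +630,7 @@` hunk in keda/2.14.1/manifests/keda.v2.14.1.clusterserviceversion.yaml edits what looks like the manifest of an already-released bundle version, and keda/2.15.0 appears to be the same kind of directory; if these mirror bundle images that were already built and published, the change will not reach existing installs and the checked-in files will diverge from the published artifacts. Unless a re-release of those versions is planned, consider limiting the change to the sources that feed the next bundle (config/manager/manager.yaml and the CSV base under config/manifests/bases) and saying so in the commit description. Unlike the bundle CSV, these hunks also leave `createdAt` untouched, so the manifest timestamp no longer reflects its content. The container spec these hunks belong to begins outside the hunk.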