diff --git a/assets/common/readOnlyRootFilesystem.yaml b/assets/common/readOnlyRootFilesystem.yaml
new file mode 100644
index 000000000..795f5d31b
--- /dev/null
+++ b/assets/common/readOnlyRootFilesystem.yaml
@@ -0,0 +1,7 @@
+spec:
+ template:
+ spec:
+ containers:
+ - name: csi-driver
+ securityContext:
+ readOnlyRootFilesystem: true
\ No newline at end of file
diff --git a/assets/common/sidecars/attacher.yaml b/assets/common/sidecars/attacher.yaml
index 0892a6a7d..194e755f2 100644
--- a/assets/common/sidecars/attacher.yaml
+++ b/assets/common/sidecars/attacher.yaml
@@ -5,6 +5,8 @@ spec:
 spec:
 containers:
 - name: csi-attacher
+ securityContext:
+ readOnlyRootFilesystem: true
 image: ${ATTACHER_IMAGE}
 imagePullPolicy: IfNotPresent
 args:
diff --git a/assets/common/sidecars/controller_driver_kube_rbac_proxy.yaml b/assets/common/sidecars/controller_driver_kube_rbac_proxy.yaml
index 29bad8fd6..9ae67b349 100644
--- a/assets/common/sidecars/controller_driver_kube_rbac_proxy.yaml
+++ b/assets/common/sidecars/controller_driver_kube_rbac_proxy.yaml
@@ -7,6 +7,8 @@ spec:
 spec:
 containers:
 - name: kube-rbac-proxy-${LOCAL_METRICS_PORT}
+ securityContext:
+ readOnlyRootFilesystem: true
 args:
 - --secure-listen-address=0.0.0.0:${EXPOSED_METRICS_PORT}
 - --upstream=http://127.0.0.1:${LOCAL_METRICS_PORT}/
diff --git a/assets/common/sidecars/host_network_livenessprobe.yaml b/assets/common/sidecars/host_network_livenessprobe.yaml
index af73046db..1c356d0f2 100644
--- a/assets/common/sidecars/host_network_livenessprobe.yaml
+++ b/assets/common/sidecars/host_network_livenessprobe.yaml
@@ -4,6 +4,8 @@ spec:
 spec:
 containers:
 - name: csi-liveness-probe
+ securityContext:
+ readOnlyRootFilesystem: true
 image: ${LIVENESS_PROBE_IMAGE}
 imagePullPolicy: IfNotPresent
 terminationMessagePolicy: FallbackToLogsOnError
diff --git a/assets/common/sidecars/node_driver_kube_rbac_proxy.yaml b/assets/common/sidecars/node_driver_kube_rbac_proxy.yaml
index 97ea506d8..1e9df7051 100644
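Review bot: None of these manifests pairs the new `readOnlyRootFilesystem: true` with a writable volume, so a sidecar or csi-driver image that writes anywhere outside its declared volumeMounts will now fail at runtime instead of being rejected at admission; the same two-line addition recurs in attacher.yaml, both kube_rbac_proxy sidecars, both livenessprobe sidecars, node_driver_registrar.yaml, provisioner.yaml, resizer.yaml and snapshotter.yaml. Whether any of those images needs a scratch path cannot be determined from the manifests, so confirm it per image and, where one does, add an `emptyDir` mount for that path rather than dropping the flag. The new readOnlyRootFilesystem.yaml also ends with `\ No newline at end of file`; add the trailing newline so it matches the other patch files. Separately, the regenerated aws-efs standalone controller.yaml gains no `# Applied strategic merge patch common/readOnlyRootFilesystem.yaml` provenance line while every other regenerated controller does, which suggests it may not have come from the same generator run and is worth re-checking.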
--- a/assets/common/sidecars/node_driver_kube_rbac_proxy.yaml
+++ b/assets/common/sidecars/node_driver_kube_rbac_proxy.yaml
@@ -7,6 +7,8 @@ spec:
 spec:
 containers:
 - name: kube-rbac-proxy-${LOCAL_METRICS_PORT}
+ securityContext:
+ readOnlyRootFilesystem: true
 args:
 - --secure-listen-address=0.0.0.0:${EXPOSED_METRICS_PORT}
 - --upstream=http://127.0.0.1:${LOCAL_METRICS_PORT}/
diff --git a/assets/common/sidecars/node_driver_registrar.yaml b/assets/common/sidecars/node_driver_registrar.yaml
index a861e9c90..afb59ec92 100644
--- a/assets/common/sidecars/node_driver_registrar.yaml
+++ b/assets/common/sidecars/node_driver_registrar.yaml
@@ -7,6 +7,7 @@ spec:
 - name: csi-node-driver-registrar
 securityContext:
 privileged: true
+ readOnlyRootFilesystem: true
 image: ${NODE_DRIVER_REGISTRAR_IMAGE}
 imagePullPolicy: IfNotPresent
 args:
diff --git a/assets/common/sidecars/pod_network_livenessprobe.yaml b/assets/common/sidecars/pod_network_livenessprobe.yaml
index 228b71fb6..e008daf13 100644
--- a/assets/common/sidecars/pod_network_livenessprobe.yaml
+++ b/assets/common/sidecars/pod_network_livenessprobe.yaml
@@ -4,6 +4,8 @@ spec:
 spec:
 containers:
 - name: csi-liveness-probe
+ securityContext:
+ readOnlyRootFilesystem: true
 image: ${LIVENESS_PROBE_IMAGE}
 imagePullPolicy: IfNotPresent
 terminationMessagePolicy: FallbackToLogsOnError
diff --git a/assets/common/sidecars/provisioner.yaml b/assets/common/sidecars/provisioner.yaml
index bb01cd62c..6475cff42 100644
--- a/assets/common/sidecars/provisioner.yaml
+++ b/assets/common/sidecars/provisioner.yaml
@@ -5,6 +5,8 @@ spec:
 spec:
 containers:
 - name: csi-provisioner
+ securityContext:
+ readOnlyRootFilesystem: true
 image: ${PROVISIONER_IMAGE}
 imagePullPolicy: IfNotPresent
 args:
diff --git a/assets/common/sidecars/resizer.yaml b/assets/common/sidecars/resizer.yaml
index e6118f902..5fa3a1224 100644
--- a/assets/common/sidecars/resizer.yaml
+++ b/assets/common/sidecars/resizer.yaml
@@ -5,6 +5,8 @@ spec:
 spec:
 containers:
 - name: csi-resizer
+ securityContext:
+ readOnlyRootFilesystem: true
 image: ${RESIZER_IMAGE}
 imagePullPolicy: IfNotPresent
 args:
diff --git a/assets/common/sidecars/snapshotter.yaml b/assets/common/sidecars/snapshotter.yaml
index 2eba9cf41..dc9b203d6 100644
--- a/assets/common/sidecars/snapshotter.yaml
+++ b/assets/common/sidecars/snapshotter.yaml
@@ -5,6 +5,8 @@ spec:
 spec:
 containers:
 - name: csi-snapshotter
+ securityContext:
+ readOnlyRootFilesystem: true
 image: ${SNAPSHOTTER_IMAGE}
 imagePullPolicy: IfNotPresent
 args:
diff --git a/assets/overlays/aws-ebs/generated/hypershift/controller.yaml b/assets/overlays/aws-ebs/generated/hypershift/controller.yaml
index 6108b7d9c..88fa6d57c 100644
--- a/assets/overlays/aws-ebs/generated/hypershift/controller.yaml
+++ b/assets/overlays/aws-ebs/generated/hypershift/controller.yaml
@@ -24,6 +24,7 @@
 # Applied strategic merge patch pod_network_livenessprobe.yaml
 # Applied strategic merge patch common/hypershift/controller_add_affinity_tolerations.yaml
 # Applied JSON patch common/hypershift/controller_add_kubeconfig_volume.yaml.patch
+# Applied strategic merge patch common/readOnlyRootFilesystem.yaml
 # Applied strategic merge patch overlays/aws-ebs/patches/controller_add_hypershift_controller_minter.yaml
 #
 #
@@ -127,6 +128,8 @@ spec:
 requests:
 cpu: 10m
 memory: 50Mi
+ securityContext:
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /var/run/aws/keys
@@ -159,6 +162,8 @@ spec:
 requests:
 cpu: 10m
 memory: 20Mi
+ securityContext:
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /etc/tls/private
@@ -190,6 +195,8 @@ spec:
 requests:
 cpu: 10m
 memory: 50Mi
+ securityContext:
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /var/lib/csi/sockets/pluginproxy/
@@ -244,6 +251,8 @@ spec:
 requests:
 cpu: 10m
 memory: 50Mi
+ securityContext:
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /var/lib/csi/sockets/pluginproxy/
@@ -298,6 +307,8 @@ spec:
 requests:
 cpu: 10m
 memory: 50Mi
+ securityContext:
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /var/lib/csi/sockets/pluginproxy/
@@ -352,6 +363,8 @@ spec:
 requests:
 cpu: 10m
 memory: 50Mi
+ securityContext:
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /var/lib/csi/sockets/pluginproxy/
@@ -395,6 +408,8 @@ spec:
 requests:
 cpu: 10m
 memory: 50Mi
+ securityContext:
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /csi
diff --git a/assets/overlays/aws-ebs/generated/hypershift/node.yaml b/assets/overlays/aws-ebs/generated/hypershift/node.yaml
index 3e7ca44f4..18e1013a8 100644
--- a/assets/overlays/aws-ebs/generated/hypershift/node.yaml
+++ b/assets/overlays/aws-ebs/generated/hypershift/node.yaml
@@ -7,6 +7,7 @@
 # host_network_livenessprobe.yaml: Loaded from common/sidecars/host_network_livenessprobe.yaml
 # host_network_livenessprobe.yaml: Added arguments [--probe-timeout=3s]
 # Applied strategic merge patch host_network_livenessprobe.yaml
+# Applied strategic merge patch common/readOnlyRootFilesystem.yaml
 #
 #
@@ -62,6 +63,7 @@ spec:
 memory: 50Mi
 securityContext:
 privileged: true
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /var/lib/kubelet
@@ -110,6 +112,7 @@ spec:
 memory: 50Mi
 securityContext:
 privileged: true
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /csi
@@ -129,6 +132,8 @@ spec:
 requests:
 cpu: 10m
 memory: 50Mi
+ securityContext:
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /csi
diff --git a/assets/overlays/aws-ebs/generated/standalone/controller.yaml b/assets/overlays/aws-ebs/generated/standalone/controller.yaml
index f2808d75c..b34bd2df6 100644
--- a/assets/overlays/aws-ebs/generated/standalone/controller.yaml
+++ b/assets/overlays/aws-ebs/generated/standalone/controller.yaml
@@ -19,6 +19,7 @@
 # pod_network_livenessprobe.yaml: Added arguments [--probe-timeout=3s]
 # Applied strategic merge patch pod_network_livenessprobe.yaml
 # Applied strategic merge patch common/standalone/controller_add_affinity.yaml
+# Applied strategic merge patch common/readOnlyRootFilesystem.yaml
 #
 #
@@ -96,6 +97,8 @@ spec:
 requests:
 cpu: 10m
 memory: 50Mi
+ securityContext:
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /var/run/aws/keys
@@ -128,6 +131,8 @@ spec:
 requests:
 cpu: 10m
 memory: 20Mi
+ securityContext:
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /etc/tls/private
@@ -156,6 +161,8 @@ spec:
 requests:
 cpu: 10m
 memory: 50Mi
+ securityContext:
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /var/lib/csi/sockets/pluginproxy/
@@ -204,6 +211,8 @@ spec:
 requests:
 cpu: 10m
 memory: 50Mi
+ securityContext:
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /var/lib/csi/sockets/pluginproxy/
@@ -252,6 +261,8 @@ spec:
 requests:
 cpu: 10m
 memory: 50Mi
+ securityContext:
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /var/lib/csi/sockets/pluginproxy/
@@ -300,6 +311,8 @@ spec:
 requests:
 cpu: 10m
 memory: 50Mi
+ securityContext:
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /var/lib/csi/sockets/pluginproxy/
@@ -340,6 +353,8 @@ spec:
 requests:
 cpu: 10m
 memory: 50Mi
+ securityContext:
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /csi
diff --git a/assets/overlays/aws-ebs/generated/standalone/node.yaml b/assets/overlays/aws-ebs/generated/standalone/node.yaml
index 3e7ca44f4..18e1013a8 100644
--- a/assets/overlays/aws-ebs/generated/standalone/node.yaml
+++ b/assets/overlays/aws-ebs/generated/standalone/node.yaml
@@ -7,6 +7,7 @@
 # host_network_livenessprobe.yaml: Loaded from common/sidecars/host_network_livenessprobe.yaml
 # host_network_livenessprobe.yaml: Added arguments [--probe-timeout=3s]
 # Applied strategic merge patch host_network_livenessprobe.yaml
+# Applied strategic merge patch common/readOnlyRootFilesystem.yaml
 #
 #
@@ -62,6 +63,7 @@ spec:
 memory: 50Mi
 securityContext:
 privileged: true
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /var/lib/kubelet
@@ -110,6 +112,7 @@ spec:
 memory: 50Mi
 securityContext:
 privileged: true
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /csi
@@ -129,6 +132,8 @@ spec:
 requests:
 cpu: 10m
 memory: 50Mi
+ securityContext:
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /csi
diff --git a/assets/overlays/aws-efs/generated/standalone/controller.yaml b/assets/overlays/aws-efs/generated/standalone/controller.yaml
index 10f478384..4c6e43090 100644
--- a/assets/overlays/aws-efs/generated/standalone/controller.yaml
+++ b/assets/overlays/aws-efs/generated/standalone/controller.yaml
@@ -118,6 +118,7 @@ spec:
 memory: 50Mi
 securityContext:
 privileged: true
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /var/lib/csi/sockets/pluginproxy/
@@ -160,6 +161,7 @@ spec:
 memory: 50Mi
 securityContext:
 privileged: true
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /csi
diff --git a/assets/overlays/aws-efs/generated/standalone/node.yaml b/assets/overlays/aws-efs/generated/standalone/node.yaml
index 02e6de93d..c6a400982 100644
--- a/assets/overlays/aws-efs/generated/standalone/node.yaml
+++ b/assets/overlays/aws-efs/generated/standalone/node.yaml
@@ -7,6 +7,7 @@
 # host_network_livenessprobe.yaml: Loaded from common/sidecars/host_network_livenessprobe.yaml
 # host_network_livenessprobe.yaml: Added arguments [--probe-timeout=3s]
 # Applied strategic merge patch host_network_livenessprobe.yaml
+# Applied strategic merge patch common/readOnlyRootFilesystem.yaml
 #
 #
@@ -65,6 +66,7 @@ spec:
 memory: 50Mi
 securityContext:
 privileged: true
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /var/lib/kubelet
@@ -123,6 +125,7 @@ spec:
 memory: 50Mi
 securityContext:
 privileged: true
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /csi
@@ -142,6 +145,8 @@ spec:
 requests:
 cpu: 10m
 memory: 50Mi
+ securityContext:
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /csi
diff --git a/assets/overlays/azure-disk/generated/hypershift/controller.yaml b/assets/overlays/azure-disk/generated/hypershift/controller.yaml
index 9d3aaf3df..fad763fbe 100644
--- a/assets/overlays/azure-disk/generated/hypershift/controller.yaml
+++ b/assets/overlays/azure-disk/generated/hypershift/controller.yaml
@@ -24,6 +24,7 @@
 # Applied strategic merge patch pod_network_livenessprobe.yaml
 # Applied strategic merge patch common/hypershift/controller_add_affinity_tolerations.yaml
 # Applied JSON patch common/hypershift/controller_add_kubeconfig_volume.yaml.patch
+# Applied strategic merge patch common/readOnlyRootFilesystem.yaml
 # Applied strategic merge patch overlays/azure-disk/patches/controller_add_hypershift_controller.yaml
 #
 #
@@ -124,6 +125,8 @@ spec:
 requests:
 cpu: 10m
 memory: 50Mi
+ securityContext:
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /var/lib/csi/sockets/pluginproxy/
@@ -153,6 +156,8 @@ spec:
 requests:
 cpu: 10m
 memory: 20Mi
+ securityContext:
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /etc/tls/private
@@ -185,6 +190,8 @@ spec:
 requests:
 cpu: 10m
 memory: 50Mi
+ securityContext:
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /var/lib/csi/sockets/pluginproxy/
@@ -239,6 +246,8 @@ spec:
 requests:
 cpu: 10m
 memory: 50Mi
+ securityContext:
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /var/lib/csi/sockets/pluginproxy/
@@ -291,6 +300,8 @@ spec:
 requests:
 cpu: 10m
 memory: 50Mi
+ securityContext:
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /var/lib/csi/sockets/pluginproxy/
@@ -342,6 +353,8 @@ spec:
 requests:
 cpu: 10m
 memory: 50Mi
+ securityContext:
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /var/lib/csi/sockets/pluginproxy/
@@ -385,6 +398,8 @@ spec:
 requests:
 cpu: 10m
 memory: 50Mi
+ securityContext:
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /csi
diff --git a/assets/overlays/azure-disk/generated/hypershift/node.yaml b/assets/overlays/azure-disk/generated/hypershift/node.yaml
index 7c70bcd69..9dca9405d 100644
--- a/assets/overlays/azure-disk/generated/hypershift/node.yaml
+++ b/assets/overlays/azure-disk/generated/hypershift/node.yaml
@@ -8,6 +8,7 @@
 # host_network_livenessprobe.yaml: Loaded from common/sidecars/host_network_livenessprobe.yaml
 # host_network_livenessprobe.yaml: Added arguments [--probe-timeout=3s]
 # Applied strategic merge patch host_network_livenessprobe.yaml
+# Applied strategic merge patch common/readOnlyRootFilesystem.yaml
 #
 #
@@ -74,6 +75,7 @@ spec:
 memory: 50Mi
 securityContext:
 privileged: true
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /csi
@@ -113,6 +115,8 @@ spec:
 requests:
 cpu: 10m
 memory: 20Mi
+ securityContext:
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /etc/tls/private
@@ -152,6 +156,7 @@ spec:
 memory: 50Mi
 securityContext:
 privileged: true
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /csi
@@ -171,6 +176,8 @@ spec:
 requests:
 cpu: 10m
 memory: 50Mi
+ securityContext:
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /csi
diff --git a/assets/overlays/azure-disk/generated/standalone/controller.yaml b/assets/overlays/azure-disk/generated/standalone/controller.yaml
index 1d44c8c41..4da258cb2 100644
--- a/assets/overlays/azure-disk/generated/standalone/controller.yaml
+++ b/assets/overlays/azure-disk/generated/standalone/controller.yaml
@@ -19,6 +19,7 @@
 # pod_network_livenessprobe.yaml: Added arguments [--probe-timeout=3s]
 # Applied strategic merge patch pod_network_livenessprobe.yaml
 # Applied strategic merge patch common/standalone/controller_add_affinity.yaml
+# Applied strategic merge patch common/readOnlyRootFilesystem.yaml
 # Applied strategic merge patch overlays/azure-disk/patches/controller_add_standalone_injector.yaml
 #
 #
@@ -94,6 +95,8 @@ spec:
 requests:
 cpu: 10m
 memory: 50Mi
+ securityContext:
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /var/lib/csi/sockets/pluginproxy/
@@ -123,6 +126,8 @@ spec:
 requests:
 cpu: 10m
 memory: 20Mi
+ securityContext:
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /etc/tls/private
@@ -152,6 +157,8 @@ spec:
 requests:
 cpu: 10m
 memory: 50Mi
+ securityContext:
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /var/lib/csi/sockets/pluginproxy/
@@ -200,6 +207,8 @@ spec:
 requests:
 cpu: 10m
 memory: 50Mi
+ securityContext:
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /var/lib/csi/sockets/pluginproxy/
@@ -246,6 +255,8 @@ spec:
 requests:
 cpu: 10m
 memory: 50Mi
+ securityContext:
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /var/lib/csi/sockets/pluginproxy/
@@ -291,6 +302,8 @@ spec:
 requests:
 cpu: 10m
 memory: 50Mi
+ securityContext:
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /var/lib/csi/sockets/pluginproxy/
@@ -331,6 +344,8 @@ spec:
 requests:
 cpu: 10m
 memory: 50Mi
+ securityContext:
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /csi
diff --git a/assets/overlays/azure-disk/generated/standalone/node.yaml b/assets/overlays/azure-disk/generated/standalone/node.yaml
index 7c70bcd69..9dca9405d 100644
--- a/assets/overlays/azure-disk/generated/standalone/node.yaml
+++ b/assets/overlays/azure-disk/generated/standalone/node.yaml
@@ -8,6 +8,7 @@
 # host_network_livenessprobe.yaml: Loaded from common/sidecars/host_network_livenessprobe.yaml
 # host_network_livenessprobe.yaml: Added arguments [--probe-timeout=3s]
 # Applied strategic merge patch host_network_livenessprobe.yaml
+# Applied strategic merge patch common/readOnlyRootFilesystem.yaml
 #
 #
@@ -74,6 +75,7 @@ spec:
 memory: 50Mi
 securityContext:
 privileged: true
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /csi
@@ -113,6 +115,8 @@ spec:
 requests:
 cpu: 10m
 memory: 20Mi
+ securityContext:
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /etc/tls/private
@@ -152,6 +156,7 @@ spec:
 memory: 50Mi
 securityContext:
 privileged: true
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /csi
@@ -171,6 +176,8 @@ spec:
 requests:
 cpu: 10m
 memory: 50Mi
+ securityContext:
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /csi
diff --git a/assets/overlays/azure-file/generated/hypershift/controller.yaml b/assets/overlays/azure-file/generated/hypershift/controller.yaml
index 5da02b8a8..1652e3ee7 100644
--- a/assets/overlays/azure-file/generated/hypershift/controller.yaml
+++ b/assets/overlays/azure-file/generated/hypershift/controller.yaml
@@ -24,6 +24,7 @@
 # Applied strategic merge patch pod_network_livenessprobe.yaml
 # Applied strategic merge patch common/hypershift/controller_add_affinity_tolerations.yaml
 # Applied JSON patch common/hypershift/controller_add_kubeconfig_volume.yaml.patch
+# Applied strategic merge patch common/readOnlyRootFilesystem.yaml
 # Applied JSON patch common/hypershift/sidecar_add_kubeconfig.yaml.patch
 # Applied strategic merge patch overlays/azure-file/patches/controller_add_hypershift_controller.yaml
 #
@@ -134,6 +135,8 @@ spec:
 requests:
 cpu: 10m
 memory: 50Mi
+ securityContext:
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /var/lib/csi/sockets/pluginproxy/
@@ -166,6 +169,8 @@ spec:
 requests:
 cpu: 10m
 memory: 20Mi
+ securityContext:
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /etc/tls/private
@@ -194,6 +199,8 @@ spec:
 requests:
 cpu: 10m
 memory: 50Mi
+ securityContext:
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /var/lib/csi/sockets/pluginproxy/
@@ -245,6 +252,8 @@ spec:
 requests:
 cpu: 10m
 memory: 50Mi
+ securityContext:
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /var/lib/csi/sockets/pluginproxy/
@@ -297,6 +306,8 @@ spec:
 requests:
 cpu: 10m
 memory: 50Mi
+ securityContext:
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /var/lib/csi/sockets/pluginproxy/
@@ -348,6 +359,8 @@ spec:
 requests:
 cpu: 10m
 memory: 50Mi
+ securityContext:
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /var/lib/csi/sockets/pluginproxy/
@@ -391,6 +404,8 @@ spec:
 requests:
 cpu: 10m
 memory: 50Mi
+ securityContext:
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /csi
diff --git a/assets/overlays/azure-file/generated/hypershift/node.yaml b/assets/overlays/azure-file/generated/hypershift/node.yaml
index 8630617cd..c1fd7be26 100644
--- a/assets/overlays/azure-file/generated/hypershift/node.yaml
+++ b/assets/overlays/azure-file/generated/hypershift/node.yaml
@@ -7,6 +7,7 @@
 # host_network_livenessprobe.yaml: Loaded from common/sidecars/host_network_livenessprobe.yaml
 # host_network_livenessprobe.yaml: Added arguments [--probe-timeout=3s]
 # Applied strategic merge patch host_network_livenessprobe.yaml
+# Applied strategic merge patch common/readOnlyRootFilesystem.yaml
 #
 #
@@ -72,6 +73,7 @@ spec:
 memory: 50Mi
 securityContext:
 privileged: true
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /csi
@@ -130,6 +132,7 @@ spec:
 memory: 50Mi
 securityContext:
 privileged: true
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /csi
@@ -149,6 +152,8 @@ spec:
 requests:
 cpu: 10m
 memory: 50Mi
+ securityContext:
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /csi
diff --git a/assets/overlays/azure-file/generated/standalone/controller.yaml b/assets/overlays/azure-file/generated/standalone/controller.yaml
index 63c9cb98c..c70e4c814 100644
--- a/assets/overlays/azure-file/generated/standalone/controller.yaml
+++ b/assets/overlays/azure-file/generated/standalone/controller.yaml
@@ -19,6 +19,7 @@
 # pod_network_livenessprobe.yaml: Added arguments [--probe-timeout=3s]
 # Applied strategic merge patch pod_network_livenessprobe.yaml
 # Applied strategic merge patch common/standalone/controller_add_affinity.yaml
+# Applied strategic merge patch common/readOnlyRootFilesystem.yaml
 # Applied strategic merge patch overlays/azure-file/patches/controller_add_standalone_injector.yaml
 #
 #
@@ -100,6 +101,8 @@ spec:
 requests:
 cpu: 10m
 memory: 50Mi
+ securityContext:
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /var/lib/csi/sockets/pluginproxy/
@@ -129,6 +132,8 @@ spec:
 requests:
 cpu: 10m
 memory: 20Mi
+ securityContext:
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /etc/tls/private
@@ -154,6 +159,8 @@ spec:
 requests:
 cpu: 10m
 memory: 50Mi
+ securityContext:
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /var/lib/csi/sockets/pluginproxy/
@@ -199,6 +206,8 @@ spec:
 requests:
 cpu: 10m
 memory: 50Mi
+ securityContext:
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /var/lib/csi/sockets/pluginproxy/
@@ -245,6 +254,8 @@ spec:
 requests:
 cpu: 10m
 memory: 50Mi
+ securityContext:
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /var/lib/csi/sockets/pluginproxy/
@@ -290,6 +301,8 @@ spec:
 requests:
 cpu: 10m
 memory: 50Mi
+ securityContext:
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /var/lib/csi/sockets/pluginproxy/
@@ -330,6 +343,8 @@ spec:
 requests:
 cpu: 10m
 memory: 50Mi
+ securityContext:
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /csi
diff --git a/assets/overlays/azure-file/generated/standalone/node.yaml b/assets/overlays/azure-file/generated/standalone/node.yaml
index 8630617cd..c1fd7be26 100644
--- a/assets/overlays/azure-file/generated/standalone/node.yaml
+++ b/assets/overlays/azure-file/generated/standalone/node.yaml
@@ -7,6 +7,7 @@
 # host_network_livenessprobe.yaml: Loaded from common/sidecars/host_network_livenessprobe.yaml
 # host_network_livenessprobe.yaml: Added arguments [--probe-timeout=3s]
 # Applied strategic merge patch host_network_livenessprobe.yaml
+# Applied strategic merge patch common/readOnlyRootFilesystem.yaml
 #
 #
@@ -72,6 +73,7 @@ spec:
 memory: 50Mi
 securityContext:
 privileged: true
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /csi
@@ -130,6 +132,7 @@ spec:
 memory: 50Mi
 securityContext:
 privileged: true
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /csi
@@ -149,6 +152,8 @@ spec:
 requests:
 cpu: 10m
 memory: 50Mi
+ securityContext:
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /csi
diff --git a/assets/overlays/openstack-cinder/generated/hypershift/controller.yaml b/assets/overlays/openstack-cinder/generated/hypershift/controller.yaml
index 2c9338b2d..236c51aea 100644
--- a/assets/overlays/openstack-cinder/generated/hypershift/controller.yaml
+++ b/assets/overlays/openstack-cinder/generated/hypershift/controller.yaml
@@ -22,6 +22,7 @@
 # Applied strategic merge patch pod_network_livenessprobe.yaml
 # Applied strategic merge patch common/hypershift/controller_add_affinity_tolerations.yaml
 # Applied JSON patch common/hypershift/controller_add_kubeconfig_volume.yaml.patch
+# Applied strategic merge patch common/readOnlyRootFilesystem.yaml
 # Applied strategic merge patch overlays/openstack-cinder/patches/controller_add_hypershift_volumes.yaml
 #
 #
@@ -130,6 +131,8 @@ spec:
 requests:
 cpu: 10m
 memory: 50Mi
+ securityContext:
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /etc/kubernetes/static-pod-resources/configmaps/cloud-config
@@ -161,6 +164,8 @@ spec:
 requests:
 cpu: 10m
 memory: 20Mi
+ securityContext:
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /etc/tls/private
@@ -187,6 +192,8 @@ spec:
 requests:
 cpu: 10m
 memory: 50Mi
+ securityContext:
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /var/lib/csi/sockets/pluginproxy/
@@ -238,6 +245,8 @@ spec:
 requests:
 cpu: 10m
 memory: 50Mi
+ securityContext:
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /var/lib/csi/sockets/pluginproxy/
@@ -288,6 +297,8 @@ spec:
 requests:
 cpu: 10m
 memory: 50Mi
+ securityContext:
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /var/lib/csi/sockets/pluginproxy/
@@ -338,6 +349,8 @@ spec:
 requests:
 cpu: 10m
 memory: 50Mi
+ securityContext:
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /var/lib/csi/sockets/pluginproxy/
@@ -381,6 +394,8 @@ spec:
 requests:
 cpu: 10m
 memory: 50Mi
+ securityContext:
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /csi
diff --git a/assets/overlays/openstack-cinder/generated/hypershift/node.yaml b/assets/overlays/openstack-cinder/generated/hypershift/node.yaml
index 6a56f8646..e3809aeb7 100644
--- a/assets/overlays/openstack-cinder/generated/hypershift/node.yaml
+++ b/assets/overlays/openstack-cinder/generated/hypershift/node.yaml
@@ -7,6 +7,7 @@
 # Applied strategic merge patch host_network_livenessprobe.yaml
 # node_driver_registrar.yaml: Loaded from common/sidecars/node_driver_registrar.yaml
 # Applied strategic merge patch node_driver_registrar.yaml
+# Applied strategic merge patch common/readOnlyRootFilesystem.yaml
 #
 #
@@ -76,6 +77,7 @@ spec:
 add:
 - SYS_ADMIN
 privileged: true
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /var/lib/kubelet
@@ -111,6 +113,8 @@ spec:
 requests:
 cpu: 10m
 memory: 50Mi
+ securityContext:
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /csi
@@ -150,6 +154,7 @@ spec:
 memory: 50Mi
 securityContext:
 privileged: true
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /csi
diff --git a/assets/overlays/openstack-cinder/generated/standalone/controller.yaml b/assets/overlays/openstack-cinder/generated/standalone/controller.yaml
index 19c739816..4b5d0b812 100644
--- a/assets/overlays/openstack-cinder/generated/standalone/controller.yaml
+++ b/assets/overlays/openstack-cinder/generated/standalone/controller.yaml
@@ -17,6 +17,7 @@
 # pod_network_livenessprobe.yaml: Added arguments [--probe-timeout=10s]
 # Applied strategic merge patch pod_network_livenessprobe.yaml
 # Applied strategic merge patch common/standalone/controller_add_affinity.yaml
+# Applied strategic merge patch common/readOnlyRootFilesystem.yaml
 #
 #
@@ -99,6 +100,8 @@ spec:
 requests:
 cpu: 10m
 memory: 50Mi
+ securityContext:
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /etc/kubernetes/static-pod-resources/configmaps/cloud-config
@@ -130,6 +133,8 @@ spec:
 requests:
 cpu: 10m
 memory: 20Mi
+ securityContext:
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /etc/tls/private
@@ -153,6 +158,8 @@ spec:
 requests:
 cpu: 10m
 memory: 50Mi
+ securityContext:
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /var/lib/csi/sockets/pluginproxy/
@@ -198,6 +205,8 @@ spec:
 requests:
 cpu: 10m
 memory: 50Mi
+ securityContext:
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /var/lib/csi/sockets/pluginproxy/
@@ -242,6 +251,8 @@ spec:
 requests:
 cpu: 10m
 memory: 50Mi
+ securityContext:
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /var/lib/csi/sockets/pluginproxy/
@@ -286,6 +297,8 @@ spec:
 requests:
 cpu: 10m
 memory: 50Mi
+ securityContext:
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /var/lib/csi/sockets/pluginproxy/
@@ -326,6 +339,8 @@ spec:
 requests:
 cpu: 10m
 memory: 50Mi
+ securityContext:
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /csi
diff --git a/assets/overlays/openstack-cinder/generated/standalone/node.yaml b/assets/overlays/openstack-cinder/generated/standalone/node.yaml
index 6a56f8646..e3809aeb7 100644
--- a/assets/overlays/openstack-cinder/generated/standalone/node.yaml
+++ b/assets/overlays/openstack-cinder/generated/standalone/node.yaml
@@ -7,6 +7,7 @@
 # Applied strategic merge patch host_network_livenessprobe.yaml
 # node_driver_registrar.yaml: Loaded from common/sidecars/node_driver_registrar.yaml
 # Applied strategic merge patch node_driver_registrar.yaml
+# Applied strategic merge patch common/readOnlyRootFilesystem.yaml
 #
 #
@@ -76,6 +77,7 @@ spec:
 add:
 - SYS_ADMIN
 privileged: true
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /var/lib/kubelet
@@ -111,6 +113,8 @@ spec:
 requests:
 cpu: 10m
 memory: 50Mi
+ securityContext:
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /csi
@@ -150,6 +154,7 @@ spec: memory: 50Mi securityContext: privileged: true + readOnlyRootFilesystem: true terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /csi diff --git a/assets/overlays/openstack-manila/generated/hypershift/controller.yaml b/assets/overlays/openstack-manila/generated/hypershift/controller.yaml index febff678b..c23726a25 100644 --- a/assets/overlays/openstack-manila/generated/hypershift/controller.yaml +++ b/assets/overlays/openstack-manila/generated/hypershift/controller.yaml @@ -18,6 +18,7 @@ # Applied strategic merge patch pod_network_livenessprobe.yaml # Applied strategic merge patch common/hypershift/controller_add_affinity_tolerations.yaml # Applied JSON patch common/hypershift/controller_add_kubeconfig_volume.yaml.patch +# Applied strategic merge patch common/readOnlyRootFilesystem.yaml # Applied strategic merge patch overlays/openstack-manila/patches/controller_add_hypershift_volumes.yaml # Applied strategic merge patch overlays/openstack-manila/patches/controller_rename_config_map.yaml # Applied strategic merge patch overlays/openstack-manila/patches/modify_anti_affinity_selector.yaml @@ -134,6 +135,8 @@ spec: requests: cpu: 10m memory: 50Mi + securityContext: + readOnlyRootFilesystem: true terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /plugin @@ -182,6 +185,8 @@ spec: requests: cpu: 10m memory: 50Mi + securityContext: + readOnlyRootFilesystem: true terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /var/lib/csi/sockets/pluginproxy/ @@ -234,6 +239,8 @@ spec: requests: cpu: 10m memory: 50Mi + securityContext: + readOnlyRootFilesystem: true terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /var/lib/csi/sockets/pluginproxy/ @@ -284,6 +291,8 @@ spec: requests: cpu: 10m memory: 50Mi + securityContext: + readOnlyRootFilesystem: true terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /var/lib/csi/sockets/pluginproxy/ 
@@ -327,6 +336,8 @@ spec: requests: cpu: 10m memory: 50Mi + securityContext: + readOnlyRootFilesystem: true terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /csi diff --git a/assets/overlays/openstack-manila/generated/hypershift/node.yaml b/assets/overlays/openstack-manila/generated/hypershift/node.yaml index dc7fdbf09..4d75663e0 100644 --- a/assets/overlays/openstack-manila/generated/hypershift/node.yaml +++ b/assets/overlays/openstack-manila/generated/hypershift/node.yaml @@ -7,6 +7,7 @@ # Applied strategic merge patch host_network_livenessprobe.yaml # node_driver_registrar.yaml: Loaded from common/sidecars/node_driver_registrar.yaml # Applied strategic merge patch node_driver_registrar.yaml +# Applied strategic merge patch common/readOnlyRootFilesystem.yaml # # @@ -78,6 +79,7 @@ spec: memory: 50Mi securityContext: privileged: true + readOnlyRootFilesystem: true terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /var/lib/kubelet/plugins/manila.csi.openstack.org @@ -103,6 +105,8 @@ spec: requests: cpu: 10m memory: 50Mi + securityContext: + readOnlyRootFilesystem: true terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /csi @@ -142,6 +146,7 @@ spec: memory: 50Mi securityContext: privileged: true + readOnlyRootFilesystem: true terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /csi diff --git a/assets/overlays/openstack-manila/generated/standalone/controller.yaml b/assets/overlays/openstack-manila/generated/standalone/controller.yaml index a070905a5..4ee32b697 100644 --- a/assets/overlays/openstack-manila/generated/standalone/controller.yaml +++ b/assets/overlays/openstack-manila/generated/standalone/controller.yaml 
@@ -14,6 +14,7 @@ # pod_network_livenessprobe.yaml: Added arguments [--probe-timeout=10s] # Applied strategic merge patch pod_network_livenessprobe.yaml # Applied strategic merge patch common/standalone/controller_add_affinity.yaml +# Applied strategic merge patch common/readOnlyRootFilesystem.yaml # Applied strategic merge patch overlays/openstack-manila/patches/modify_anti_affinity_selector.yaml # # @@ -103,6 +104,8 @@ spec: requests: cpu: 10m memory: 50Mi + securityContext: + readOnlyRootFilesystem: true terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /plugin @@ -148,6 +151,8 @@ spec: requests: cpu: 10m memory: 50Mi + securityContext: + readOnlyRootFilesystem: true terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /var/lib/csi/sockets/pluginproxy/ @@ -194,6 +199,8 @@ spec: requests: cpu: 10m memory: 50Mi + securityContext: + readOnlyRootFilesystem: true terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /var/lib/csi/sockets/pluginproxy/ @@ -238,6 +245,8 @@ spec: requests: cpu: 10m memory: 50Mi + securityContext: + readOnlyRootFilesystem: true terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /var/lib/csi/sockets/pluginproxy/ @@ -278,6 +287,8 @@ spec: requests: cpu: 10m memory: 50Mi + securityContext: + readOnlyRootFilesystem: true terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /csi diff --git a/assets/overlays/openstack-manila/generated/standalone/node.yaml b/assets/overlays/openstack-manila/generated/standalone/node.yaml index dc7fdbf09..4d75663e0 100644 --- a/assets/overlays/openstack-manila/generated/standalone/node.yaml +++ b/assets/overlays/openstack-manila/generated/standalone/node.yaml 
@@ -7,6 +7,7 @@ # Applied strategic merge patch host_network_livenessprobe.yaml # node_driver_registrar.yaml: Loaded from common/sidecars/node_driver_registrar.yaml # Applied strategic merge patch node_driver_registrar.yaml +# Applied strategic merge patch common/readOnlyRootFilesystem.yaml # # @@ -78,6 +79,7 @@ spec: memory: 50Mi securityContext: privileged: true + readOnlyRootFilesystem: true terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /var/lib/kubelet/plugins/manila.csi.openstack.org @@ -103,6 +105,8 @@ spec: requests: cpu: 10m memory: 50Mi + securityContext: + readOnlyRootFilesystem: true terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /csi @@ -142,6 +146,7 @@ spec: memory: 50Mi securityContext: privileged: true + readOnlyRootFilesystem: true terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /csi diff --git a/assets/overlays/samba/generated/standalone/controller.yaml b/assets/overlays/samba/generated/standalone/controller.yaml index 17dd27a06..868be41e7 100644 --- a/assets/overlays/samba/generated/standalone/controller.yaml +++ b/assets/overlays/samba/generated/standalone/controller.yaml @@ -83,6 +83,7 @@ spec: memory: 20Mi securityContext: privileged: true + readOnlyRootFilesystem: true terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /csi @@ -106,6 +107,8 @@ spec: requests: cpu: 10m memory: 20Mi + securityContext: + readOnlyRootFilesystem: true terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /etc/tls/private @@ -128,6 +131,8 @@ spec: requests: cpu: 10m memory: 50Mi + securityContext: + readOnlyRootFilesystem: true terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /var/lib/csi/sockets/pluginproxy/ 
@@ -174,6 +179,8 @@ spec: requests: cpu: 10m memory: 50Mi + securityContext: + readOnlyRootFilesystem: true terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /var/lib/csi/sockets/pluginproxy/ @@ -214,6 +221,8 @@ spec: requests: cpu: 10m memory: 50Mi + securityContext: + readOnlyRootFilesystem: true terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /csi diff --git a/assets/overlays/samba/generated/standalone/node.yaml b/assets/overlays/samba/generated/standalone/node.yaml index 172de1f45..9ffb65b9a 100644 --- a/assets/overlays/samba/generated/standalone/node.yaml +++ b/assets/overlays/samba/generated/standalone/node.yaml @@ -7,6 +7,7 @@ # host_network_livenessprobe.yaml: Loaded from common/sidecars/host_network_livenessprobe.yaml # host_network_livenessprobe.yaml: Added arguments [--probe-timeout=3s] # Applied strategic merge patch host_network_livenessprobe.yaml +# Applied strategic merge patch common/readOnlyRootFilesystem.yaml # # @@ -65,6 +66,7 @@ spec: memory: 20Mi securityContext: privileged: true + readOnlyRootFilesystem: true terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /csi @@ -107,6 +109,7 @@ spec: memory: 50Mi securityContext: privileged: true + readOnlyRootFilesystem: true terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /csi @@ -126,6 +129,8 @@ spec: requests: cpu: 10m memory: 50Mi + securityContext: + readOnlyRootFilesystem: true terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /csi diff --git a/assets/overlays/samba/patches/controller_add_driver.yaml b/assets/overlays/samba/patches/controller_add_driver.yaml index 1ce09ce17..f2cebff3e 100644 --- a/assets/overlays/samba/patches/controller_add_driver.yaml +++ b/assets/overlays/samba/patches/controller_add_driver.yaml 
@@ -35,6 +35,7 @@ spec:
 - name: CSI_ENDPOINT
 value: unix:///csi/csi.sock
 securityContext:
+ readOnlyRootFilesystem: true
 privileged: true
 volumeMounts:
 - mountPath: /csi
diff --git a/assets/overlays/samba/patches/node_add_driver.yaml b/assets/overlays/samba/patches/node_add_driver.yaml
index fa25051e1..40e4195cd 100644
--- a/assets/overlays/samba/patches/node_add_driver.yaml
+++ b/assets/overlays/samba/patches/node_add_driver.yaml
@@ -35,6 +35,7 @@ spec:
 apiVersion: v1
 fieldPath: spec.nodeName
 securityContext:
+ readOnlyRootFilesystem: true
 privileged: true
 volumeMounts:
 - mountPath: /csi
diff --git a/pkg/driver/aws-ebs/aws_ebs.go b/pkg/driver/aws-ebs/aws_ebs.go
index 2e2e6a6b7..f53f3127e 100644
--- a/pkg/driver/aws-ebs/aws_ebs.go
+++ b/pkg/driver/aws-ebs/aws_ebs.go
@@ -126,6 +126,7 @@ func GetAWSEBSGeneratorConfig() *generator.CSIDriverGeneratorConfig {
 "overlays/aws-ebs/base/storageclass_gp3.yaml",
 "overlays/aws-ebs/base/volumesnapshotclass.yaml",
 ),
+ AssetPatches: commongenerator.DefaultGuestAssetPatches,
 },
 }
 }
diff --git a/pkg/driver/aws-efs/aws_efs.go b/pkg/driver/aws-efs/aws_efs.go
index 1ba227dec..cc76464ba 100644
--- a/pkg/driver/aws-efs/aws_efs.go
+++ b/pkg/driver/aws-efs/aws_efs.go
@@ -81,7 +81,7 @@ func GetAWSEFSGeneratorConfig() *generator.CSIDriverGeneratorConfig {
 "overlays/aws-efs/base/csidriver.yaml",
 "overlays/aws-efs/base/credentials-node.yaml",
 ),
- AssetPatches: generator.NewAssetPatches(generator.StandaloneOnly,
+ AssetPatches: commongenerator.DefaultGuestAssetPatches.WithPatches(generator.StandaloneOnly,
 // Any role or cluster role bindings should not hardcode service account namespace because this operator is OLM based and can be installed into a custom namespace.
 "main_provisioner_binding.yaml", "overlays/aws-efs/patches/binding_with_namespace_placeholder.yaml",
 "lease_leader_election_binding.yaml", "overlays/aws-efs/patches/binding_with_namespace_placeholder.yaml",
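Review bot: `AssetPatches: commongenerator.DefaultGuestAssetPatches.WithPatches(generator.StandaloneOnly, …)` in the aws_efs.go hunk calls WithPatches on a shared package-level value, and the samba.go hunk further down does the same; if WithPatches appends to the receiver's backing slice or otherwise mutates it instead of returning an independent copy, the aws-efs and samba standalone-only patches would leak into the `DefaultGuestAssetPatches` that aws_ebs.go and the other drivers take as-is. WithPatches itself is not in this diff, so this may already be safe, but it is worth confirming with a test that `DefaultGuestAssetPatches` is unchanged after both generator configs have been built. If it does mutate, a constructor function returning a fresh value per call would remove the shared state. The GetAWSEFSGeneratorConfig literal continues outside the hunk.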
diff --git a/pkg/driver/azure-disk/azure_disk.go b/pkg/driver/azure-disk/azure_disk.go
index 46b89febc..b0d03fb51 100644
--- a/pkg/driver/azure-disk/azure_disk.go
+++ b/pkg/driver/azure-disk/azure_disk.go
@@ -144,6 +144,7 @@ func GetAzureDiskGeneratorConfig() *generator.CSIDriverGeneratorConfig {
 "overlays/azure-disk/base/storageclass.yaml",
 "overlays/azure-disk/base/volumesnapshotclass.yaml",
 ),
+ AssetPatches: commongenerator.DefaultGuestAssetPatches,
 },
 }
 }
diff --git a/pkg/driver/azure-file/azure_file.go b/pkg/driver/azure-file/azure_file.go
index 183e106ac..8813cd6e2 100644
--- a/pkg/driver/azure-file/azure_file.go
+++ b/pkg/driver/azure-file/azure_file.go
@@ -118,6 +118,7 @@ func GetAzureFileGeneratorConfig() *generator.CSIDriverGeneratorConfig {
 "overlays/azure-file/base/csi-driver-cluster-role-binding.yaml",
 "overlays/azure-file/base/volumesnapshotclass.yaml",
 ),
+ AssetPatches: commongenerator.DefaultGuestAssetPatches,
 },
 }
 }
diff --git a/pkg/driver/common/generator/base_assets.go b/pkg/driver/common/generator/base_assets.go
index f8eedcd18..5dc48d775 100644
--- a/pkg/driver/common/generator/base_assets.go
+++ b/pkg/driver/common/generator/base_assets.go
@@ -45,6 +45,12 @@ var (
 "controller_sa.yaml", "common/hypershift/controller_sa_pull_secret.yaml",
 "controller.yaml", "common/hypershift/controller_add_affinity_tolerations.yaml",
 "controller.yaml", "common/hypershift/controller_add_kubeconfig_volume.yaml.patch",
+ ).WithPatches(generator.AllFlavours,
+ "controller.yaml", "common/readOnlyRootFilesystem.yaml",
+ )
+
+ DefaultGuestAssetPatches = generator.NewAssetPatches(generator.AllFlavours,
+ "node.yaml", "common/readOnlyRootFilesystem.yaml",
+ )
 )
diff --git a/pkg/driver/openstack-cinder/openstack_cinder.go b/pkg/driver/openstack-cinder/openstack_cinder.go
index 81bdd8126..f7abfe9f6 100644
--- a/pkg/driver/openstack-cinder/openstack_cinder.go
+++ b/pkg/driver/openstack-cinder/openstack_cinder.go
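Review bot: `DefaultGuestAssetPatches` in the base_assets.go hunk is a new exported package-level variable with no doc comment, which Go convention requires for exported names; I'd add `// DefaultGuestAssetPatches holds the asset patches applied to node.yaml in every flavour; driver configs use it directly or extend it with WithPatches.` above the declaration. As rendered, the hunk adds `).WithPatches(generator.AllFlavours,` without showing a removed `)` line, and the counts in `@@ -45,6 +45,12 @@` do not match the visible lines, so this is probably a rendering artifact of the collapsed diff rather than an unbalanced paren, but the raw patch is worth a glance. The enclosing `var (` block begins outside the hunk.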
@@ -87,6 +87,7 @@ func GetOpenStackCinderGeneratorConfig() *generator.CSIDriverGeneratorConfig {
 "overlays/openstack-cinder/base/storageclass.yaml",
 "overlays/openstack-cinder/base/volumesnapshotclass.yaml",
 ),
+ AssetPatches: commongenerator.DefaultGuestAssetPatches,
 },
 }
 }
diff --git a/pkg/driver/openstack-manila/openstack_manila.go b/pkg/driver/openstack-manila/openstack_manila.go
index 40fa1ef98..6610f6e60 100644
--- a/pkg/driver/openstack-manila/openstack_manila.go
+++ b/pkg/driver/openstack-manila/openstack_manila.go
@@ -99,6 +99,7 @@ func GetOpenStackManilaGeneratorConfig() *generator.CSIDriverGeneratorConfig {
 "overlays/openstack-manila/base/volumesnapshotclass.yaml",
 "overlays/openstack-manila/base/node_nfs.yaml",
 ),
+ AssetPatches: commongenerator.DefaultGuestAssetPatches,
 },
 }
 }
diff --git a/pkg/driver/samba/samba.go b/pkg/driver/samba/samba.go
index a8d9e0ee2..bed76739b 100644
--- a/pkg/driver/samba/samba.go
+++ b/pkg/driver/samba/samba.go
@@ -83,7 +83,7 @@ func GetSambaGeneratorConfig() *generator.CSIDriverGeneratorConfig {
 "overlays/samba/base/csi-driver-cluster-role.yaml",
 "overlays/samba/base/csi-driver-cluster-role-binding.yaml",
 ),
- AssetPatches: generator.NewAssetPatches(generator.StandaloneOnly,
+ AssetPatches: commongenerator.DefaultGuestAssetPatches.WithPatches(generator.StandaloneOnly,
 // Any role or cluster role bindings should not hardcode service account namespace because this operator is OLM based and can be installed into a custom namespace.
 "main_provisioner_binding.yaml", "overlays/samba/patches/binding_with_namespace_placeholder_controller.yaml",
 "lease_leader_election_binding.yaml", "overlays/samba/patches/binding_with_namespace_placeholder_controller.yaml",