openshift
diff --git a/‎assets/csidriveroperators/aws-ebs/base/09_deployment.yaml‎
Lines changed: 17 additions & 0 deletions b/‎assets/csidriveroperators/aws-ebs/base/09_deployment.yaml‎
Lines changed: 17 additions & 0 deletions
diff --git a/‎assets/csidriveroperators/aws-ebs/hypershift/mgmt/deployment.patch.yaml‎
Lines changed: 2 additions & 0 deletions b/‎assets/csidriveroperators/aws-ebs/hypershift/mgmt/deployment.patch.yaml‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎assets/csidriveroperators/aws-ebs/hypershift/mgmt/generated/apps_v1_deployment_aws-ebs-csi-driver-operator.yaml‎
Lines changed: 15 additions & 0 deletions b/‎assets/csidriveroperators/aws-ebs/hypershift/mgmt/generated/apps_v1_deployment_aws-ebs-csi-driver-operator.yaml‎
Lines changed: 15 additions & 0 deletions
diff --git a/‎assets/csidriveroperators/aws-ebs/standalone/generated/apps_v1_deployment_aws-ebs-csi-driver-operator.yaml‎
Lines changed: 17 additions & 0 deletions b/‎assets/csidriveroperators/aws-ebs/standalone/generated/apps_v1_deployment_aws-ebs-csi-driver-operator.yaml‎
Lines changed: 17 additions & 0 deletions
diff --git a/‎assets/csidriveroperators/azure-disk/base/08_deployment.yaml‎
Lines changed: 17 additions & 0 deletions b/‎assets/csidriveroperators/azure-disk/base/08_deployment.yaml‎
Lines changed: 17 additions & 0 deletions
diff --git a/‎assets/csidriveroperators/azure-disk/hypershift/mgmt/deployment.patch.yaml‎
Lines changed: 5 additions & 0 deletions b/‎assets/csidriveroperators/azure-disk/hypershift/mgmt/deployment.patch.yaml‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎assets/csidriveroperators/azure-disk/hypershift/mgmt/generated/apps_v1_deployment_azure-disk-csi-driver-operator.yaml‎
Lines changed: 16 additions & 0 deletions b/‎assets/csidriveroperators/azure-disk/hypershift/mgmt/generated/apps_v1_deployment_azure-disk-csi-driver-operator.yaml‎
Lines changed: 16 additions & 0 deletions
diff --git a/‎assets/csidriveroperators/azure-disk/standalone/generated/apps_v1_deployment_azure-disk-csi-driver-operator.yaml‎
Lines changed: 17 additions & 0 deletions b/‎assets/csidriveroperators/azure-disk/standalone/generated/apps_v1_deployment_azure-disk-csi-driver-operator.yaml‎
Lines changed: 17 additions & 0 deletions
diff --git a/‎assets/csidriveroperators/azure-file-original/03_sa.yaml‎
Lines changed: 0 additions & 5 deletions b/‎assets/csidriveroperators/azure-file-original/03_sa.yaml‎
Lines changed: 0 additions & 5 deletions
diff --git a/‎assets/csidriveroperators/azure-file-original/04_role.yaml‎
Lines changed: 0 additions & 67 deletions b/‎assets/csidriveroperators/azure-file-original/04_role.yaml‎
Lines changed: 0 additions & 67 deletions
@@ -56,4 +56,21 @@ spec:
             memory: 50Mi
             cpu: 10m
         terminationMessagePolicy: FallbackToLogsOnError
+        securityContext:
+          readOnlyRootFilesystem: true
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+        volumeMounts:
+        - mountPath: /tmp
+          name: tmp
       serviceAccountName: aws-ebs-csi-driver-operator
+      securityContext:
+        runAsNonRoot: true
+        seccompProfile:
+          type: RuntimeDefault
+      volumes:
+      - name: tmp
+        emptyDir:
+          medium: Memory
@@ -50,6 +50,8 @@ spec:
           - mountPath: /var/run/secrets/openshift/serviceaccount
             name: web-identity-token
         terminationMessagePolicy: FallbackToLogsOnError
+        securityContext:
+          readOnlyRootFilesystem: false
       priorityClassName: hypershift-control-plane
       tolerations:
         - key: CriticalAddonsOnly
 
@@ -109,13 +109,25 @@ spec:
           requests:
             cpu: 10m
             memory: 50Mi
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          readOnlyRootFilesystem: false
         terminationMessagePolicy: FallbackToLogsOnError
         volumeMounts:
         - mountPath: /etc/guest-kubeconfig
           name: guest-kubeconfig
         - mountPath: /var/run/secrets/openshift/serviceaccount
           name: web-identity-token
+        - mountPath: /tmp
+          name: tmp
       priorityClassName: hypershift-control-plane
+      securityContext:
+        runAsNonRoot: true
+        seccompProfile:
+          type: RuntimeDefault
       serviceAccountName: aws-ebs-csi-driver-operator
       tolerations:
       - key: CriticalAddonsOnly
@@ -138,3 +150,6 @@ spec:
       - name: guest-kubeconfig
         secret:
           secretName: service-network-admin-kubeconfig
+      - emptyDir:
+          medium: Memory
+        name: tmp
@@ -56,14 +56,31 @@ spec:
           requests:
             cpu: 10m
             memory: 50Mi
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          readOnlyRootFilesystem: true
         terminationMessagePolicy: FallbackToLogsOnError
+        volumeMounts:
+        - mountPath: /tmp
+          name: tmp
       nodeSelector:
         node-role.kubernetes.io/master: ""
       priorityClassName: system-cluster-critical
+      securityContext:
+        runAsNonRoot: true
+        seccompProfile:
+          type: RuntimeDefault
       serviceAccountName: aws-ebs-csi-driver-operator
       tolerations:
       - key: CriticalAddonsOnly
         operator: Exists
       - effect: NoSchedule
         key: node-role.kubernetes.io/master
         operator: Exists
+      volumes:
+      - emptyDir:
+          medium: Memory
+        name: tmp
@@ -57,4 +57,21 @@ spec:
             memory: 50Mi
             cpu: 10m
         terminationMessagePolicy: FallbackToLogsOnError
+        securityContext:
+          readOnlyRootFilesystem: true
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+        volumeMounts:
+        - mountPath: /tmp
+          name: tmp
       serviceAccountName: azure-disk-csi-driver-operator
+      securityContext:
+        runAsNonRoot: true
+        seccompProfile:
+          type: RuntimeDefault
+      volumes:
+      - name: tmp
+        emptyDir:
+          medium: Memory
@@ -56,8 +56,13 @@ spec:
         volumeMounts:
           - mountPath: /etc/guest-kubeconfig
             name: guest-kubeconfig
+        securityContext:
+          readOnlyRootFilesystem: false
       priorityClassName: hypershift-control-plane
       volumes:
         - name: guest-kubeconfig
           secret:
             secretName: service-network-admin-kubeconfig
+      securityContext:
+        # Hypershift on AKS does not support SCC and needs a specific user ID
+        runAsUser: 1001
@@ -88,11 +88,24 @@ spec:
           requests:
             cpu: 10m
             memory: 50Mi
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          readOnlyRootFilesystem: false
         terminationMessagePolicy: FallbackToLogsOnError
         volumeMounts:
         - mountPath: /etc/guest-kubeconfig
           name: guest-kubeconfig
+        - mountPath: /tmp
+          name: tmp
       priorityClassName: hypershift-control-plane
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 1001
+        seccompProfile:
+          type: RuntimeDefault
       serviceAccountName: azure-disk-csi-driver-operator
       tolerations:
       - key: CriticalAddonsOnly
@@ -109,3 +122,6 @@ spec:
       - name: guest-kubeconfig
         secret:
           secretName: service-network-admin-kubeconfig
+      - emptyDir:
+          medium: Memory
+        name: tmp
@@ -56,14 +56,31 @@ spec:
           requests:
             cpu: 10m
             memory: 50Mi
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          readOnlyRootFilesystem: true
         terminationMessagePolicy: FallbackToLogsOnError
+        volumeMounts:
+        - mountPath: /tmp
+          name: tmp
       nodeSelector:
         node-role.kubernetes.io/master: ""
       priorityClassName: system-cluster-critical
+      securityContext:
+        runAsNonRoot: true
+        seccompProfile:
+          type: RuntimeDefault
       serviceAccountName: azure-disk-csi-driver-operator
       tolerations:
       - key: CriticalAddonsOnly
         operator: Exists
       - effect: NoSchedule
         key: node-role.kubernetes.io/master
         operator: Exists
+      volumes:
+      - emptyDir:
+          medium: Memory
+        name: tmp