OTA-1480: Add readonlyRootFilesystem

[dusk125]

No description provided.

[openshift-ci-robot]

@dusk125: This pull request references OTA-1480 which is a valid jira issue.

Details

In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[dusk125]

/retest-required

[jacobsee]

/lgtm

[dusk125]

/assign @DavidHurta

[petr-muller]

Should the init containers (L236-L262) have this too? If not, can the commit + pr description contain reasoning for that?.

Or even better, change the setContainerDefaults to default to true so that the right thing is default and whatever needs a false would need to override?

[dusk125]

Yeah it wouldn't hurt to have everything as read only and only turn off what explicitly needs it.

[dusk125]

So looks like the init containers (specifically move-operator-manifests-to-temporary-directory, move-release-manifests-to-temporary-directory) do need to write to the filesystem as they do a file move on the /manifests and /release-manifests directories.

The destination is a volume mount so there's no issue there, but since they're moving the filesystem, they can't delete the files in the source directories as those are built into the container image.

[dusk125]

So I'm thinking I either remove the read only filesystem from those init containers or I change them to copy instead of move and leave read only enabled on all. Do you have a preference @petr-muller ?

[petr-muller]

Thanks!

[jacobsee]

/retest-required

[jacobsee]

/retest-required

[ShazaAldawamneh]

/retest-required

[gangwgr]

/qe-approved

[gangwgr]

/label qe-approved

[jiajliu]

/label qe-approved

/label qe-approved

[openshift-ci-robot]

@dusk125: This pull request references OTA-1480 which is a valid jira issue.

Details

In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[dusk125]

/hold
for questions to Petr

[dusk125]

@petr-muller if you have a chance to review again, please see my comments about the "move" containers.

[dusk125]

/retest

[hongkailiu]

/retest

[dusk125]

/retest

[dusk125]

/test e2e-agnostic-operator-devpreview

[dusk125]

/hold cancel

[wking]

/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dusk125, jacobsee, petr-muller, wking

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [petr-muller,wking]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

@dusk125: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-agnostic-operator-devpreview	4e5f950	link	false	/test e2e-agnostic-operator-devpreview

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[openshift-bot]

[ART PR BUILD NOTIFIER]

Distgit: cluster-version-operator
This PR has been included in build cluster-version-operator-container-v4.20.0-202507310219.p0.ga7d6e43.assembly.stream.el9.
All builds following this will include this PR.