diff --git a/assets/common/sidecars/attacher.yaml b/assets/common/sidecars/attacher.yaml
index 194e755f2..063e2474c 100644
--- a/assets/common/sidecars/attacher.yaml
+++ b/assets/common/sidecars/attacher.yaml
@@ -29,6 +29,8 @@ spec:
 cpu: 10m
 terminationMessagePolicy: FallbackToLogsOnError
 - name: attacher-kube-rbac-proxy
+ securityContext:
+ readOnlyRootFilesystem: true
 args:
 - --secure-listen-address=0.0.0.0:${EXPOSED_METRICS_PORT}
 - --upstream=http://127.0.0.1:${LOCAL_METRICS_PORT}/
diff --git a/assets/common/sidecars/provisioner.yaml b/assets/common/sidecars/provisioner.yaml
index 6475cff42..84842d9cf 100644
--- a/assets/common/sidecars/provisioner.yaml
+++ b/assets/common/sidecars/provisioner.yaml
@@ -29,6 +29,8 @@ spec:
 cpu: 10m
 terminationMessagePolicy: FallbackToLogsOnError
 - name: provisioner-kube-rbac-proxy
+ securityContext:
+ readOnlyRootFilesystem: true
 args:
 - --secure-listen-address=0.0.0.0:${EXPOSED_METRICS_PORT}
 - --upstream=http://127.0.0.1:${LOCAL_METRICS_PORT}/
diff --git a/assets/common/sidecars/resizer.yaml b/assets/common/sidecars/resizer.yaml
index 5fa3a1224..da91440f3 100644
--- a/assets/common/sidecars/resizer.yaml
+++ b/assets/common/sidecars/resizer.yaml
@@ -29,6 +29,8 @@ spec:
 cpu: 10m
 terminationMessagePolicy: FallbackToLogsOnError
 - name: resizer-kube-rbac-proxy
+ securityContext:
+ readOnlyRootFilesystem: true
 args:
 - --secure-listen-address=0.0.0.0:${EXPOSED_METRICS_PORT}
 - --upstream=http://127.0.0.1:${LOCAL_METRICS_PORT}/
diff --git a/assets/common/sidecars/snapshotter.yaml b/assets/common/sidecars/snapshotter.yaml
index dc9b203d6..9e0cbe169 100644
--- a/assets/common/sidecars/snapshotter.yaml
+++ b/assets/common/sidecars/snapshotter.yaml
@@ -29,6 +29,8 @@ spec:
 cpu: 10m
 terminationMessagePolicy: FallbackToLogsOnError
 - name: snapshotter-kube-rbac-proxy
+ securityContext:
+ readOnlyRootFilesystem: true
 args:
 - --secure-listen-address=0.0.0.0:${EXPOSED_METRICS_PORT}
 - --upstream=http://127.0.0.1:${LOCAL_METRICS_PORT}/
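Review bot: The securityContext added to attacher-kube-rbac-proxy carries only readOnlyRootFilesystem, and since this is the hand-maintained container source rather than generated output it is the natural place to pin the remaining container-level restrictions in the same block, e.g. `allowPrivilegeEscalation: false` and `capabilities: {drop: [ALL]}`, provided ${EXPOSED_METRICS_PORT} is not a port that needs NET_BIND_SERVICE. The hunk does not show the container's volumeMounts, so I am assuming the proxy's TLS material comes from a mounted volume as it appears to in the generated controllers later in this diff; kube-rbac-proxy should then have no reason to write to its rootfs. The identical change in provisioner.yaml, resizer.yaml and snapshotter.yaml gets the same remark, and each container definition continues past its hunk.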
diff --git a/assets/overlays/aws-ebs/generated/hypershift/controller.yaml b/assets/overlays/aws-ebs/generated/hypershift/controller.yaml
index 771ec4155..638e58762 100644
--- a/assets/overlays/aws-ebs/generated/hypershift/controller.yaml
+++ b/assets/overlays/aws-ebs/generated/hypershift/controller.yaml
@@ -226,6 +226,8 @@ spec:
 requests:
 cpu: 10m
 memory: 20Mi
+ securityContext:
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /etc/tls/private
@@ -282,6 +284,8 @@ spec:
 requests:
 cpu: 10m
 memory: 20Mi
+ securityContext:
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /etc/tls/private
@@ -338,6 +342,8 @@ spec:
 requests:
 cpu: 10m
 memory: 20Mi
+ securityContext:
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /etc/tls/private
@@ -394,6 +400,8 @@ spec:
 requests:
 cpu: 10m
 memory: 20Mi
+ securityContext:
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /etc/tls/private
@@ -433,6 +441,8 @@ spec:
 requests:
 cpu: 10m
 memory: 10Mi
+ securityContext:
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /var/run/secrets/openshift/serviceaccount
diff --git a/assets/overlays/aws-ebs/generated/standalone/controller.yaml b/assets/overlays/aws-ebs/generated/standalone/controller.yaml
index b34bd2df6..b52e1d551 100644
--- a/assets/overlays/aws-ebs/generated/standalone/controller.yaml
+++ b/assets/overlays/aws-ebs/generated/standalone/controller.yaml
@@ -186,6 +186,8 @@ spec:
 requests:
 cpu: 10m
 memory: 20Mi
+ securityContext:
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /etc/tls/private
@@ -236,6 +238,8 @@ spec:
 requests:
 cpu: 10m
 memory: 20Mi
+ securityContext:
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /etc/tls/private
@@ -286,6 +290,8 @@ spec:
 requests:
 cpu: 10m
 memory: 20Mi
+ securityContext:
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /etc/tls/private
@@ -336,6 +342,8 @@ spec:
 requests:
 cpu: 10m
 memory: 20Mi
+ securityContext:
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /etc/tls/private
diff --git a/assets/overlays/aws-ebs/patches/controller_add_hypershift_controller_minter.yaml b/assets/overlays/aws-ebs/patches/controller_add_hypershift_controller_minter.yaml
index 5d6da65ce..e2d5e3478 100644
--- a/assets/overlays/aws-ebs/patches/controller_add_hypershift_controller_minter.yaml
+++ b/assets/overlays/aws-ebs/patches/controller_add_hypershift_controller_minter.yaml
@@ -6,6 +6,8 @@ spec:
 - name: csi-driver
 - name: token-minter
+ securityContext:
+ readOnlyRootFilesystem: true
 args:
 - --service-account-namespace=openshift-cluster-csi-drivers
 - --service-account-name=aws-ebs-csi-driver-controller-sa
diff --git a/assets/overlays/aws-efs/generated/standalone/controller.yaml b/assets/overlays/aws-efs/generated/standalone/controller.yaml
index fd8eca5b5..eb6308617 100644
--- a/assets/overlays/aws-efs/generated/standalone/controller.yaml
+++ b/assets/overlays/aws-efs/generated/standalone/controller.yaml
@@ -145,6 +145,8 @@ spec:
 requests:
 cpu: 10m
 memory: 20Mi
+ securityContext:
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /etc/tls/private
diff --git a/assets/overlays/azure-disk/generated/hypershift/controller.yaml b/assets/overlays/azure-disk/generated/hypershift/controller.yaml
index 66c8d1bbb..8439e2a42 100644
--- a/assets/overlays/azure-disk/generated/hypershift/controller.yaml
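Review bot: token-minter presumably writes the token it mints to a file, and the hunk in controller_add_hypershift_controller_minter.yaml does not show where that file lives; with readOnlyRootFilesystem: true on the container the destination must be a volumeMount, otherwise the container will start failing at its first write. The generated hypershift controller earlier in this diff mounts /var/run/secrets/openshift/serviceaccount on a container that receives the same setting, which suggests the output does go to a volume, but the patch should say so — a comment above the new block such as `# token output must land on a volumeMount; the rootfs is read-only` records the assumption for the next editor. The token-minter container definition continues past the hunk.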
+++ b/assets/overlays/azure-disk/generated/hypershift/controller.yaml
@@ -221,6 +221,8 @@ spec:
 requests:
 cpu: 10m
 memory: 20Mi
+ securityContext:
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /etc/tls/private
@@ -277,6 +279,8 @@ spec:
 requests:
 cpu: 10m
 memory: 20Mi
+ securityContext:
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /etc/tls/private
@@ -331,6 +335,8 @@ spec:
 requests:
 cpu: 10m
 memory: 20Mi
+ securityContext:
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /etc/tls/private
@@ -384,6 +390,8 @@ spec:
 requests:
 cpu: 10m
 memory: 20Mi
+ securityContext:
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /etc/tls/private
diff --git a/assets/overlays/azure-disk/generated/standalone/controller.yaml b/assets/overlays/azure-disk/generated/standalone/controller.yaml
index 4da258cb2..4ec37731c 100644
--- a/assets/overlays/azure-disk/generated/standalone/controller.yaml
+++ b/assets/overlays/azure-disk/generated/standalone/controller.yaml
@@ -182,6 +182,8 @@ spec:
 requests:
 cpu: 10m
 memory: 20Mi
+ securityContext:
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /etc/tls/private
@@ -232,6 +234,8 @@ spec:
 requests:
 cpu: 10m
 memory: 20Mi
+ securityContext:
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /etc/tls/private
@@ -280,6 +284,8 @@ spec:
 requests:
 cpu: 10m
 memory: 20Mi
+ securityContext:
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /etc/tls/private
@@ -327,6 +333,8 @@ spec:
 requests:
 cpu: 10m
 memory: 20Mi
+ securityContext:
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /etc/tls/private
diff --git a/assets/overlays/azure-file/generated/hypershift/controller.yaml b/assets/overlays/azure-file/generated/hypershift/controller.yaml
index 20090fc5d..dd681bbf2 100644
--- a/assets/overlays/azure-file/generated/hypershift/controller.yaml
+++ b/assets/overlays/azure-file/generated/hypershift/controller.yaml
@@ -232,6 +232,8 @@ spec:
 requests:
 cpu: 10m
 memory: 20Mi
+ securityContext:
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /etc/tls/private
@@ -285,6 +287,8 @@ spec:
 requests:
 cpu: 10m
 memory: 20Mi
+ securityContext:
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /etc/tls/private
@@ -339,6 +343,8 @@ spec:
 requests:
 cpu: 10m
 memory: 20Mi
+ securityContext:
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /etc/tls/private
@@ -392,6 +398,8 @@ spec:
 requests:
 cpu: 10m
 memory: 20Mi
+ securityContext:
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /etc/tls/private
diff --git a/assets/overlays/azure-file/generated/standalone/controller.yaml b/assets/overlays/azure-file/generated/standalone/controller.yaml
index e6aec7062..94104a379 100644
--- a/assets/overlays/azure-file/generated/standalone/controller.yaml
+++ b/assets/overlays/azure-file/generated/standalone/controller.yaml
@@ -186,6 +186,8 @@ spec:
 requests:
 cpu: 10m
 memory: 20Mi
+ securityContext:
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /etc/tls/private
@@ -233,6 +235,8 @@ spec:
 requests:
 cpu: 10m
 memory: 20Mi
+ securityContext:
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /etc/tls/private
@@ -281,6 +285,8 @@ spec:
 requests:
 cpu: 10m
 memory: 20Mi
+ securityContext:
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /etc/tls/private
@@ -328,6 +334,8 @@ spec:
 requests:
 cpu: 10m
 memory: 20Mi
+ securityContext:
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /etc/tls/private
diff --git a/assets/overlays/openstack-cinder/generated/hypershift/controller.yaml b/assets/overlays/openstack-cinder/generated/hypershift/controller.yaml
index 5469d033a..5a8968a0a 100644
--- a/assets/overlays/openstack-cinder/generated/hypershift/controller.yaml
+++ b/assets/overlays/openstack-cinder/generated/hypershift/controller.yaml
@@ -223,6 +223,8 @@ spec:
 requests:
 cpu: 10m
 memory: 20Mi
+ securityContext:
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /etc/tls/private
@@ -276,6 +278,8 @@ spec:
 requests:
 cpu: 10m
 memory: 20Mi
+ securityContext:
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /etc/tls/private
@@ -328,6 +332,8 @@ spec:
 requests:
 cpu: 10m
 memory: 20Mi
+ securityContext:
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /etc/tls/private
@@ -380,6 +386,8 @@ spec:
 requests:
 cpu: 10m
 memory: 20Mi
+ securityContext:
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /etc/tls/private
diff --git a/assets/overlays/openstack-cinder/generated/standalone/controller.yaml b/assets/overlays/openstack-cinder/generated/standalone/controller.yaml
index 4b5d0b812..983573f3d 100644
--- a/assets/overlays/openstack-cinder/generated/standalone/controller.yaml
+++ b/assets/overlays/openstack-cinder/generated/standalone/controller.yaml
@@ -183,6 +183,8 @@ spec:
 requests:
 cpu: 10m
 memory: 20Mi
+ securityContext:
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /etc/tls/private
@@ -230,6 +232,8 @@ spec:
 requests:
 cpu: 10m
 memory: 20Mi
+ securityContext:
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /etc/tls/private
@@ -276,6 +280,8 @@ spec:
 requests:
 cpu: 10m
 memory: 20Mi
+ securityContext:
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /etc/tls/private
@@ -322,6 +328,8 @@ spec:
 requests:
 cpu: 10m
 memory: 20Mi
+ securityContext:
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /etc/tls/private
diff --git a/assets/overlays/openstack-manila/base/node_nfs.yaml b/assets/overlays/openstack-manila/base/node_nfs.yaml
index 2b0caad38..cacaedf61 100644
--- a/assets/overlays/openstack-manila/base/node_nfs.yaml
+++ b/assets/overlays/openstack-manila/base/node_nfs.yaml
@@ -31,6 +31,7 @@ spec:
 - name: csi-driver
 securityContext:
 privileged: true
+ readOnlyRootFilesystem: true
 image: ${NFS_DRIVER_IMAGE}
 resources:
 requests:
diff --git a/assets/overlays/openstack-manila/generated/hypershift/controller.yaml b/assets/overlays/openstack-manila/generated/hypershift/controller.yaml
index 7ab727ad2..f48440702 100644
--- a/assets/overlays/openstack-manila/generated/hypershift/controller.yaml
+++ b/assets/overlays/openstack-manila/generated/hypershift/controller.yaml
@@ -162,6 +162,8 @@ spec:
 requests:
 cpu: 10m
 memory: 50Mi
+ securityContext:
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /plugin
@@ -216,6 +218,8 @@ spec:
 requests:
 cpu: 10m
 memory: 20Mi
+ securityContext:
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /etc/tls/private
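Review bot: In base/node_nfs.yaml, readOnlyRootFilesystem: true is added directly under privileged: true on csi-driver, and for a privileged container the setting is only a weak guard — such a process keeps the capabilities needed to alter its own mounts — so it mainly catches accidental writes rather than enforcing a boundary. It is still worth keeping, but confirm that the NFS driver image writes nothing to its rootfs at runtime (lock files, /tmp, mount-helper state), which is the usual failure mode for this change; an emptyDir mounted at the offending path is the standard accommodation if it does. A one-line comment above the field, e.g. `# read-only rootfs is defense-in-depth only here: the container is privileged`, would make the intent explicit to the next reader. The generated node_nfs.yaml copies later in the diff carry the same change and inherit the same caveat; the csi-driver container definition continues past the hunk.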
@@ -270,6 +274,8 @@ spec:
 requests:
 cpu: 10m
 memory: 20Mi
+ securityContext:
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /etc/tls/private
@@ -322,6 +328,8 @@ spec:
 requests:
 cpu: 10m
 memory: 20Mi
+ securityContext:
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /etc/tls/private
diff --git a/assets/overlays/openstack-manila/generated/hypershift/node_nfs.yaml b/assets/overlays/openstack-manila/generated/hypershift/node_nfs.yaml
index 4678a1ba2..8368633a0 100644
--- a/assets/overlays/openstack-manila/generated/hypershift/node_nfs.yaml
+++ b/assets/overlays/openstack-manila/generated/hypershift/node_nfs.yaml
@@ -42,6 +42,7 @@ spec:
 memory: 50Mi
 securityContext:
 privileged: true
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /plugin
diff --git a/assets/overlays/openstack-manila/generated/standalone/controller.yaml b/assets/overlays/openstack-manila/generated/standalone/controller.yaml
index 4ee32b697..18fc03f5f 100644
--- a/assets/overlays/openstack-manila/generated/standalone/controller.yaml
+++ b/assets/overlays/openstack-manila/generated/standalone/controller.yaml
@@ -128,6 +128,8 @@ spec:
 requests:
 cpu: 10m
 memory: 50Mi
+ securityContext:
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /plugin
@@ -176,6 +178,8 @@ spec:
 requests:
 cpu: 10m
 memory: 20Mi
+ securityContext:
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /etc/tls/private
@@ -224,6 +228,8 @@ spec:
 requests:
 cpu: 10m
 memory: 20Mi
+ securityContext:
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /etc/tls/private
@@ -270,6 +276,8 @@ spec:
 requests:
 cpu: 10m
 memory: 20Mi
+ securityContext:
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /etc/tls/private
diff --git a/assets/overlays/openstack-manila/generated/standalone/node_nfs.yaml b/assets/overlays/openstack-manila/generated/standalone/node_nfs.yaml
index 4678a1ba2..8368633a0 100644
--- a/assets/overlays/openstack-manila/generated/standalone/node_nfs.yaml
+++ b/assets/overlays/openstack-manila/generated/standalone/node_nfs.yaml
@@ -42,6 +42,7 @@ spec:
 memory: 50Mi
 securityContext:
 privileged: true
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /plugin
diff --git a/assets/overlays/openstack-manila/patches/controller_add_driver.yaml b/assets/overlays/openstack-manila/patches/controller_add_driver.yaml
index 0b30487ab..a3a9f7ec0 100644
--- a/assets/overlays/openstack-manila/patches/controller_add_driver.yaml
+++ b/assets/overlays/openstack-manila/patches/controller_add_driver.yaml
@@ -89,6 +89,8 @@ spec:
 terminationMessagePolicy: FallbackToLogsOnError
 # TODO: fix manila CSI driver not to require NFS driver socket!
 - name: csi-driver-nfs
+ securityContext:
+ readOnlyRootFilesystem: true
 image: ${NFS_DRIVER_IMAGE}
 imagePullPolicy: IfNotPresent
 args:
diff --git a/assets/overlays/samba/generated/standalone/controller.yaml b/assets/overlays/samba/generated/standalone/controller.yaml
index 6ab88e976..b868c1039 100644
--- a/assets/overlays/samba/generated/standalone/controller.yaml
+++ b/assets/overlays/samba/generated/standalone/controller.yaml
@@ -160,6 +160,8 @@ spec:
 requests:
 cpu: 10m
 memory: 20Mi
+ securityContext:
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /etc/tls/private
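Review bot: In controller_add_driver.yaml, csi-driver-nfs gets readOnlyRootFilesystem: true, but the hunk shows neither its volumeMounts nor any other securityContext field, so nothing here establishes whether the driver has a writable location for runtime state, and nothing in the hunk marks this container privileged, so a write to its rootfs would fail outright. Please verify against the ${NFS_DRIVER_IMAGE} image (an emptyDir mounted at whatever path it writes to is the usual accommodation) and record the outcome next to the existing TODO line, e.g. `# rootfs is read-only; the driver must write only to mounted volumes`. The container definition continues past the hunk.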
@@ -208,6 +210,8 @@ spec:
 requests:
 cpu: 10m
 memory: 20Mi
+ securityContext:
+ readOnlyRootFilesystem: true
 terminationMessagePolicy: FallbackToLogsOnError
 volumeMounts:
 - mountPath: /etc/tls/private