Merge pull request #392 from dusk125/rofs

openshift-merge-bot[bot] · web-flow · commit dfaeb8d5fdf1 · 2025-07-17T17:41:45.000Z
CNTRLPLANE-926: Add readonlyRootFilesystem
diff --git a/bindata/assets/openshift-controller-manager/deploy.yaml b/bindata/assets/openshift-controller-manager/deploy.yaml
@@ -47,6 +47,7 @@ spec:
       containers:
       - name: controller-manager
         securityContext:
+          readOnlyRootFilesystem: true
           allowPrivilegeEscalation: false
           capabilities:
             drop:
@@ -89,6 +90,8 @@ spec:
           name: serving-cert
         - mountPath: /etc/pki/ca-trust/extracted/pem
           name: proxy-ca-bundles
+        - mountPath: /tmp
+          name: tmp
       volumes:
       - name: config
         configMap:
@@ -105,6 +108,8 @@ spec:
           items:
             - key: ca-bundle.crt
               path: tls-ca-bundle.pem
+      - emptyDir: {}
+        name: tmp
       nodeSelector:
         node-role.kubernetes.io/master: ""
       tolerations:
diff --git a/bindata/assets/openshift-controller-manager/route-controller-manager-deploy.yaml b/bindata/assets/openshift-controller-manager/route-controller-manager-deploy.yaml
@@ -37,6 +37,7 @@ spec:
       containers:
       - name: route-controller-manager
         securityContext:
+          readOnlyRootFilesystem: true
           allowPrivilegeEscalation: false
           capabilities:
             drop:
@@ -65,6 +66,8 @@ spec:
           name: client-ca
         - mountPath: /var/run/secrets/serving-cert
           name: serving-cert
+        - mountPath: /tmp
+          name: tmp
         livenessProbe:
           initialDelaySeconds: 30
           httpGet:
@@ -87,6 +90,8 @@ spec:
       - name: serving-cert
         secret:
           secretName: serving-cert
+      - emptyDir: {}
+        name: tmp
       nodeSelector:
         node-role.kubernetes.io/master: ""
       tolerations:
diff --git a/manifests/09_deployment.yaml b/manifests/09_deployment.yaml
@@ -33,6 +33,7 @@ spec:
       - name: openshift-controller-manager-operator
         securityContext:
           allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
           capabilities:
             drop: ["ALL"]
         image: docker.io/openshift/origin-cluster-openshift-controller-manager-operator:v4.0
@@ -53,6 +54,8 @@ spec:
           name: config
         - mountPath: /var/run/secrets/serving-cert
           name: serving-cert
+        - mountPath: /tmp
+          name: tmp
         env:
         - name: RELEASE_VERSION
           value: "0.0.1-snapshot"
@@ -75,6 +78,8 @@ spec:
       - name: config
         configMap:
           name: openshift-controller-manager-operator-config
+      - emptyDir: {}
+        name: tmp
       nodeSelector:
         node-role.kubernetes.io/master: ""
       priorityClassName: "system-cluster-critical"
