From 29c40d9bad7112ab60089cf8d894c08d47ff1dbc Mon Sep 17 00:00:00 2001 From: Andreas Bleischwitz Date: Wed, 4 Mar 2026 19:46:43 +0100 Subject: [PATCH 1/2] Enable readOnlyRootFilesystem for console and download pod, add /tmp emptyDir volume --- .../deployments/console-deployment.yaml | 2 +- .../deployments/downloads-deployment.yaml | 6 +++++ .../subresource/deployment/deployment.go | 17 +++++++++++- .../subresource/deployment/deployment_test.go | 26 +++++++++++++++++++ 4 files changed, 49 insertions(+), 2 deletions(-) diff --git a/bindata/assets/deployments/console-deployment.yaml b/bindata/assets/deployments/console-deployment.yaml index 80a08116d3..0189d3a0ea 100644 --- a/bindata/assets/deployments/console-deployment.yaml +++ b/bindata/assets/deployments/console-deployment.yaml @@ -47,7 +47,7 @@ spec: - "25" name: console securityContext: - readOnlyRootFilesystem: false + readOnlyRootFilesystem: true allowPrivilegeEscalation: false capabilities: drop: diff --git a/bindata/assets/deployments/downloads-deployment.yaml b/bindata/assets/deployments/downloads-deployment.yaml index dc3c695a57..579acc8bea 100644 --- a/bindata/assets/deployments/downloads-deployment.yaml +++ b/bindata/assets/deployments/downloads-deployment.yaml @@ -54,6 +54,9 @@ spec: capabilities: drop: - ALL + volumeMounts: + - mountPath: /tmp + name: tmp command: - /bin/sh livenessProbe: @@ -261,6 +264,9 @@ spec: time.sleep(9e9) EOF exec python3 /tmp/serve.py + volumes: + - name: tmp + emptyDir: {} tolerations: - key: node-role.kubernetes.io/master operator: Exists diff --git a/pkg/console/subresource/deployment/deployment.go b/pkg/console/subresource/deployment/deployment.go index 542df12a4c..1d19a5ea58 100644 --- a/pkg/console/subresource/deployment/deployment.go +++ b/pkg/console/subresource/deployment/deployment.go 
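Review bot: With `readOnlyRootFilesystem: true` on the `console` container, the only writable path left is the `/tmp` emptyDir, and nothing in this template declares it — it comes from the `tmp` entry `defaultVolumeConfig()` adds in deployment.go, which `withConsoleVolumes` writes into `Spec.Template.Spec.Volumes`. That coupling is invisible to anyone editing the yaml, so a comment next to the flag would help: `# /tmp is mounted as an emptyDir by withConsoleVolumes (pkg/console/subresource/deployment/deployment.go); everything else is read-only`. Whether the console binary writes anywhere other than /tmp at runtime is not visible in this patch and is worth confirming before relying on the read-only root.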
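Review bot: The new `tmp` emptyDir in the downloads pod is unbounded: once the root filesystem is read-only, `/tmp` is the only place the download-server process can write, and an emptyDir without `sizeLimit` is backed by the node's ephemeral storage, so a misbehaving or compromised server could fill the node's disk. Bound it, e.g. `emptyDir:` / `  sizeLimit: 64Mi`, or use `medium: Memory` if the only content is the generated script. The context lines show the container writing a heredoc and then running `exec python3 /tmp/serve.py`, so a small limit should suffice, but the chosen size should be checked against anything else that server writes under /tmp.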
@@ -58,9 +58,10 @@ type volumeConfig struct { name string readOnly bool path string - // isSecret or isConfigMap are mutually exclusive + // isSecret or isConfigMap and isEmptyDir are mutually exclusive isSecret bool isConfigMap bool + isEmptyDir bool mappedKeys map[string]string } @@ -304,6 +305,14 @@ func withConsoleVolumes( }, } } + if item.isEmptyDir { + vols[i] = corev1.Volume{ + Name: item.name, + VolumeSource: corev1.VolumeSource{ + EmptyDir: &corev1.EmptyDirVolumeSource{}, + }, + } + } } deployment.Spec.Template.Spec.Volumes = vols } @@ -519,6 +528,12 @@ func defaultVolumeConfig() []volumeConfig { path: "/var/service-ca", isConfigMap: true, }, + { + name: "tmp", + readOnly: false, + path: "/tmp", + isEmptyDir: true, + }, } } diff --git a/pkg/console/subresource/deployment/deployment_test.go b/pkg/console/subresource/deployment/deployment_test.go index 7a97bda9a0..d2bb656d71 100644 --- a/pkg/console/subresource/deployment/deployment_test.go +++ b/pkg/console/subresource/deployment/deployment_test.go @@ -965,6 +965,13 @@ func TestWithConsoleVolumes(t *testing.T) { }, } + tmpVolume := corev1.Volume{ + Name: "tmp", + VolumeSource: corev1.VolumeSource{ + EmptyDir: &corev1.EmptyDirVolumeSource{}, + }, + } + customLogoVolume := corev1.Volume{ Name: api.OpenShiftCustomLogoConfigMapName, VolumeSource: corev1.VolumeSource{ @@ -1033,6 +1040,7 @@ func TestWithConsoleVolumes(t *testing.T) { consoleOauthConfigVolume, consoleConfigVolume, serviceCAVolume, + tmpVolume, } trustedVolumes := append(defaultVolumes, trustedCAVolume) customLogoVolumes := append(defaultVolumes, customLogoVolume) @@ -1062,6 +1070,12 @@ func TestWithConsoleVolumes(t *testing.T) { MountPath: "/var/service-ca", } + tmpVolumeMount := corev1.VolumeMount{ + Name: "tmp", + ReadOnly: false, + MountPath: "/tmp", + } + trustedCAVolumeMount := corev1.VolumeMount{ Name: api.TrustedCAConfigMapName, ReadOnly: true, 
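Review bot: The updated comment `// isSecret or isConfigMap and isEmptyDir are mutually exclusive` is ambiguous — it can be read as "isSecret, or (isConfigMap and isEmptyDir)". State the invariant plainly: `// Exactly one of isSecret, isConfigMap or isEmptyDir must be set; they are mutually exclusive.` The struct's opening line is outside the hunk.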
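Review bot: The added `if item.isEmptyDir { ... }` in withConsoleVolumes is a third independent `if` that unconditionally assigns `vols[i]`, so the exclusivity the struct comment promises is never enforced: a volumeConfig that sets isEmptyDir together with isSecret or isConfigMap silently ends up as an emptyDir, overwriting the secret or configmap volume built by the earlier branches (those branches sit before the hunk). The minimal fix is to make the earlier flags win, `if item.isEmptyDir && !item.isSecret && !item.isConfigMap {`; a `switch` over the three flags with a default case that reports a misconfigured entry would be cleaner. Separately, `&corev1.EmptyDirVolumeSource{}` creates an unbounded emptyDir that becomes the console pod's only writable path once readOnlyRootFilesystem is true, so consider setting `SizeLimit` to bound node ephemeral-storage use. The function starts outside the hunk and may also end outside it.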
@@ -1092,6 +1106,7 @@ func TestWithConsoleVolumes(t *testing.T) { consoleOauthConfigVolumeMount, consoleConfigVolumeMount, serviceCAVolumeMount, + tmpVolumeMount, } trustedVolumeMounts := append(defaultVolumeMounts, trustedCAVolumeMount) customLogoVolumeMounts := append(defaultVolumeMounts, customLogoVolumeMount) @@ -1646,6 +1661,11 @@ func TestDefaultDownloadsDeployment(t *testing.T) { Protocol: corev1.ProtocolTCP, ContainerPort: api.DownloadsPort, }}, + VolumeMounts: []corev1.VolumeMount{{ + Name: "tmp", + ReadOnly: false, + MountPath: "/tmp", + }}, ReadinessProbe: &corev1.Probe{ ProbeHandler: corev1.ProbeHandler{ HTTPGet: &corev1.HTTPGetAction{ @@ -1691,6 +1711,12 @@ func TestDefaultDownloadsDeployment(t *testing.T) { }, }, }, + Volumes: []corev1.Volume{{ + Name: "tmp", + VolumeSource: corev1.VolumeSource{ + EmptyDir: &corev1.EmptyDirVolumeSource{}, + }, + }}, } downloadsDeploymentPodSpecHighAvail := downloadsDeploymentPodSpecSingleReplica.DeepCopy() downloadsDeploymentPodSpecHighAvail.Affinity = &corev1.Affinity{ From ea4062a9cf4e99fe9515be136d2718b0250bfb4b Mon Sep 17 00:00:00 2001 From: Andreas Bleischwitz Date: Wed, 4 Mar 2026 19:46:43 +0100 Subject: [PATCH 2/2] Enable readOnlyRootFilesystem for console and download pod, add /tmp emptyDir volume --- bindata/assets/deployments/downloads-deployment.yaml | 2 +- pkg/console/subresource/deployment/deployment_test.go | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/bindata/assets/deployments/downloads-deployment.yaml b/bindata/assets/deployments/downloads-deployment.yaml index 579acc8bea..98fbfa91fd 100644 --- a/bindata/assets/deployments/downloads-deployment.yaml +++ b/bindata/assets/deployments/downloads-deployment.yaml @@ -49,7 +49,7 @@ spec: failureThreshold: 3 name: download-server securityContext: - readOnlyRootFilesystem: false + readOnlyRootFilesystem: true allowPrivilegeEscalation: false capabilities: drop: 
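Review bot: This one-line flip for `download-server` is the part of the series subject that [PATCH 1/2] omitted; both patches carry the identical subject, so squash this into the first one — applied alone, patch 1 leaves download-server with a writable root filesystem and a `/tmp` emptyDir it does not need. The reason `/tmp` must stay a writable mount is only evident from the container's command, which writes `serve.py` there before `exec python3 /tmp/serve.py`, so record it next to the flag: `# root fs is read-only; /tmp is an emptyDir (see volumes) because the startup script writes serve.py there`.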
diff --git a/pkg/console/subresource/deployment/deployment_test.go b/pkg/console/subresource/deployment/deployment_test.go index d2bb656d71..8e92f226c9 100644 --- a/pkg/console/subresource/deployment/deployment_test.go +++ b/pkg/console/subresource/deployment/deployment_test.go @@ -1701,7 +1701,7 @@ func TestDefaultDownloadsDeployment(t *testing.T) { }, Args: downloadsDeploymentTemplate.Spec.Template.Spec.Containers[0].Args, SecurityContext: &corev1.SecurityContext{ - ReadOnlyRootFilesystem: utilpointer.Bool(false), + ReadOnlyRootFilesystem: utilpointer.Bool(true), Capabilities: &corev1.Capabilities{ Drop: []corev1.Capability{ "ALL",