From b74ac2769231059163007638e90a17ac0b713378 Mon Sep 17 00:00:00 2001
From: Brad Behle
Date: Mon, 11 Aug 2025 10:45:07 -0500
Subject: [PATCH] Restrict access to mounted secrets in ovnkube-control-plane

Improve security of ovnkube-control-plane by removing read-all access to the mounted secrets.
---
 .../network/ovn-kubernetes/managed/ovnkube-control-plane.yaml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/bindata/network/ovn-kubernetes/managed/ovnkube-control-plane.yaml b/bindata/network/ovn-kubernetes/managed/ovnkube-control-plane.yaml
index a9173210fb..5032a5c28f 100644
--- a/bindata/network/ovn-kubernetes/managed/ovnkube-control-plane.yaml
+++ b/bindata/network/ovn-kubernetes/managed/ovnkube-control-plane.yaml
@@ -312,14 +312,17 @@ spec:
 optional: true
 - name: ovn-control-plane-metrics-cert
 secret:
+ defaultMode: 0640
 secretName: ovn-control-plane-metrics-cert
 - name: admin-kubeconfig
 secret:
+ defaultMode: 0640
 secretName: service-network-admin-kubeconfig
 - name: hosted-cluster-api-access
 emptyDir: {}
 - name: hosted-ca-cert
 secret:
+ defaultMode: 0640
 secretName: root-ca
 items:
 - key: ca.crt
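Review bot: The three added `defaultMode: 0640` lines drop world-read from the secret files, but whether the containers can still open them depends on the pod's `securityContext`, which is outside this hunk: secret volume files are created as uid 0 with the group set to `fsGroup` when one is given, so a container running as a non-root user without a matching `fsGroup` loses read access to `ovn-control-plane-metrics-cert` and `service-network-admin-kubeconfig` that it had under the previous default of 0644. Please confirm the pod's `runAsUser`/`fsGroup` (or that the containers run as root) before merging, and consider documenting the dependency next to the first occurrence, e.g. `# 0640 (octal int, not a string): owner/group read only; relies on the pod fsGroup / root container to read these files`. The volume whose `optional: true` opens the hunk is defined above it; if that volume is also a `secret:` mount it keeps the 0644 default and the "removing read-all access" claim in the description is incomplete. For `hosted-ca-cert`, `defaultMode` is overridden by any per-item `mode` in the `items:` list, which continues past the end of the hunk, so verify no item there reintroduces a wider mode (although `ca.crt` is public CA material and the 0640 on that volume is consistency rather than a confidentiality gain).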