From cf18ee1a6987e3170b79621c838336cd09a1f009 Mon Sep 17 00:00:00 2001
From: Allen Ray
Date: Thu, 24 Jul 2025 11:04:00 -0400
Subject: [PATCH] Enable readonlyRootFilesystem by default
---
 ...000_50_olm_06-psm-operator.deployment.ibm-cloud-managed.yaml | 2 ++
 manifests/0000_50_olm_06-psm-operator.deployment.yaml | 2 ++
 ...000_50_olm_07-olm-operator.deployment.ibm-cloud-managed.yaml | 1 +
 manifests/0000_50_olm_07-olm-operator.deployment.yaml | 1 +
 ...50_olm_08-catalog-operator.deployment.ibm-cloud-managed.yaml | 1 +
 manifests/0000_50_olm_08-catalog-operator.deployment.yaml | 1 +
 ...000_50_olm_06-psm-operator.deployment.ibm-cloud-managed.yaml | 2 ++
 .../0000_50_olm_06-psm-operator.deployment.yaml | 2 ++
 ...000_50_olm_07-olm-operator.deployment.ibm-cloud-managed.yaml | 1 +
 .../0000_50_olm_07-olm-operator.deployment.yaml | 1 +
 ...50_olm_08-catalog-operator.deployment.ibm-cloud-managed.yaml | 1 +
 .../0000_50_olm_08-catalog-operator.deployment.yaml | 1 +
 pkg/manifests/csv.yaml | 1 +
 scripts/catalog-deployment.patch.yaml | 1 +
 scripts/generate_crds_manifests.sh | 2 ++
 scripts/olm-deployment.patch.yaml | 1 +
 scripts/packageserver-deployment.patch.yaml | 1 +
 17 files changed, 22 insertions(+)
diff --git a/manifests/0000_50_olm_06-psm-operator.deployment.ibm-cloud-managed.yaml b/manifests/0000_50_olm_06-psm-operator.deployment.ibm-cloud-managed.yaml
index b92668250a..5511e685c7 100644
--- a/manifests/0000_50_olm_06-psm-operator.deployment.ibm-cloud-managed.yaml
+++ b/manifests/0000_50_olm_06-psm-operator.deployment.ibm-cloud-managed.yaml
@@ -41,6 +41,7 @@ spec:
 name: kube-rbac-proxy
 securityContext:
 allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
 capabilities:
 drop: ["ALL"]
 ports:
@@ -59,6 +60,7 @@ spec:
 - name: package-server-manager
 securityContext:
 allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
 capabilities:
 drop: ["ALL"]
 command:
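Review bot: `readOnlyRootFilesystem: true` is added to kube-rbac-proxy and package-server-manager in both hunks here, and identically to olm-operator, catalog-operator, packageserver and the generator sources under scripts/ in the later hunks, but no writable `emptyDir` volume or mount is added anywhere in the patch to go with it. The olm-operator and catalog-operator hunks end at a `volumeMounts:` key whose contents lie outside the hunk, so this diff cannot show whether `/tmp` or any cache or unpack directory those processes write to is already volume-backed; if it is not, the failure surfaces as a runtime write error after rollout rather than at admission. Each workload should be exercised with the new setting before merge, and the manifest is clearer with a comment above the field such as `# root filesystem is read-only; every writable path needs an emptyDir or other volume mount`. The container securityContext in these hunks still carries no `runAsNonRoot` or `seccompProfile`, which the Pod Security `restricted` profile also expects; both may be set at pod level outside the hunk, so this is only worth a check.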
diff --git a/manifests/0000_50_olm_06-psm-operator.deployment.yaml b/manifests/0000_50_olm_06-psm-operator.deployment.yaml
index 70f2d59203..a63f72ab6b 100644
--- a/manifests/0000_50_olm_06-psm-operator.deployment.yaml
+++ b/manifests/0000_50_olm_06-psm-operator.deployment.yaml
@@ -41,6 +41,7 @@ spec:
 name: kube-rbac-proxy
 securityContext:
 allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
 capabilities:
 drop: ["ALL"]
 ports:
@@ -59,6 +60,7 @@ spec:
 - name: package-server-manager
 securityContext:
 allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
 capabilities:
 drop: ["ALL"]
 command:
diff --git a/manifests/0000_50_olm_07-olm-operator.deployment.ibm-cloud-managed.yaml b/manifests/0000_50_olm_07-olm-operator.deployment.ibm-cloud-managed.yaml
index dcecc07ea4..63cde3a8da 100644
--- a/manifests/0000_50_olm_07-olm-operator.deployment.ibm-cloud-managed.yaml
+++ b/manifests/0000_50_olm_07-olm-operator.deployment.ibm-cloud-managed.yaml
@@ -42,6 +42,7 @@ spec:
 - name: olm-operator
 securityContext:
 allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
 capabilities:
 drop: ["ALL"]
 volumeMounts:
diff --git a/manifests/0000_50_olm_07-olm-operator.deployment.yaml b/manifests/0000_50_olm_07-olm-operator.deployment.yaml
index eda39adc5f..0463328554 100644
--- a/manifests/0000_50_olm_07-olm-operator.deployment.yaml
+++ b/manifests/0000_50_olm_07-olm-operator.deployment.yaml
@@ -41,6 +41,7 @@ spec:
 - name: olm-operator
 securityContext:
 allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
 capabilities:
 drop: ["ALL"]
 volumeMounts:
diff --git a/manifests/0000_50_olm_08-catalog-operator.deployment.ibm-cloud-managed.yaml b/manifests/0000_50_olm_08-catalog-operator.deployment.ibm-cloud-managed.yaml
index 612fe28196..61c35d18c8 100644
--- a/manifests/0000_50_olm_08-catalog-operator.deployment.ibm-cloud-managed.yaml
+++ b/manifests/0000_50_olm_08-catalog-operator.deployment.ibm-cloud-managed.yaml
@@ -42,6 +42,7 @@ spec:
 - name: catalog-operator
 securityContext:
 allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
 capabilities:
 drop: ["ALL"]
 volumeMounts:
diff --git a/manifests/0000_50_olm_08-catalog-operator.deployment.yaml b/manifests/0000_50_olm_08-catalog-operator.deployment.yaml
index e883727237..238b91d9a2 100644
--- a/manifests/0000_50_olm_08-catalog-operator.deployment.yaml
+++ b/manifests/0000_50_olm_08-catalog-operator.deployment.yaml
@@ -41,6 +41,7 @@ spec:
 - name: catalog-operator
 securityContext:
 allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
 capabilities:
 drop: ["ALL"]
 volumeMounts:
diff --git a/microshift-manifests/0000_50_olm_06-psm-operator.deployment.ibm-cloud-managed.yaml b/microshift-manifests/0000_50_olm_06-psm-operator.deployment.ibm-cloud-managed.yaml
index b92668250a..5511e685c7 100644
--- a/microshift-manifests/0000_50_olm_06-psm-operator.deployment.ibm-cloud-managed.yaml
+++ b/microshift-manifests/0000_50_olm_06-psm-operator.deployment.ibm-cloud-managed.yaml
@@ -41,6 +41,7 @@ spec:
 name: kube-rbac-proxy
 securityContext:
 allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
 capabilities:
 drop: ["ALL"]
 ports:
@@ -59,6 +60,7 @@ spec:
 - name: package-server-manager
 securityContext:
 allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
 capabilities:
 drop: ["ALL"]
 command:
diff --git a/microshift-manifests/0000_50_olm_06-psm-operator.deployment.yaml b/microshift-manifests/0000_50_olm_06-psm-operator.deployment.yaml
index 70f2d59203..a63f72ab6b 100644
--- a/microshift-manifests/0000_50_olm_06-psm-operator.deployment.yaml
+++ b/microshift-manifests/0000_50_olm_06-psm-operator.deployment.yaml
@@ -41,6 +41,7 @@ spec:
 name: kube-rbac-proxy
 securityContext:
 allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
 capabilities:
 drop: ["ALL"]
 ports:
@@ -59,6 +60,7 @@ spec:
 - name: package-server-manager
 securityContext:
 allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
 capabilities:
 drop: ["ALL"]
 command:
diff --git a/microshift-manifests/0000_50_olm_07-olm-operator.deployment.ibm-cloud-managed.yaml b/microshift-manifests/0000_50_olm_07-olm-operator.deployment.ibm-cloud-managed.yaml
index dcecc07ea4..63cde3a8da 100644
--- a/microshift-manifests/0000_50_olm_07-olm-operator.deployment.ibm-cloud-managed.yaml
+++ b/microshift-manifests/0000_50_olm_07-olm-operator.deployment.ibm-cloud-managed.yaml
@@ -42,6 +42,7 @@ spec:
 - name: olm-operator
 securityContext:
 allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
 capabilities:
 drop: ["ALL"]
 volumeMounts:
diff --git a/microshift-manifests/0000_50_olm_07-olm-operator.deployment.yaml b/microshift-manifests/0000_50_olm_07-olm-operator.deployment.yaml
index e9a76baba5..856795b652 100644
--- a/microshift-manifests/0000_50_olm_07-olm-operator.deployment.yaml
+++ b/microshift-manifests/0000_50_olm_07-olm-operator.deployment.yaml
@@ -41,6 +41,7 @@ spec:
 - name: olm-operator
 securityContext:
 allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
 capabilities:
 drop: ["ALL"]
 volumeMounts:
diff --git a/microshift-manifests/0000_50_olm_08-catalog-operator.deployment.ibm-cloud-managed.yaml b/microshift-manifests/0000_50_olm_08-catalog-operator.deployment.ibm-cloud-managed.yaml
index 612fe28196..61c35d18c8 100644
--- a/microshift-manifests/0000_50_olm_08-catalog-operator.deployment.ibm-cloud-managed.yaml
+++ b/microshift-manifests/0000_50_olm_08-catalog-operator.deployment.ibm-cloud-managed.yaml
@@ -42,6 +42,7 @@ spec:
 - name: catalog-operator
 securityContext:
 allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
 capabilities:
 drop: ["ALL"]
 volumeMounts:
diff --git a/microshift-manifests/0000_50_olm_08-catalog-operator.deployment.yaml b/microshift-manifests/0000_50_olm_08-catalog-operator.deployment.yaml
index e883727237..238b91d9a2 100644
--- a/microshift-manifests/0000_50_olm_08-catalog-operator.deployment.yaml
+++ b/microshift-manifests/0000_50_olm_08-catalog-operator.deployment.yaml
@@ -41,6 +41,7 @@ spec:
 - name: catalog-operator
 securityContext:
 allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
 capabilities:
 drop: ["ALL"]
 volumeMounts:
diff --git a/pkg/manifests/csv.yaml b/pkg/manifests/csv.yaml
index 2fcf86353f..c077a62ae0 100644
--- a/pkg/manifests/csv.yaml
+++ b/pkg/manifests/csv.yaml
@@ -114,6 +114,7 @@ spec:
 - name: packageserver
 securityContext:
 allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
 capabilities:
 drop: ["ALL"]
 command:
diff --git a/scripts/catalog-deployment.patch.yaml b/scripts/catalog-deployment.patch.yaml
index bba2481abc..7633ce38f8 100644
--- a/scripts/catalog-deployment.patch.yaml
+++ b/scripts/catalog-deployment.patch.yaml
@@ -15,6 +15,7 @@
 path: spec.template.spec.containers[*].securityContext
 value:
 allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
 capabilities:
 drop: ["ALL"]
 - command: update
diff --git a/scripts/generate_crds_manifests.sh b/scripts/generate_crds_manifests.sh
index f159e6250a..69a30bcd6b 100755
--- a/scripts/generate_crds_manifests.sh
+++ b/scripts/generate_crds_manifests.sh
@@ -202,6 +202,7 @@ spec:
 name: kube-rbac-proxy
 securityContext:
 allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
 capabilities:
 drop: ["ALL"]
 ports:
@@ -220,6 +221,7 @@ spec:
 - name: package-server-manager
 securityContext:
 allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
 capabilities:
 drop: ["ALL"]
 command:
diff --git a/scripts/olm-deployment.patch.yaml b/scripts/olm-deployment.patch.yaml
index 7db75ae51d..0fb75c5066 100644
--- a/scripts/olm-deployment.patch.yaml
+++ b/scripts/olm-deployment.patch.yaml
@@ -23,6 +23,7 @@
 path: spec.template.spec.containers[*].securityContext
 value:
 allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
 capabilities:
 drop: ["ALL"]
 - command: update
diff --git a/scripts/packageserver-deployment.patch.yaml b/scripts/packageserver-deployment.patch.yaml
index 2e5c2456eb..da73dcae71 100644
--- a/scripts/packageserver-deployment.patch.yaml
+++ b/scripts/packageserver-deployment.patch.yaml
@@ -40,6 +40,7 @@
 path: spec.install.spec.deployments[0].spec.template.spec.containers[*].securityContext
 value:
 allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
 capabilities:
 drop: ["ALL"]
 - command: update