Merge pull request #954 from cgoncalves/readonlyroot

zeeke · web-flow · commit 1821d9dc11cc · 2025-11-06T14:05:47.000+01:00
Add readOnlyRootFilesystem=true to containers missing it
diff --git a/bindata/manifests/daemon/daemonset.yaml b/bindata/manifests/daemon/daemonset.yaml
@@ -142,6 +142,7 @@ spec:
           - sriov-network-config-daemon
         securityContext:
           privileged: true
+          readOnlyRootFilesystem: true
         args:
           - "start"
         {{- if .UsedSystemdMode}}
diff --git a/bindata/manifests/metrics-exporter/metrics-daemonset.yaml b/bindata/manifests/metrics-exporter/metrics-daemonset.yaml
@@ -78,6 +78,9 @@ spec:
             valueFrom:
               fieldRef:
                 fieldPath: status.hostIP
+        securityContext:
+          readOnlyRootFilesystem: true
+          allowPrivilegeEscalation: false
         resources:
           requests:
             cpu: 10m
diff --git a/bindata/manifests/plugins/sriov-device-plugin.yaml b/bindata/manifests/plugins/sriov-device-plugin.yaml
@@ -56,6 +56,7 @@ spec:
               fieldPath: spec.nodeName
         securityContext:
           privileged: true
+          readOnlyRootFilesystem: true
         resources:
           requests:
             cpu: 10m
diff --git a/deploy/operator.yaml b/deploy/operator.yaml
@@ -49,6 +49,9 @@ spec:
           image: $SRIOV_NETWORK_OPERATOR_IMAGE
           command:
           - sriov-network-operator
+          securityContext:
+            readOnlyRootFilesystem: true
+            allowPrivilegeEscalation: false
           resources:
             requests:
               cpu: 100m
diff --git a/deployment/sriov-network-operator-chart/templates/operator.yaml b/deployment/sriov-network-operator-chart/templates/operator.yaml
@@ -43,6 +43,9 @@ spec:
           image: {{ .Values.images.operator }}
           command:
             - sriov-network-operator
+          securityContext:
+            readOnlyRootFilesystem: true
+            allowPrivilegeEscalation: false
           resources:
             requests:
               cpu: 100m
