Add readOnlyRootFilesystem=true to containers missing it

readOnlyRootFilesystem prevents containers from writing to the root filesystem,
reducing attack surface and improving security posture by limiting potential
malicious file modifications and ensuring immutable container runtime.

allowPrivilegeEscalation=false prevents containers from gaining additional
privileges beyond those initially granted, further hardening the security
posture by blocking privilege escalation attacks.

Signed-off-by: Carlos Goncalves <[email protected]>

Author: cgoncalves

bindata/linuxptp/ptp-daemon.yaml

@@ -36,6 +36,9 @@ spec:
         - name: cloud-event-proxy
           image: {{ .SideCar }}
           imagePullPolicy: IfNotPresent
+          securityContext:
+            readOnlyRootFilesystem: true
+            allowPrivilegeEscalation: false
           args:
             - "--metrics-addr=127.0.0.1:9091"
             - "--store-path=/store"
@@ -69,6 +72,9 @@ spec:
         - name: kube-rbac-proxy
           image: {{.KubeRbacProxy}}
           imagePullPolicy: IfNotPresent
+          securityContext:
+            readOnlyRootFilesystem: true
+            allowPrivilegeEscalation: false
           args:
             - --logtostderr
             - --secure-listen-address=:8443
@@ -92,6 +98,7 @@ spec:
         - name: linuxptp-daemon-container
           securityContext:
             privileged: true
+            readOnlyRootFilesystem: true
           image: {{.Image}}
           imagePullPolicy: IfNotPresent
           command: [ "/bin/bash", "-c", "--" ]

config/default/manager_auth_proxy_patch.yaml

@@ -11,6 +11,9 @@ spec:
       containers:
       - name: kube-rbac-proxy
         image: quay.io/openshift/origin-kube-rbac-proxy:4.15
+        securityContext:
+          readOnlyRootFilesystem: true
+          allowPrivilegeEscalation: false
         args:
         - "--secure-listen-address=0.0.0.0:8443"
         - "--upstream=http://127.0.0.1:8080/"
@@ -21,6 +24,9 @@ spec:
         - containerPort: 8443
           name: https
       - name: manager
+        securityContext:
+          readOnlyRootFilesystem: true
+          allowPrivilegeEscalation: false
         args:
         - "--health-probe-bind-address=:8081"
         - "--metrics-bind-address=127.0.0.1:8080"

config/default/manager_webhook_patch.yaml

@@ -10,6 +10,9 @@ spec:
     spec:
       containers:
       - name: ptp-operator
+        securityContext:
+          readOnlyRootFilesystem: true
+          allowPrivilegeEscalation: false
         ports:
         - containerPort: 9443
           name: webhook-server

config/manager/manager.yaml

@@ -45,6 +45,9 @@ spec:
           image: controller
           command:
           - ptp-operator
+          securityContext:
+            readOnlyRootFilesystem: true
+            allowPrivilegeEscalation: false
           args:
           - --enable-leader-election
           - --logtostderr