Merge pull request #454 from rivkyrizel/MGMT-22200

MGMT-22200: Add readOnlyRootFilesystem security constrain in CAPI providers

Author: openshift-merge-bot[bot]

bootstrap-components.yaml

@@ -812,6 +812,7 @@ spec:
           capabilities:
             drop:
             - ALL
+          readOnlyRootFilesystem: true
         volumeMounts:
         - mountPath: /tmp/k8s-webhook-server/serving-certs/
           name: certs

bootstrap/config/manager/manager.yaml

@@ -35,6 +35,7 @@ spec:
                 fieldPath: metadata.namespace
         securityContext:
           allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
           capabilities:
             drop:
             - "ALL"

controlplane-components.yaml

@@ -944,6 +944,7 @@ spec:
           capabilities:
             drop:
             - ALL
+          readOnlyRootFilesystem: true
       securityContext:
         runAsNonRoot: true
       serviceAccountName: capoa-controlplane-controller-manager

controlplane/config/manager/manager.yaml

@@ -30,6 +30,7 @@ spec:
         name: manager
         securityContext:
           allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
           capabilities:
             drop:
             - "ALL"

test/e2e/manifests/capboa/bootstrap_install.yaml

@@ -812,6 +812,7 @@ spec:
           capabilities:
             drop:
             - ALL
+          readOnlyRootFilesystem: true
         volumeMounts:
         - mountPath: /tmp/k8s-webhook-server/serving-certs/
           name: certs

test/e2e/manifests/capcoa/controlplane_install.yaml

@@ -944,6 +944,7 @@ spec:
           capabilities:
             drop:
             - ALL
+          readOnlyRootFilesystem: true
       securityContext:
         runAsNonRoot: true
       serviceAccountName: capoa-controlplane-controller-manager