Skip to content

Commit

Permalink
deploy: run all containers with read-only filesystem
Browse files Browse the repository at this point in the history
Prevent potential abuse of the container storage a little more, by
running all containers with a read-only filesystem.

Signed-off-by: Niels de Vos <[email protected]>
  • Loading branch information
nixpanic committed Mar 8, 2024
1 parent 61a0350 commit be62d0c
Show file tree
Hide file tree
Showing 3 changed files with 8 additions and 0 deletions.
1 change: 1 addition & 0 deletions config/manager/manager.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -34,6 +34,7 @@ spec:
fieldPath: metadata.namespace
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
livenessProbe:
httpGet:
path: /healthz
Expand Down
3 changes: 3 additions & 0 deletions config/manager/manager_auth_proxy_patch.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -30,6 +30,9 @@ spec:
requests:
cpu: 10m
memory: 64Mi
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
- name: manager
args:
- "--namespace=$(POD_NAMESPACE)"
Expand Down
4 changes: 4 additions & 0 deletions deploy/controller/setup-controller.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -56,6 +56,9 @@ spec:
requests:
cpu: 10m
memory: 64Mi
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
- args:
- --namespace=$(POD_NAMESPACE)
- --health-probe-bind-address=:8081
Expand Down Expand Up @@ -91,6 +94,7 @@ spec:
memory: 64Mi
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
securityContext:
runAsNonRoot: true
serviceAccountName: csi-addons-controller-manager
Expand Down

0 comments on commit be62d0c

Please sign in to comment.