diff --git a/deploy/bundle/manifests/devworkspace-operator.clusterserviceversion.yaml b/deploy/bundle/manifests/devworkspace-operator.clusterserviceversion.yaml
index 54ce6def0..fe6ee0971 100644
--- a/deploy/bundle/manifests/devworkspace-operator.clusterserviceversion.yaml
+++ b/deploy/bundle/manifests/devworkspace-operator.clusterserviceversion.yaml
@@ -400,6 +400,8 @@ spec:
 requests:
 cpu: 250m
 memory: 100Mi
+ securityContext:
+ readOnlyRootFilesystem: true
 serviceAccountName: devworkspace-controller-serviceaccount
 terminationGracePeriodSeconds: 10
 permissions:
diff --git a/deploy/deployment/kubernetes/combined.yaml b/deploy/deployment/kubernetes/combined.yaml
index 1a70445b7..34953ec1e 100644
--- a/deploy/deployment/kubernetes/combined.yaml
+++ b/deploy/deployment/kubernetes/combined.yaml
@@ -26224,6 +26224,8 @@ spec:
 requests:
 cpu: 250m
 memory: 100Mi
+ securityContext:
+ readOnlyRootFilesystem: true
 volumeMounts:
 - mountPath: /tmp/k8s-webhook-server/serving-certs
 name: webhook-tls-certs
diff --git a/deploy/deployment/kubernetes/objects/devworkspace-controller-manager.Deployment.yaml b/deploy/deployment/kubernetes/objects/devworkspace-controller-manager.Deployment.yaml
index 828b98ec8..cd6b29efc 100644
--- a/deploy/deployment/kubernetes/objects/devworkspace-controller-manager.Deployment.yaml
+++ b/deploy/deployment/kubernetes/objects/devworkspace-controller-manager.Deployment.yaml
@@ -96,6 +96,8 @@ spec:
 requests:
 cpu: 250m
 memory: 100Mi
+ securityContext:
+ readOnlyRootFilesystem: true
 volumeMounts:
 - mountPath: /tmp/k8s-webhook-server/serving-certs
 name: webhook-tls-certs
diff --git a/deploy/deployment/openshift/combined.yaml b/deploy/deployment/openshift/combined.yaml
index 40b080f3c..31bb95d7f 100644
--- a/deploy/deployment/openshift/combined.yaml
+++ b/deploy/deployment/openshift/combined.yaml
@@ -26226,6 +26226,8 @@ spec:
 requests:
 cpu: 250m
 memory: 100Mi
+ securityContext:
+ readOnlyRootFilesystem: true
 volumeMounts:
 - mountPath: /tmp/k8s-webhook-server/serving-certs
 name: webhook-tls-certs
diff --git a/deploy/deployment/openshift/objects/devworkspace-controller-manager.Deployment.yaml b/deploy/deployment/openshift/objects/devworkspace-controller-manager.Deployment.yaml
index be4c8b959..5b226b7c9 100644
--- a/deploy/deployment/openshift/objects/devworkspace-controller-manager.Deployment.yaml
+++ b/deploy/deployment/openshift/objects/devworkspace-controller-manager.Deployment.yaml
@@ -96,6 +96,8 @@ spec:
 requests:
 cpu: 250m
 memory: 100Mi
+ securityContext:
+ readOnlyRootFilesystem: true
 volumeMounts:
 - mountPath: /tmp/k8s-webhook-server/serving-certs
 name: webhook-tls-certs
diff --git a/deploy/templates/components/manager/manager.yaml b/deploy/templates/components/manager/manager.yaml
index 72180dd38..331391d50 100644
--- a/deploy/templates/components/manager/manager.yaml
+++ b/deploy/templates/components/manager/manager.yaml
@@ -51,6 +51,8 @@ spec:
 requests:
 cpu: 250m
 memory: 100Mi
+ securityContext:
+ readOnlyRootFilesystem: true
 env:
 - name: WATCH_NAMESPACE
 value: ""
diff --git a/pkg/webhook/deployment.go b/pkg/webhook/deployment.go
index 2bc037043..6cab96edc 100755
--- a/pkg/webhook/deployment.go
+++ b/pkg/webhook/deployment.go
@@ -187,6 +187,9 @@ func getSpecDeployment(webhooksSecretName, namespace string) (*appsv1.Deployment
 Name: "WATCH_NAMESPACE",
 },
 },
+ SecurityContext: &corev1.SecurityContext{
+ ReadOnlyRootFilesystem: pointer.Bool(true),
+ },
 },
 },
 RestartPolicy: "Always",
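Review bot: The `securityContext` added to the manager container in deploy/templates/components/manager/manager.yaml sets only `readOnlyRootFilesystem`, leaving the rest of the usual container hardening (`allowPrivilegeEscalation: false`, `runAsNonRoot: true`, `capabilities.drop: [ALL]`, `seccompProfile.type: RuntimeDefault`) unset; the same gap applies to the `SecurityContext` added in pkg/webhook/deployment.go. The five generated manifests earlier in this diff (the bundle CSV, and combined.yaml and objects/ for both kubernetes and openshift) carry the same two lines, so they should be regenerated from this template after the change rather than edited by hand. With a read-only root the manager can only write to mounted volumes; the hunks show a webhook-tls-certs mount at /tmp/k8s-webhook-server/serving-certs, so if the process writes anywhere else (a temp directory, for example) it will now fail at runtime and would need an emptyDir mount — worth confirming with a start-up run on both platforms. The container spec continues outside the hunk.
```yaml
securityContext:
  readOnlyRootFilesystem: true
  allowPrivilegeEscalation: false
  runAsNonRoot: true
  capabilities:
    drop:
      - ALL
  seccompProfile:
    type: RuntimeDefault
# … unchanged: env, volumeMounts …
```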
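Review bot: The new `SecurityContext` in getSpecDeployment calls `pointer.Bool(true)`, but no hunk in this diff touches the import block of pkg/webhook/deployment.go, so either `k8s.io/utils/pointer` is already imported there or the build breaks; please confirm. That package is deprecated upstream in favour of `k8s.io/utils/ptr`, so if the vendored k8s.io/utils is recent enough, `ReadOnlyRootFilesystem: ptr.To(true),` is the forward-looking form. As with the manager template, only the root filesystem is locked down here; the other hardening fields are raised in the note on manager.yaml and should be applied to this struct too so the webhook server and the controller agree. getSpecDeployment starts and ends outside the hunk, so whether the webhook server writes anything outside its mounted secret cannot be checked from here.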