From 1ff308aa4dec3e77a905ea20981cbf18600db5d5 Mon Sep 17 00:00:00 2001
From: David Kwon
Date: Wed, 5 Nov 2025 16:16:23 -0500
Subject: [PATCH] Set readOnlyRootFilesystem for deployments to true
Signed-off-by: David Kwon
---
 .../manifests/devworkspace-operator.clusterserviceversion.yaml | 2 ++
 deploy/deployment/kubernetes/combined.yaml | 2 ++
 .../objects/devworkspace-controller-manager.Deployment.yaml | 2 ++
 deploy/deployment/openshift/combined.yaml | 2 ++
 .../objects/devworkspace-controller-manager.Deployment.yaml | 2 ++
 deploy/templates/components/manager/manager.yaml | 2 ++
 pkg/webhook/deployment.go | 3 +++
 7 files changed, 15 insertions(+)
diff --git a/deploy/bundle/manifests/devworkspace-operator.clusterserviceversion.yaml b/deploy/bundle/manifests/devworkspace-operator.clusterserviceversion.yaml
index 54ce6def0..fe6ee0971 100644
--- a/deploy/bundle/manifests/devworkspace-operator.clusterserviceversion.yaml
+++ b/deploy/bundle/manifests/devworkspace-operator.clusterserviceversion.yaml
@@ -400,6 +400,8 @@ spec:
 requests:
 cpu: 250m
 memory: 100Mi
+ securityContext:
+ readOnlyRootFilesystem: true
 serviceAccountName: devworkspace-controller-serviceaccount
 terminationGracePeriodSeconds: 10
 permissions:
diff --git a/deploy/deployment/kubernetes/combined.yaml b/deploy/deployment/kubernetes/combined.yaml
index 1a70445b7..34953ec1e 100644
--- a/deploy/deployment/kubernetes/combined.yaml
+++ b/deploy/deployment/kubernetes/combined.yaml
@@ -26224,6 +26224,8 @@ spec:
 requests:
 cpu: 250m
 memory: 100Mi
+ securityContext:
+ readOnlyRootFilesystem: true
 volumeMounts:
 - mountPath: /tmp/k8s-webhook-server/serving-certs
 name: webhook-tls-certs
diff --git a/deploy/deployment/kubernetes/objects/devworkspace-controller-manager.Deployment.yaml b/deploy/deployment/kubernetes/objects/devworkspace-controller-manager.Deployment.yaml
index 828b98ec8..cd6b29efc 100644
--- a/deploy/deployment/kubernetes/objects/devworkspace-controller-manager.Deployment.yaml
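Review bot: The added container securityContext turns on readOnlyRootFilesystem without any writable volume visible in the hunk; the only mount shown across these hunks is the webhook-tls-certs secret at /tmp/k8s-webhook-server/serving-certs, so if the manager writes anywhere else on its filesystem (temp files, caches) it needs an emptyDir mounted there, otherwise the breakage shows up only as a crash-looping pod at runtime rather than at manifest validation. The identical two-line addition appears in the kubernetes and openshift combined.yaml and objects Deployment.yaml hunks and in deploy/templates/components/manager/manager.yaml; if the deployment manifests and the CSV are generated from the template, reviewing the template hunk is sufficient, but they should be regenerated rather than hand-edited so they do not drift. Since a container-level securityContext is being introduced here, it is the natural place to also set `allowPrivilegeEscalation: false` and `capabilities: {drop: [ALL]}`, unless the pod-level securityContext outside the hunk already covers them. The enclosing container spec starts and ends outside every one of these hunks.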
+++ b/deploy/deployment/kubernetes/objects/devworkspace-controller-manager.Deployment.yaml
@@ -96,6 +96,8 @@ spec:
 requests:
 cpu: 250m
 memory: 100Mi
+ securityContext:
+ readOnlyRootFilesystem: true
 volumeMounts:
 - mountPath: /tmp/k8s-webhook-server/serving-certs
 name: webhook-tls-certs
diff --git a/deploy/deployment/openshift/combined.yaml b/deploy/deployment/openshift/combined.yaml
index 40b080f3c..31bb95d7f 100644
--- a/deploy/deployment/openshift/combined.yaml
+++ b/deploy/deployment/openshift/combined.yaml
@@ -26226,6 +26226,8 @@ spec:
 requests:
 cpu: 250m
 memory: 100Mi
+ securityContext:
+ readOnlyRootFilesystem: true
 volumeMounts:
 - mountPath: /tmp/k8s-webhook-server/serving-certs
 name: webhook-tls-certs
diff --git a/deploy/deployment/openshift/objects/devworkspace-controller-manager.Deployment.yaml b/deploy/deployment/openshift/objects/devworkspace-controller-manager.Deployment.yaml
index be4c8b959..5b226b7c9 100644
--- a/deploy/deployment/openshift/objects/devworkspace-controller-manager.Deployment.yaml
+++ b/deploy/deployment/openshift/objects/devworkspace-controller-manager.Deployment.yaml
@@ -96,6 +96,8 @@ spec:
 requests:
 cpu: 250m
 memory: 100Mi
+ securityContext:
+ readOnlyRootFilesystem: true
 volumeMounts:
 - mountPath: /tmp/k8s-webhook-server/serving-certs
 name: webhook-tls-certs
diff --git a/deploy/templates/components/manager/manager.yaml b/deploy/templates/components/manager/manager.yaml
index 72180dd38..331391d50 100644
--- a/deploy/templates/components/manager/manager.yaml
+++ b/deploy/templates/components/manager/manager.yaml
@@ -51,6 +51,8 @@ spec:
 requests:
 cpu: 250m
 memory: 100Mi
+ securityContext:
+ readOnlyRootFilesystem: true
 env:
 - name: WATCH_NAMESPACE
 value: ""
diff --git a/pkg/webhook/deployment.go b/pkg/webhook/deployment.go
index 2bc037043..6cab96edc 100755
--- a/pkg/webhook/deployment.go
+++ b/pkg/webhook/deployment.go
@@ -187,6 +187,9 @@ func getSpecDeployment(webhooksSecretName, namespace string) (*appsv1.Deployment
 Name: "WATCH_NAMESPACE",
 },
 },
+ SecurityContext: &corev1.SecurityContext{
+ ReadOnlyRootFilesystem: pointer.Bool(true),
+ },
 },
 },
 RestartPolicy: "Always",
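Review bot: The new SecurityContext literal sets only ReadOnlyRootFilesystem, and the hunk does not show whether the webhook-server container built by getSpecDeployment has a writable volume for anything the process writes at runtime; the volumes and mounts are outside the hunk, so confirm the webhook binary writes nothing outside its mounted serving-certs directory, because a violation surfaces only as a crash-looping pod after rollout. While the container context is being introduced, it is worth completing it in the same literal, e.g. `AllowPrivilegeEscalation: pointer.Bool(false),` and `Capabilities: &corev1.Capabilities{Drop: []corev1.Capability{"ALL"}},`, unless the pod-level context (not visible here) already sets them. Note that `k8s.io/utils/pointer` is deprecated upstream in favour of `k8s.io/utils/ptr` (`ptr.To(true)`); switching is only worthwhile if the file already imports ptr, which I cannot tell from the hunk. getSpecDeployment begins and ends outside the hunk.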