Merge pull request #215 from mythi/rofs

deployments: set readOnlyRootFilesystem
2025-06-03 03:59:37 +00:00 · 2019-09-03 14:52:42 +03:00 · 2019-09-03 14:52:42 +03:00 · 31fd36c047
commit 31fd36c047
parent 64c7e0e85c 7a8ff9ccc1
6 changed files with 13 additions and 0 deletions
--- a/deployments/fpga_admissionwebhook/deployment-tpl.yaml
+++ b/deployments/fpga_admissionwebhook/deployment-tpl.yaml
@ -15,6 +15,8 @@ spec:
        - name: fpga-mutator
          image: intel/intel-fpga-admissionwebhook:devel
          imagePullPolicy: IfNotPresent
+          securityContext:
+            readOnlyRootFilesystem: true
          args:
            - -tls-cert-file=/etc/webhook/certs/cert.pem
            - -tls-private-key-file=/etc/webhook/certs/key.pem
--- a/deployments/fpga_plugin/fpga_plugin.yaml
+++ b/deployments/fpga_plugin/fpga_plugin.yaml
@ -19,6 +19,8 @@ spec:
      - name: intel-fpga-initcontainer
        image: intel/intel-fpga-initcontainer:devel
        imagePullPolicy: IfNotPresent
+        securityContext:
+          readOnlyRootFilesystem: true
        volumeMounts:
        - mountPath: /opt/intel/fpga-sw
          name: intel-fpga-sw
@ -33,6 +35,8 @@ spec:
                fieldPath: spec.nodeName
        image: intel/intel-fpga-plugin:devel
        imagePullPolicy: IfNotPresent
+        securityContext:
+          readOnlyRootFilesystem: true
        volumeMounts:
        - name: devfs
          mountPath: /dev
--- a/deployments/gpu_plugin/gpu_plugin.yaml
+++ b/deployments/gpu_plugin/gpu_plugin.yaml
@ -23,6 +23,8 @@ spec:
                fieldPath: spec.nodeName
        image: intel/intel-gpu-plugin:devel
        imagePullPolicy: IfNotPresent
+        securityContext:
+          readOnlyRootFilesystem: true
        volumeMounts:
        - name: devfs
          mountPath: /dev
--- a/deployments/qat_dpdk_app/base/crypto-perf-dpdk-pod-requesting-qat.yaml
+++ b/deployments/qat_dpdk_app/base/crypto-perf-dpdk-pod-requesting-qat.yaml
@ -9,6 +9,8 @@ spec:
    imagePullPolicy: IfNotPresent
    command: [ "/bin/bash", "-c", "--" ]
    args: [ "while true; do sleep 300000; done;" ]
+    securityContext:
+      readOnlyRootFilesystem: true
    volumeMounts:
    - mountPath: /dev/hugepages
      name: hugepage
--- a/deployments/qat_plugin/qat_plugin.yaml
+++ b/deployments/qat_plugin/qat_plugin.yaml
@ -16,6 +16,8 @@ spec:
      containers:
      - name: intel-qat-plugin
        image: intel/intel-qat-plugin:devel
+        securityContext:
+          readOnlyRootFilesystem: true
        env:
        - name: DPDK_DRIVER
          valueFrom:
--- a/deployments/qat_plugin/qat_plugin_kernel_mode.yaml
+++ b/deployments/qat_plugin/qat_plugin_kernel_mode.yaml
@ -16,6 +16,7 @@ spec:
      containers:
      - name: intel-qat-kernel-plugin
        securityContext:
+          readOnlyRootFilesystem: true
          privileged: true
        image: intel/intel-qat-plugin:devel
        imagePullPolicy: IfNotPresent