From df7492d76390e4ef242548896b59dc66d9c497a0 Mon Sep 17 00:00:00 2001
From: Mikko Ylinen
Date: Tue, 4 Feb 2020 13:39:07 +0200
Subject: [PATCH] crypto-perf: fix readonly rootfs deployment

We had securityContext specified twice and the latter was overwriting readOnlyRootFilesystem=true. With this commit, the container is properly mounted readonly. However, we need a tmpfs for DPDK runtime data so an emptyDir volume is added (NB: see kubernetes/issues/48912 for discussion on emptyDir mount options).

Signed-off-by: Mikko Ylinen
---
 .../base/crypto-perf-dpdk-pod-requesting-qat.yaml | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/deployments/qat_dpdk_app/base/crypto-perf-dpdk-pod-requesting-qat.yaml b/deployments/qat_dpdk_app/base/crypto-perf-dpdk-pod-requesting-qat.yaml
index 43eb343e..8521cbfc 100644
--- a/deployments/qat_dpdk_app/base/crypto-perf-dpdk-pod-requesting-qat.yaml
+++ b/deployments/qat_dpdk_app/base/crypto-perf-dpdk-pod-requesting-qat.yaml
@@ -9,11 +9,11 @@ spec:
     imagePullPolicy: IfNotPresent
     command: [ "/bin/bash", "-c", "--" ]
     args: [ "while true; do sleep 300000; done;" ]
-    securityContext:
-      readOnlyRootFilesystem: true
     volumeMounts:
     - mountPath: /dev/hugepages
       name: hugepage
+    - mountPath: /var/run/dpdk
+      name: dpdk-runtime
     resources:
       requests:
         cpu: "3"
@@ -26,11 +26,15 @@ spec:
         qat.intel.com/generic: '4'
         hugepages-2Mi: "128Mi"
     securityContext:
+      readOnlyRootFilesystem: true
       capabilities:
         add: ["IPC_LOCK", "SYS_ADMIN"]
   restartPolicy: Never
   volumes:
+  - name: dpdk-runtime
+    emptyDir:
+      medium: Memory
   - name: hugepage
     emptyDir:
       medium: HugePages
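Review bot: The new `dpdk-runtime` volume in the second hunk is a memory-backed emptyDir with no `sizeLimit`, so the tmpfs mounted at `/var/run/dpdk` (first hunk) is a writable, RAM-backed path whose growth is bounded only by what the node and the container's memory limit allow; it is also the one writable location left in a container that this same hunk otherwise makes read-only. Add an explicit bound under `emptyDir:`, e.g. `sizeLimit: 64Mi` (value illustrative — size it to DPDK's actual runtime footprint), and document next to the volume why a tmpfs is needed at all, e.g. `# DPDK runtime state (sockets, config) must be writable even with readOnlyRootFilesystem`. How `sizeLimit` is enforced for memory-backed volumes (eviction on overrun versus an actual tmpfs size option) depends on the cluster version; confirm against the target release. The pod's `volumes:` list and `spec:` both continue outside the hunk, so this note covers only the two volumes visible here.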