deployments: set readOnlyRootFilesystem

mythi · mythi · commit 7a8ff9ccc1ac · 2019-08-30T12:53:17.000+03:00
Signed-off-by: Mikko Ylinen &lt;mikko.ylinen@intel.com&gt;
diff --git a/deployments/fpga_admissionwebhook/deployment-tpl.yaml b/deployments/fpga_admissionwebhook/deployment-tpl.yaml
@@ -15,6 +15,8 @@ spec:
         - name: fpga-mutator
           image: intel/intel-fpga-admissionwebhook:devel
           imagePullPolicy: IfNotPresent
+          securityContext:
+            readOnlyRootFilesystem: true
           args:
             - -tls-cert-file=/etc/webhook/certs/cert.pem
             - -tls-private-key-file=/etc/webhook/certs/key.pem
diff --git a/deployments/fpga_plugin/fpga_plugin.yaml b/deployments/fpga_plugin/fpga_plugin.yaml
@@ -19,6 +19,8 @@ spec:
       - name: intel-fpga-initcontainer
         image: intel/intel-fpga-initcontainer:devel
         imagePullPolicy: IfNotPresent
+        securityContext:
+          readOnlyRootFilesystem: true
         volumeMounts:
         - mountPath: /opt/intel/fpga-sw
           name: intel-fpga-sw
@@ -33,6 +35,8 @@ spec:
                 fieldPath: spec.nodeName
         image: intel/intel-fpga-plugin:devel
         imagePullPolicy: IfNotPresent
+        securityContext:
+          readOnlyRootFilesystem: true
         volumeMounts:
         - name: devfs
           mountPath: /dev
diff --git a/deployments/gpu_plugin/gpu_plugin.yaml b/deployments/gpu_plugin/gpu_plugin.yaml
@@ -23,6 +23,8 @@ spec:
                 fieldPath: spec.nodeName
         image: intel/intel-gpu-plugin:devel
         imagePullPolicy: IfNotPresent
+        securityContext:
+          readOnlyRootFilesystem: true
         volumeMounts:
         - name: devfs
           mountPath: /dev
diff --git a/deployments/qat_dpdk_app/base/crypto-perf-dpdk-pod-requesting-qat.yaml b/deployments/qat_dpdk_app/base/crypto-perf-dpdk-pod-requesting-qat.yaml
@@ -9,6 +9,8 @@ spec:
     imagePullPolicy: IfNotPresent
     command: [ "/bin/bash", "-c", "--" ]
     args: [ "while true; do sleep 300000; done;" ]
+    securityContext:
+      readOnlyRootFilesystem: true
     volumeMounts:
     - mountPath: /dev/hugepages
       name: hugepage
diff --git a/deployments/qat_plugin/qat_plugin.yaml b/deployments/qat_plugin/qat_plugin.yaml
@@ -16,6 +16,8 @@ spec:
       containers:
       - name: intel-qat-plugin
         image: intel/intel-qat-plugin:devel
+        securityContext:
+          readOnlyRootFilesystem: true
         env:
         - name: DPDK_DRIVER
           valueFrom:
diff --git a/deployments/qat_plugin/qat_plugin_kernel_mode.yaml b/deployments/qat_plugin/qat_plugin_kernel_mode.yaml
@@ -16,6 +16,7 @@ spec:
       containers:
       - name: intel-qat-kernel-plugin
         securityContext:
+          readOnlyRootFilesystem: true
           privileged: true
         image: intel/intel-qat-plugin:devel
         imagePullPolicy: IfNotPresent
