From 7520f9b8e789dfa299b837c5ac640891ecbafc58 Mon Sep 17 00:00:00 2001
From: Rahul Khiyani
Date: Thu, 7 Mar 2019 00:30:52 -0500
Subject: [PATCH] readOnlyRootFilesystem: true for Calico chart

Fix for adding readOnlyRootFilesystem flag at pod level

Change-Id: I79fd55e582487ffe91a750a51c7a2c5bed13f777
---
 calico/templates/daemonset-calico-etcd.yaml              | 2 ++
 calico/templates/daemonset-calico-node.yaml              | 2 ++
 calico/templates/deployment-calico-kube-controllers.yaml | 2 ++
 3 files changed, 6 insertions(+)

diff --git a/calico/templates/daemonset-calico-etcd.yaml b/calico/templates/daemonset-calico-etcd.yaml
index b77e8631c..a518dcb8e 100644
--- a/calico/templates/daemonset-calico-etcd.yaml
+++ b/calico/templates/daemonset-calico-etcd.yaml
@@ -50,6 +50,8 @@ spec:
 # a failure. This annotation works in tandem with the toleration below.
 scheduler.alpha.kubernetes.io/critical-pod: ''
 spec:
+ securityContext:
+ readOnlyRootFilesystem: true
 serviceAccountName: {{ $serviceAccountName }}
 tolerations:
 # This taint is set by all kubelets running `--cloud-provider=external`
diff --git a/calico/templates/daemonset-calico-node.yaml b/calico/templates/daemonset-calico-node.yaml
index 0a0f56502..4fbb3fed7 100644
--- a/calico/templates/daemonset-calico-node.yaml
+++ b/calico/templates/daemonset-calico-node.yaml
@@ -118,6 +118,8 @@ spec:
 {{ tuple $prometheus_annotations | include "helm-toolkit.snippets.prometheus_pod_annotations" | indent 8 }}
 {{- end }}
 spec:
+ securityContext:
+ readOnlyRootFilesystem: true
 nodeSelector:
 beta.kubernetes.io/os: linux
 hostNetwork: true
diff --git a/calico/templates/deployment-calico-kube-controllers.yaml b/calico/templates/deployment-calico-kube-controllers.yaml
index 9ae9ca581..b06e7be07 100644
--- a/calico/templates/deployment-calico-kube-controllers.yaml
+++ b/calico/templates/deployment-calico-kube-controllers.yaml
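Review bot: `readOnlyRootFilesystem` is not a field of the pod-level `securityContext` (PodSecurityContext); it exists only on a container's `securityContext`, so the two lines added directly under `spec:` in this hunk are either rejected as an unknown field or, on an API server that drops unknown fields, silently discarded while the containers keep a writable root filesystem and the chart merely looks hardened. The same pod-level placement is used in the hunks for daemonset-calico-node.yaml and deployment-calico-kube-controllers.yaml. Move the setting into each container entry instead, `securityContext:` followed by `readOnlyRootFilesystem: true` nested under the container, and for any container that writes to its own image filesystem add an `emptyDir` volume for that path; whether these Calico containers do so cannot be judged from the visible context. The container definitions and the rest of the pod `spec:` block lie outside the hunk.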
@@ -92,6 +92,8 @@ spec:
 configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
 configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
 spec:
+ securityContext:
+ readOnlyRootFilesystem: true
 nodeSelector:
 beta.kubernetes.io/os: linux
 # The controllers must run in the host network namespace so that