readOnlyRootFilesystem: true for Calico chart

Fix for adding readOnlyRootFilesystem flag at pod level Change-Id: I79fd55e582487ffe91a750a51c7a2c5bed13f777
2019-03-07 00:30:52 -05:00 · 2019-03-07 00:30:52 -05:00 · 7520f9b8e7
parent e836707ad0
commit 7520f9b8e7
3 changed files with 6 additions and 0 deletions
--- a/calico/templates/daemonset-calico-etcd.yaml
+++ b/calico/templates/daemonset-calico-etcd.yaml
@ -50,6 +50,8 @@ spec:
        # a failure.  This annotation works in tandem with the toleration below.
        scheduler.alpha.kubernetes.io/critical-pod: ''
    spec:
+      securityContext:
+        readOnlyRootFilesystem: true
      serviceAccountName: {{ $serviceAccountName }}
      tolerations:
        # This taint is set by all kubelets running `--cloud-provider=external`
--- a/calico/templates/daemonset-calico-node.yaml
+++ b/calico/templates/daemonset-calico-node.yaml
@ -118,6 +118,8 @@ spec:
 {{ tuple $prometheus_annotations | include "helm-toolkit.snippets.prometheus_pod_annotations" | indent 8 }}
 {{- end }}
    spec:
+      securityContext:
+        readOnlyRootFilesystem: true
      nodeSelector:
        beta.kubernetes.io/os: linux
      hostNetwork: true
--- a/calico/templates/deployment-calico-kube-controllers.yaml
+++ b/calico/templates/deployment-calico-kube-controllers.yaml
@ -92,6 +92,8 @@ spec:
        configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
        configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
    spec:
+      securityContext:
+        readOnlyRootFilesystem: true
      nodeSelector:
        beta.kubernetes.io/os: linux
      # The controllers must run in the host network namespace so that