diff --git a/config/clustersync/statefulset.yaml b/config/clustersync/statefulset.yaml
index bbd1f0a580e..2ebbe198d4c 100644
--- a/config/clustersync/statefulset.yaml
+++ b/config/clustersync/statefulset.yaml
@@ -54,6 +54,14 @@ spec:
 fieldPath: metadata.name
 - name: HIVE_SKIP_LEADER_ELECTION
 value: "true"
+ - name: TMPDIR
+ value: /tmp
+ volumeMounts:
+ - name: tmp
+ mountPath: /tmp
+ securityContext:
+ privileged: false
+ readOnlyRootFilesystem: true
 livenessProbe:
 failureThreshold: 3
 httpGet:
@@ -72,3 +80,6 @@ spec:
 periodSeconds: 10
 successThreshold: 1
 timeoutSeconds: 1
+ volumes:
+ - name: tmp
+ emptyDir: {}
diff --git a/config/controllers/deployment.yaml b/config/controllers/deployment.yaml
index 744499a69fa..606c01acb87 100644
--- a/config/controllers/deployment.yaml
+++ b/config/controllers/deployment.yaml
@@ -25,6 +25,8 @@ spec:
 volumes:
 - name: kubectl-cache
 emptyDir: {}
+ - name: tmp
+ emptyDir: {}
 containers:
 # By default we will use the latest CI images published from hive master:
 - image: registry.ci.openshift.org/openshift/hive-v4.0:hive
@@ -42,6 +44,8 @@ spec:
 volumeMounts:
 - name: kubectl-cache
 mountPath: /var/cache/kubectl
+ - name: tmp
+ mountPath: /tmp
 env:
 - name: CLI_CACHE_DIR
 value: /var/cache/kubectl
@@ -49,6 +53,11 @@ spec:
 valueFrom:
 fieldRef:
 fieldPath: metadata.namespace
+ - name: TMPDIR
+ value: /tmp
+ securityContext:
+ privileged: false
+ readOnlyRootFilesystem: true
 readinessProbe:
 httpGet:
 path: /readyz
diff --git a/config/hiveadmission/deployment.yaml b/config/hiveadmission/deployment.yaml
index c816495ce94..7727f47ff7e 100644
--- a/config/hiveadmission/deployment.yaml
+++ b/config/hiveadmission/deployment.yaml
@@ -42,9 +42,17 @@ spec:
 envFrom:
 - configMapRef:
 name: hive-feature-gates
+ env:
+ - name: TMPDIR
+ value: /tmp
 volumeMounts:
 - mountPath: /var/serving-cert
 name: serving-cert
+ - name: tmp
+ mountPath: /tmp
+ securityContext:
+ privileged: false
+ readOnlyRootFilesystem: true
 readinessProbe:
 httpGet:
 path: /healthz
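Review bot: The new container securityContext in the `@@ -54,6 +54,14 @@` hunk sets only `privileged: false` (already the default) and `readOnlyRootFilesystem: true`, which still leaves the container short of the restricted Pod Security Standard; the identical block is repeated in the controllers (`@@ -49,6 +53,11 @@`), hiveadmission (`@@ -42,9 +42,17 @@`), operator (`@@ -57,6 +61,11 @@`) and saas-template (`@@ -7615,14 +7617,21 @@`) hunks. Since each of these pods is being hardened anyway, I would extend every block with `allowPrivilegeEscalation: false`, a drop-all capability set and a RuntimeDefault seccomp profile, plus `runAsNonRoot: true` where the image is known not to need root, or leave a comment saying why those are deliberately omitted. `TMPDIR=/tmp` redirects Go's os.TempDir and most CLI tools, but any code that writes under `$HOME` or elsewhere on the root filesystem will presumably now fail at runtime rather than at manifest apply time, so this deserves an e2e run to confirm nothing writes outside `/tmp` and the kubectl cache mount.
```yaml
securityContext:
  privileged: false
  readOnlyRootFilesystem: true
  allowPrivilegeEscalation: false
  runAsNonRoot: true  # only if the image's default user is non-root; verify
  capabilities:
    drop:
      - ALL
  seccompProfile:
    type: RuntimeDefault
```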
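Review bot: The `tmp` emptyDir introduced in the `@@ -72,3 +80,6 @@` hunk has no `sizeLimit`, so a leaked or runaway temp file can consume the node's ephemeral storage instead of being contained to this pod; the same unbounded emptyDir is added in the controllers (`@@ -25,6 +25,8 @@`), hiveadmission (`@@ -55,3 +63,5 @@`), operator (`@@ -30,6 +30,8 @@`) and saas-template (`@@ -7615,14 +7617,21 @@`) hunks. I would bound each one, e.g. `emptyDir:` / `sizeLimit: <SIZE>` where the size is chosen from what these processes actually write under TMPDIR; exceeding the limit evicts only the pod, which is a far cleaner failure mode than filling the node. Whatever value is picked should be the same across the five manifests so the generated bindata stays consistent with config/.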
@@ -55,3 +63,5 @@ spec:
 secret:
 defaultMode: 420
 secretName: hiveadmission-serving-cert
+ - name: tmp
+ emptyDir: {}
diff --git a/config/operator/operator_deployment.yaml b/config/operator/operator_deployment.yaml
index fccd064286b..72cec126145 100644
--- a/config/operator/operator_deployment.yaml
+++ b/config/operator/operator_deployment.yaml
@@ -30,6 +30,8 @@ spec:
 volumes:
 - name: kubectl-cache
 emptyDir: {}
+ - name: tmp
+ emptyDir: {}
 containers:
 # By default we will use the latest CI images published from hive master:
 - image: registry.ci.openshift.org/openshift/hive-v4.0:hive
@@ -50,6 +52,8 @@ spec:
 volumeMounts:
 - name: kubectl-cache
 mountPath: /var/cache/kubectl
+ - name: tmp
+ mountPath: /tmp
 env:
 - name: CLI_CACHE_DIR
 value: /var/cache/kubectl
@@ -57,6 +61,11 @@ spec:
 valueFrom:
 fieldRef:
 fieldPath: metadata.namespace
+ - name: TMPDIR
+ value: /tmp
+ securityContext:
+ privileged: false
+ readOnlyRootFilesystem: true
 readinessProbe:
 httpGet:
 path: /readyz
diff --git a/hack/app-sre/saas-template.yaml b/hack/app-sre/saas-template.yaml
index 802eaaaa0e1..81312914b79 100644
--- a/hack/app-sre/saas-template.yaml
+++ b/hack/app-sre/saas-template.yaml
@@ -7596,6 +7596,8 @@ objects:
 valueFrom:
 fieldRef:
 fieldPath: metadata.namespace
+ - name: TMPDIR
+ value: /tmp
 image: ${REGISTRY_IMG}@${IMAGE_DIGEST}
 imagePullPolicy: Always
 livenessProbe:
@@ -7615,14 +7617,21 @@ objects:
 requests:
 cpu: 100m
 memory: 256Mi
+ securityContext:
+ privileged: false
+ readOnlyRootFilesystem: true
 volumeMounts:
 - mountPath: /var/cache/kubectl
 name: kubectl-cache
+ - mountPath: /tmp
+ name: tmp
 serviceAccountName: hive-operator
 terminationGracePeriodSeconds: 10
 volumes:
 - emptyDir: {}
 name: kubectl-cache
+ - emptyDir: {}
+ name: tmp
 parameters:
 - name: REGISTRY_IMG
 required: true
diff --git a/pkg/operator/assets/bindata.go b/pkg/operator/assets/bindata.go
index 8f84f71ece4..42130dcf66b 100644
--- a/pkg/operator/assets/bindata.go
+++ b/pkg/operator/assets/bindata.go
@@ -177,6 +177,14 @@ spec: fieldPath: metadata.name - name: HIVE_SKIP_LEADER_ELECTION value: "true" + - name: TMPDIR + value: /tmp + volumeMounts: + - name: tmp + mountPath: /tmp + securityContext: + privileged: false + readOnlyRootFilesystem: true livenessProbe: failureThreshold: 3 httpGet: @@ -195,6 +203,9 @@ spec: periodSeconds: 10 successThreshold: 1 timeoutSeconds: 1 + volumes: + - name: tmp + emptyDir: {} `) func configClustersyncStatefulsetYamlBytes() ([]byte, error) { @@ -436,9 +447,17 @@ spec: envFrom: - configMapRef: name: hive-feature-gates + env: + - name: TMPDIR + value: /tmp volumeMounts: - mountPath: /var/serving-cert name: serving-cert + - name: tmp + mountPath: /tmp + securityContext: + privileged: false + readOnlyRootFilesystem: true readinessProbe: httpGet: path: /healthz @@ -449,6 +468,8 @@ spec: secret: defaultMode: 420 secretName: hiveadmission-serving-cert + - name: tmp + emptyDir: {} `) func configHiveadmissionDeploymentYamlBytes() ([]byte, error) { @@ -858,6 +879,8 @@ spec: volumes: - name: kubectl-cache emptyDir: {} + - name: tmp + emptyDir: {} containers: # By default we will use the latest CI images published from hive master: - image: registry.ci.openshift.org/openshift/hive-v4.0:hive @@ -875,6 +898,8 @@ spec: volumeMounts: - name: kubectl-cache mountPath: /var/cache/kubectl + - name: tmp + mountPath: /tmp env: - name: CLI_CACHE_DIR value: /var/cache/kubectl @@ -882,6 +907,11 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace + - name: TMPDIR + value: /tmp + securityContext: + privileged: false + readOnlyRootFilesystem: true readinessProbe: httpGet: path: /readyz