diff --git a/deploy/cluster-manager/config/operator/operator.yaml b/deploy/cluster-manager/config/operator/operator.yaml
index 4b2181988..e226e7ab7 100644
--- a/deploy/cluster-manager/config/operator/operator.yaml
+++ b/deploy/cluster-manager/config/operator/operator.yaml
@@ -55,6 +55,7 @@ spec:
 - ALL
 privileged: false
 runAsNonRoot: true
+ readOnlyRootFilesystem: true
 livenessProbe:
 httpGet:
 path: /healthz
@@ -72,3 +73,9 @@ spec:
 requests:
 cpu: 2m
 memory: 16Mi
+ volumeMounts:
+ - name: tmpdir
+ mountPath: /tmp
+ volumes:
+ - name: tmpdir
+ emptyDir: { }
diff --git a/deploy/cluster-manager/olm-catalog/cluster-manager/manifests/cluster-manager.clusterserviceversion.yaml b/deploy/cluster-manager/olm-catalog/cluster-manager/manifests/cluster-manager.clusterserviceversion.yaml
index 4df082f86..f73d008e7 100644
--- a/deploy/cluster-manager/olm-catalog/cluster-manager/manifests/cluster-manager.clusterserviceversion.yaml
+++ b/deploy/cluster-manager/olm-catalog/cluster-manager/manifests/cluster-manager.clusterserviceversion.yaml
@@ -59,7 +59,7 @@ metadata:
 categories: Integration & Delivery,OpenShift Optional
 certified: "false"
 containerImage: quay.io/open-cluster-management/registration-operator:latest
- createdAt: "2023-11-30T07:06:56Z"
+ createdAt: "2023-12-07T15:16:47Z"
 description: Manages the installation and upgrade of the ClusterManager.
 operators.operatorframework.io/builder: operator-sdk-v1.32.0
 operators.operatorframework.io/project_layout: go.kubebuilder.io/v3
@@ -575,8 +575,15 @@ spec:
 drop:
 - ALL
 privileged: false
+ readOnlyRootFilesystem: true
 runAsNonRoot: true
+ volumeMounts:
+ - mountPath: /tmp
+ name: tmpdir
 serviceAccountName: cluster-manager
+ volumes:
+ - emptyDir: {}
+ name: tmpdir
 strategy: deployment
 installModes:
 - supported: true
diff --git a/deploy/klusterlet/config/operator/operator.yaml b/deploy/klusterlet/config/operator/operator.yaml
index b65efba6e..3930c5c04 100644
--- a/deploy/klusterlet/config/operator/operator.yaml
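Review bot: The `tmpdir` emptyDir added after `memory: 16Mi` carries no `sizeLimit`, so with the root filesystem now read-only every write the operator makes to /tmp goes into a node-backed volume whose growth is bounded by nothing declared in this manifest. A cap such as `emptyDir:` with `sizeLimit: 64Mi` (value to be chosen by the maintainers) turns a runaway temp file into a pod eviction instead of node disk pressure, and the same applies to the tmpdir volumes in deploy/klusterlet/config/operator/operator.yaml, both clusterserviceversion files and the addon-manager, manifestworkreplicaset, placement and registration deployment templates. The flow mapping is spelled `{ }` here and in the templates but `{}` in the generated CSVs; `{}` is the conventional form and keeps hand-written and generated manifests diffable. The pod spec that owns these volumes continues outside the hunk.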
+++ b/deploy/klusterlet/config/operator/operator.yaml
@@ -58,6 +58,8 @@ spec:
 drop:
 - ALL
 privileged: false
+ runAsNonRoot: true
+ readOnlyRootFilesystem: true
 livenessProbe:
 httpGet:
 path: /healthz
@@ -75,6 +77,13 @@ spec:
 requests:
 cpu: 2m
 memory: 16Mi
+ volumeMounts:
+ - name: tmpdir
+ mountPath: /tmp
+ volumes:
+ - name: tmpdir
+ emptyDir: { }
+
 # Uncomment the following configuration lines to add hostAliases for hub api server,
 # if the server field in your hub cluster kubeconfig is a domain name instead of an ipv4 address.
 # For example, https://xxx.yyy.zzz.
diff --git a/deploy/klusterlet/olm-catalog/klusterlet/manifests/klusterlet.clusterserviceversion.yaml b/deploy/klusterlet/olm-catalog/klusterlet/manifests/klusterlet.clusterserviceversion.yaml
index 67312ed5d..a3d4427c6 100644
--- a/deploy/klusterlet/olm-catalog/klusterlet/manifests/klusterlet.clusterserviceversion.yaml
+++ b/deploy/klusterlet/olm-catalog/klusterlet/manifests/klusterlet.clusterserviceversion.yaml
@@ -31,7 +31,7 @@ metadata:
 categories: Integration & Delivery,OpenShift Optional
 certified: "false"
 containerImage: quay.io/open-cluster-management/registration-operator:latest
- createdAt: "2023-11-30T08:06:17Z"
+ createdAt: "2023-12-07T15:16:47Z"
 description: Manages the installation and upgrade of the Klusterlet.
 operators.operatorframework.io/builder: operator-sdk-v1.32.0
 operators.operatorframework.io/project_layout: go.kubebuilder.io/v3
@@ -336,9 +336,17 @@ spec:
 drop:
 - ALL
 privileged: false
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ volumeMounts:
+ - mountPath: /tmp
+ name: tmpdir
 securityContext:
 runAsNonRoot: true
 serviceAccountName: klusterlet
+ volumes:
+ - emptyDir: {}
+ name: tmpdir
 strategy: deployment
 installModes:
 - supported: true
diff --git a/manifests/cluster-manager/management/cluster-manager-addon-manager-deployment.yaml b/manifests/cluster-manager/management/cluster-manager-addon-manager-deployment.yaml
index 3f59d3c01..a2c01b430 100644
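Review bot: `runAsNonRoot: true` added above `readOnlyRootFilesystem: true` makes the kubelet refuse to start the container unless the image declares a numeric non-root user or the securityContext also sets `runAsUser`; with a symbolic USER, or none at all, the pod sits in CreateContainerConfigError instead of running. The image is not visible in this hunk (the CSVs reference `quay.io/open-cluster-management/registration-operator:latest`), so this is worth confirming against the image definition or pinning `runAsUser` explicitly. The klusterlet clusterserviceversion hunk at `@@ -336,9 +336,17 @@` adds the same key at container level while the pod-level `securityContext:` / `runAsNonRoot: true` context lines already set it — harmless, but one of the two is redundant. The container's securityContext starts before this hunk.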
--- a/manifests/cluster-manager/management/cluster-manager-addon-manager-deployment.yaml
+++ b/manifests/cluster-manager/management/cluster-manager-addon-manager-deployment.yaml
@@ -64,6 +64,7 @@ spec:
 - ALL
 privileged: false
 runAsNonRoot: true
+ readOnlyRootFilesystem: true
 livenessProbe:
 httpGet:
 path: /healthz
@@ -81,12 +82,18 @@ spec:
 requests:
 cpu: 2m
 memory: 16Mi
- {{ if .HostedMode }}
 volumeMounts:
+ - name: tmpdir
+ mountPath: /tmp
+ {{ if .HostedMode }}
 - mountPath: /var/run/secrets/hub
 name: kubeconfig
 readOnly: true
+ {{ end }}
 volumes:
+ - name: tmpdir
+ emptyDir: { }
+ {{ if .HostedMode }}
 - name: kubeconfig
 secret:
 secretName: addon-manager-controller-sa-kubeconfig
diff --git a/manifests/cluster-manager/management/cluster-manager-manifestworkreplicaset-deployment.yaml b/manifests/cluster-manager/management/cluster-manager-manifestworkreplicaset-deployment.yaml
index 57a93e794..0a9d47afc 100644
--- a/manifests/cluster-manager/management/cluster-manager-manifestworkreplicaset-deployment.yaml
+++ b/manifests/cluster-manager/management/cluster-manager-manifestworkreplicaset-deployment.yaml
@@ -61,6 +61,7 @@ spec:
 - ALL
 privileged: false
 runAsNonRoot: true
+ readOnlyRootFilesystem: true
 livenessProbe:
 httpGet:
 path: /healthz
@@ -79,12 +80,16 @@ spec:
 cpu: 2m
 memory: 16Mi
 volumeMounts:
+ - name: tmpdir
+ mountPath: /tmp
 {{ if .HostedMode }}
 - mountPath: /var/run/secrets/hub
 name: kubeconfig
 readOnly: true
 {{ end }}
 volumes:
+ - name: tmpdir
+ emptyDir: { }
 {{ if .HostedMode }}
 - name: kubeconfig
 secret:
diff --git a/manifests/cluster-manager/management/cluster-manager-placement-deployment.yaml b/manifests/cluster-manager/management/cluster-manager-placement-deployment.yaml
index 39729f612..757fa4781 100644
--- a/manifests/cluster-manager/management/cluster-manager-placement-deployment.yaml
+++ b/manifests/cluster-manager/management/cluster-manager-placement-deployment.yaml
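Review bot: The removed `{{ if .HostedMode }}` wrapped the whole volumeMounts/volumes section, and the hunk replaces it with two narrower conditionals but adds only one `{{ end }}`; the one closing the second `{{ if .HostedMode }}` under `volumes:` has to be the pre-existing `{{ end }}` after `secretName: addon-manager-controller-sa-kubeconfig`, which lies outside the hunk. Because the template engine emits text that is only afterwards parsed as YAML, rendering with HostedMode both true and false and checking that the `- mountPath` / `- name` items keep the indentation of the sibling `tmpdir` entries is the only way to see that the result is well-formed in both modes. The same restructuring appears in the placement and registration deployment templates; the manifestworkreplicaset template already had the narrower shape and only gains the two tmpdir entries.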
@@ -60,6 +60,7 @@ spec:
 - ALL
 privileged: false
 runAsNonRoot: true
+ readOnlyRootFilesystem: true
 livenessProbe:
 httpGet:
 path: /healthz
@@ -77,12 +78,18 @@ spec:
 requests:
 cpu: 2m
 memory: 16Mi
- {{ if .HostedMode }}
 volumeMounts:
+ - name: tmpdir
+ mountPath: /tmp
+ {{ if .HostedMode }}
 - mountPath: /var/run/secrets/hub
 name: kubeconfig
 readOnly: true
+ {{ end }}
 volumes:
+ - name: tmpdir
+ emptyDir: { }
+ {{ if .HostedMode }}
 - name: kubeconfig
 secret:
 secretName: placement-controller-sa-kubeconfig
diff --git a/manifests/cluster-manager/management/cluster-manager-registration-deployment.yaml b/manifests/cluster-manager/management/cluster-manager-registration-deployment.yaml
index 456680b15..a3e96e2eb 100644
--- a/manifests/cluster-manager/management/cluster-manager-registration-deployment.yaml
+++ b/manifests/cluster-manager/management/cluster-manager-registration-deployment.yaml
@@ -68,6 +68,7 @@ spec:
 - ALL
 privileged: false
 runAsNonRoot: true
+ readOnlyRootFilesystem: true
 livenessProbe:
 httpGet:
 path: /healthz
@@ -85,12 +86,18 @@ spec:
 requests:
 cpu: 2m
 memory: 16Mi
- {{ if .HostedMode }}
 volumeMounts:
+ - name: tmpdir
+ mountPath: /tmp
+ {{ if .HostedMode }}
 - mountPath: /var/run/secrets/hub
 name: kubeconfig
 readOnly: true
+ {{ end }}
 volumes:
+ - name: tmpdir
+ emptyDir: { }
+ {{ if .HostedMode }}
 - name: kubeconfig
 secret:
 secretName: registration-controller-sa-kubeconfig
diff --git a/manifests/cluster-manager/management/cluster-manager-registration-webhook-deployment.yaml b/manifests/cluster-manager/management/cluster-manager-registration-webhook-deployment.yaml
index 1d289320c..c48f3fb12 100644
--- a/manifests/cluster-manager/management/cluster-manager-registration-webhook-deployment.yaml
+++ b/manifests/cluster-manager/management/cluster-manager-registration-webhook-deployment.yaml
@@ -67,6 +67,7 @@ spec:
 - ALL
 privileged: false
 runAsNonRoot: true
+ readOnlyRootFilesystem: true
 livenessProbe:
 httpGet:
 path: /healthz
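Review bot: `readOnlyRootFilesystem: true` is added to the registration-webhook container without any writable volume, unlike the operator and controller deployments in this commit, which pair it with a `tmpdir` emptyDir at /tmp; the work-webhook, klusterlet-agent, klusterlet-registration and klusterlet-work deployments are in the same position. Any path these processes write outside their mounted volumes, temp files for example, now fails with a read-only filesystem error at runtime rather than at deploy time, and the `livenessProbe` in the hunk would only surface that as restarts. If these binaries genuinely never write, a comment such as `# no writable volume: this container is not expected to write outside mounted volumes` above the key would record that the omission is deliberate; otherwise add the same tmpdir volume for consistency. The container spec and the pod's volumes list continue outside the hunk.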
diff --git a/manifests/cluster-manager/management/cluster-manager-work-webhook-deployment.yaml b/manifests/cluster-manager/management/cluster-manager-work-webhook-deployment.yaml
index 0995fe42d..93ffa2f5f 100644
--- a/manifests/cluster-manager/management/cluster-manager-work-webhook-deployment.yaml
+++ b/manifests/cluster-manager/management/cluster-manager-work-webhook-deployment.yaml
@@ -61,6 +61,7 @@ spec:
 - ALL
 privileged: false
 runAsNonRoot: true
+ readOnlyRootFilesystem: true
 livenessProbe:
 httpGet:
 path: /healthz
diff --git a/manifests/klusterlet/management/klusterlet-agent-deployment.yaml b/manifests/klusterlet/management/klusterlet-agent-deployment.yaml
index de7f2e8f5..8ef5e2abc 100644
--- a/manifests/klusterlet/management/klusterlet-agent-deployment.yaml
+++ b/manifests/klusterlet/management/klusterlet-agent-deployment.yaml
@@ -96,6 +96,7 @@ spec:
 - ALL
 privileged: false
 runAsNonRoot: true
+ readOnlyRootFilesystem: true
 volumeMounts:
 - name: bootstrap-secret
 mountPath: "/spoke/bootstrap"
diff --git a/manifests/klusterlet/management/klusterlet-registration-deployment.yaml b/manifests/klusterlet/management/klusterlet-registration-deployment.yaml
index 045b4f7b2..d96918a18 100644
--- a/manifests/klusterlet/management/klusterlet-registration-deployment.yaml
+++ b/manifests/klusterlet/management/klusterlet-registration-deployment.yaml
@@ -87,6 +87,7 @@ spec:
 - ALL
 privileged: false
 runAsNonRoot: true
+ readOnlyRootFilesystem: true
 volumeMounts:
 - name: bootstrap-secret
 mountPath: "/spoke/bootstrap"
diff --git a/manifests/klusterlet/management/klusterlet-work-deployment.yaml b/manifests/klusterlet/management/klusterlet-work-deployment.yaml
index 2146ff9f7..e17809f31 100644
--- a/manifests/klusterlet/management/klusterlet-work-deployment.yaml
+++ b/manifests/klusterlet/management/klusterlet-work-deployment.yaml
@@ -82,6 +82,7 @@ spec:
 - ALL
 privileged: false
 runAsNonRoot: true
+ readOnlyRootFilesystem: true
 volumeMounts:
 - name: hub-kubeconfig-secret
 mountPath: "/spoke/hub-kubeconfig"