R/O root fs

stackrox · Apr 22, 2024 · 4e7288b · 4e7288b
1 parent 27fb617
commit 4e7288b
Showing 1 changed file with 4 additions and 1 deletion.
diff --git a/deploy/deployment.yaml.gotpl b/deploy/deployment.yaml.gotpl
@@ -73,8 +73,9 @@ spec:
               name: pull-secret
               readOnly: true
             {{ end }}
-          {{ if .NeedsPrivileged }}
           securityContext:
+            readOnlyRootFilesystem: true
+          {{ if .NeedsPrivileged }}
             privileged: true
           {{ end }}
       containers:
@@ -83,6 +84,8 @@ spec:
           args:
             - "/image-prefetcher"
             - "sleep"
+          securityContext:
+            readOnlyRootFilesystem: true
       volumes:
         - name: cri-socket-dir
           hostPath: