fix(policy-server): Run the policy server with readonly root

Ensure the Policy Server container runs with a readonly root filesystem. This improves the security of the project. This partially addresses kubewarden/helm-charts#51 Signed-off-by: Flavio Castelli <[email protected]>
flavio · Jan 20, 2022 · 715f074 · 715f074
1 parent 3aaa1f4
commit 715f074
Showing 1 changed file with 5 additions and 0 deletions.
diff --git a/internal/pkg/admission/policy-server-deployment.go b/internal/pkg/admission/policy-server-deployment.go
@@ -292,6 +292,11 @@ func (r *Reconciler) deployment(configMapVersion string, policyServer *policiesv
 			},
 		)
 	}
+	enableReadOnlyFilesystem := true
+	admissionContainerSecurityContext := corev1.SecurityContext{
+		ReadOnlyRootFilesystem: &enableReadOnlyFilesystem,
+	}
+	admissionContainer.SecurityContext = &admissionContainerSecurityContext
 
 	templateAnnotations := policyServer.Spec.Annotations
 	if templateAnnotations == nil {