fix readOnlyRootFilesystem location (#135)

fix readOnlyRootFilesystem location and make the security context fix…ed even if port is higher than 1024
metalbear-co · Dec 10, 2024 · d4ef277 · d4ef277
1 parent f02722f
commit d4ef277
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 5 deletions.
diff --git a/mirrord-operator/Chart.yaml b/mirrord-operator/Chart.yaml
@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 1.13.1
+version: 1.13.2
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

diff --git a/mirrord-operator/templates/deployment.yaml b/mirrord-operator/templates/deployment.yaml
@@ -33,16 +33,15 @@ spec:
         - {{ toYaml . }}
         {{- end }}
       {{- end }}
-      {{/* Allow low port using ip_unprivileged_port_start */}}
-      {{- if lt (int .Values.operator.port) 1024 -}}
       securityContext:
-        readOnlyRootFilesystem: true
         runAsNonRoot: true
         runAsUser: 1000
+        {{/* Allow low port using ip_unprivileged_port_start */}}
+        {{- if lt (int .Values.operator.port) 1024 -}}
         sysctls:
         - name: net.ipv4.ip_unprivileged_port_start
           value: {{ .Values.operator.port | quote}}
-      {{- end }}
+        {{- end }}
       {{- if .Values.operator.tolerations }}
       tolerations:
         {{- toYaml .Values.operator.tolerations | nindent 8 }}
@@ -145,6 +144,7 @@ spec:
         securityContext:
           allowPrivilegeEscalation: false
           privileged: false
+          readOnlyRootFilesystem: true
         volumeMounts:
         {{- if or (index .Values.tls.data "tls.key") .Values.tls.certManager.enabled }}
         - mountPath: /tls
@@ -156,6 +156,9 @@ spec:
         - mountPath: /license
           name: license-volume
         {{- end }}
+        # needed for the operator to download and use CA
+        - mountPath: /tmp
+          name: tmp
       serviceAccountName: {{ .Values.sa.name }}
       volumes:
       - name: mirrord-config-volume
@@ -176,3 +179,5 @@ spec:
         secret:
           secretName: {{ .Values.license.pemRef }}
       {{- end }}
+      - emptyDir: {}
+        name: tmp