Merge pull request #300 from lunarwhite/rorfs

openshift-merge-bot[bot] · web-flow · commit 4b0bd81db1b6 · 2025-08-14T12:50:39.000Z
CM-674: Enable ReadOnly Root Filesystem for operator controller
diff --git a/bundle/manifests/cert-manager-operator.clusterserviceversion.yaml b/bundle/manifests/cert-manager-operator.clusterserviceversion.yaml
@@ -693,15 +693,22 @@ spec:
                     drop:
                     - ALL
                   privileged: false
+                  readOnlyRootFilesystem: true
                   runAsNonRoot: true
                   seccompProfile:
                     type: RuntimeDefault
+                volumeMounts:
+                - mountPath: /tmp
+                  name: tmp
               securityContext:
                 runAsNonRoot: true
                 seccompProfile:
                   type: RuntimeDefault
               serviceAccountName: cert-manager-operator-controller-manager
               terminationGracePeriodSeconds: 10
+              volumes:
+              - emptyDir: {}
+                name: tmp
       permissions:
       - rules:
         - apiGroups:
diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml
@@ -105,6 +105,7 @@ spec:
                 - 'ALL'
             privileged: false
             runAsNonRoot: true
+            readOnlyRootFilesystem: true
             seccompProfile:
               type: 'RuntimeDefault'
           ports:
@@ -115,5 +116,11 @@ spec:
             requests:
               cpu: 10m
               memory: 32Mi
+          volumeMounts:
+            - name: tmp
+              mountPath: /tmp
       serviceAccountName: controller-manager
       terminationGracePeriodSeconds: 10
+      volumes:
+        - name: tmp
+          emptyDir: {}
