From b2ebc82209ffe3a8d6568717969ec0dbac07934c Mon Sep 17 00:00:00 2001 From: Eric <116378756+eli-gc@users.noreply.github.com> Date: Thu, 30 Nov 2023 10:17:01 -0800 Subject: [PATCH] update manifests for kiali-operator read-only root filesystem support (#729) * update manifests for kiali-operator read-only root filesystem support * set readOnlyRootFilesystem to true * add ANSIBLE_REMOTE_TEMP env var --- .../kiali.v1.78.0.clusterserviceversion.yaml | 11 ++++++++--- .../manifests/kiali.clusterserviceversion.yaml | 11 ++++++++--- .../kiali.v1.78.0.clusterserviceversion.yaml | 11 ++++++++--- 3 files changed, 24 insertions(+), 9 deletions(-) diff --git a/manifests/kiali-community/1.78.0/manifests/kiali.v1.78.0.clusterserviceversion.yaml b/manifests/kiali-community/1.78.0/manifests/kiali.v1.78.0.clusterserviceversion.yaml index adda6b58..04087195 100644 --- a/manifests/kiali-community/1.78.0/manifests/kiali.v1.78.0.clusterserviceversion.yaml +++ b/manifests/kiali-community/1.78.0/manifests/kiali.v1.78.0.clusterserviceversion.yaml @@ -254,12 +254,13 @@ spec: allowPrivilegeEscalation: false privileged: false runAsNonRoot: true + readOnlyRootFilesystem: true capabilities: drop: - ALL volumeMounts: - - mountPath: /tmp/ansible-operator/runner - name: runner + - mountPath: /tmp + name: tmp env: - name: WATCH_NAMESPACE valueFrom: @@ -295,6 +296,10 @@ spec: value: "1" - name: ANSIBLE_CONFIG value: "/etc/ansible/ansible.cfg" + - name: ANSIBLE_LOCAL_TEMP + value: "/tmp/ansible/tmp" + - name: ANSIBLE_REMOTE_TEMP + value: "/tmp/ansible/tmp" ports: - name: http-metrics containerPort: 8080 @@ -303,7 +308,7 @@ spec: cpu: "10m" memory: "64Mi" volumes: - - name: runner + - name: tmp emptyDir: {} clusterPermissions: - rules: diff --git a/manifests/kiali-ossm/manifests/kiali.clusterserviceversion.yaml b/manifests/kiali-ossm/manifests/kiali.clusterserviceversion.yaml index 880c7cee..7f24dca8 100644 --- a/manifests/kiali-ossm/manifests/kiali.clusterserviceversion.yaml 
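Review bot: The `/tmp` emptyDir that the `volumes` hunk renames to `tmp` has no `sizeLimit`, and with `readOnlyRootFilesystem: true` it is now the container's only writable path and the target of `ANSIBLE_LOCAL_TEMP`/`ANSIBLE_REMOTE_TEMP`, so runaway temp files can fill the node's disk instead of being bounded per pod; the same applies to the matching hunks in the kiali-ossm and kiali-upstream manifests. I would bound it: `- name: tmp` / `  emptyDir:` / `    sizeLimit: <TMP_SIZE_LIMIT>` (placeholder — pick a value from observed runner usage). Separately, the env hunk points Ansible at `/tmp/ansible/tmp`, a directory that does not exist on a fresh emptyDir; presumably Ansible creates it, but that, and any other write the runner makes outside `/tmp`, should be confirmed by starting the operator with the read-only root, since nothing in the diff shows them.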
+++ b/manifests/kiali-ossm/manifests/kiali.clusterserviceversion.yaml @@ -264,12 +264,13 @@ spec: allowPrivilegeEscalation: false privileged: false runAsNonRoot: true + readOnlyRootFilesystem: true capabilities: drop: - ALL volumeMounts: - - mountPath: /tmp/ansible-operator/runner - name: runner + - mountPath: /tmp + name: tmp env: - name: WATCH_NAMESPACE valueFrom: @@ -305,6 +306,10 @@ spec: value: "1" - name: ANSIBLE_CONFIG value: "/etc/ansible/ansible.cfg" + - name: ANSIBLE_LOCAL_TEMP + value: "/tmp/ansible/tmp" + - name: ANSIBLE_REMOTE_TEMP + value: "/tmp/ansible/tmp" - name: RELATED_IMAGE_kiali_default value: "${KIALI_1_73}" - name: RELATED_IMAGE_kiali_v1_73 @@ -325,7 +330,7 @@ spec: cpu: "10m" memory: "64Mi" volumes: - - name: runner + - name: tmp emptyDir: {} clusterPermissions: - rules: diff --git a/manifests/kiali-upstream/1.78.0/manifests/kiali.v1.78.0.clusterserviceversion.yaml b/manifests/kiali-upstream/1.78.0/manifests/kiali.v1.78.0.clusterserviceversion.yaml index 3e5f8c13..bf71a922 100644 --- a/manifests/kiali-upstream/1.78.0/manifests/kiali.v1.78.0.clusterserviceversion.yaml +++ b/manifests/kiali-upstream/1.78.0/manifests/kiali.v1.78.0.clusterserviceversion.yaml @@ -205,12 +205,13 @@ spec: allowPrivilegeEscalation: false privileged: false runAsNonRoot: true + readOnlyRootFilesystem: true capabilities: drop: - ALL volumeMounts: - - mountPath: /tmp/ansible-operator/runner - name: runner + - mountPath: /tmp + name: tmp env: - name: WATCH_NAMESPACE valueFrom: @@ -242,6 +243,10 @@ spec: value: "1" - name: ANSIBLE_CONFIG value: "/etc/ansible/ansible.cfg" + - name: ANSIBLE_LOCAL_TEMP + value: "/tmp/ansible/tmp" + - name: ANSIBLE_REMOTE_TEMP + value: "/tmp/ansible/tmp" ports: - name: http-metrics containerPort: 8080 @@ -250,7 +255,7 @@ spec: cpu: "10m" memory: "64Mi" volumes: - - name: runner + - name: tmp emptyDir: {} clusterPermissions: - rules: