From d56c192df83407ed1e4aad0a8c9e409fd3185c41 Mon Sep 17 00:00:00 2001
From: Khurram Baig
Date: Fri, 17 May 2024 15:05:25 +0530
Subject: [PATCH] Set readOnlyRootFilesystem as true in Controllers and Webhook

Setting readOnlyRootFilesystem to increase the security and to avoid being flagged by scanner.
---
 config/controller.yaml | 1 +
 config/events.yaml | 1 +
 config/webhook.yaml | 1 +
 3 files changed, 3 insertions(+)
diff --git a/config/controller.yaml b/config/controller.yaml
index dad4866396b..4e70e1c4a53 100644
--- a/config/controller.yaml
+++ b/config/controller.yaml
@@ -112,6 +112,7 @@ spec:
 value: tekton.dev/pipeline
 securityContext:
 allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
 capabilities:
 drop:
 - "ALL"
diff --git a/config/events.yaml b/config/events.yaml
index 088c0e28c15..03914c8a346 100644
--- a/config/events.yaml
+++ b/config/events.yaml
@@ -90,6 +90,7 @@ spec:
 value: /etc/ssl/certs
 securityContext:
 allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
 capabilities:
 drop:
 - "ALL"
diff --git a/config/webhook.yaml b/config/webhook.yaml
index 41922fa1c1b..e80a5bc93df 100644
--- a/config/webhook.yaml
+++ b/config/webhook.yaml
@@ -126,6 +126,7 @@ spec:
 value: tekton.dev/pipeline
 securityContext:
 allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
 capabilities:
 drop:
 - "ALL"
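Review bot: The new `readOnlyRootFilesystem: true` in the controller container's securityContext, and the identical additions in config/events.yaml and config/webhook.yaml, arrive with no writable volume in any of the three hunks, so any runtime write outside a mounted volume will now fail with a read-only filesystem error. The container specs start and end outside the hunks, so existing volumeMounts may already cover this; if any of the three processes writes temp or cache files, that path would need an `emptyDir` mount. Because the commit message frames the change partly as a scanner fix, I would record the constraint next to each added line, for example `# root FS is read-only: every path the process writes must be backed by a volumeMount`. It is also worth confirming in a test deploy that all three pods start and stay ready, and checking whether Deployments outside this patch should get the same setting.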