From 2ba311b5ba307f99423844e362012bf583e2a15f Mon Sep 17 00:00:00 2001 From: Jan Jansen Date: Mon, 6 Mar 2023 11:22:34 +0100 Subject: [PATCH] feat: add readOnlyRootFilesystem if possible Signed-off-by: Jan Jansen --- .../latest/csi-driver-nfs/templates/csi-nfs-controller.yaml | 5 +++++ charts/latest/csi-driver-nfs/templates/csi-nfs-node.yaml | 3 +++ 2 files changed, 8 insertions(+) diff --git a/charts/latest/csi-driver-nfs/templates/csi-nfs-controller.yaml b/charts/latest/csi-driver-nfs/templates/csi-nfs-controller.yaml index 9190b673..fab3c95d 100644 --- a/charts/latest/csi-driver-nfs/templates/csi-nfs-controller.yaml +++ b/charts/latest/csi-driver-nfs/templates/csi-nfs-controller.yaml @@ -61,6 +61,8 @@ spec: - mountPath: /csi name: socket-dir resources: {{- toYaml .Values.controller.resources.csiProvisioner | nindent 12 }} + securityContext: + readOnlyRootFilesystem: true - name: liveness-probe image: "{{ .Values.image.livenessProbe.repository }}:{{ .Values.image.livenessProbe.tag }}" args: @@ -73,6 +75,8 @@ spec: - name: socket-dir mountPath: /csi resources: {{- toYaml .Values.controller.resources.livenessProbe | nindent 12 }} + securityContext: + readOnlyRootFilesystem: true - name: nfs image: "{{ .Values.image.nfs.repository }}:{{ .Values.image.nfs.tag }}" securityContext: @@ -80,6 +84,7 @@ spec: capabilities: add: ["SYS_ADMIN"] allowPrivilegeEscalation: true + readOnlyRootFilesystem: true imagePullPolicy: {{ .Values.image.nfs.pullPolicy }} args: - "--v={{ .Values.controller.logLevel }}" diff --git a/charts/latest/csi-driver-nfs/templates/csi-nfs-node.yaml b/charts/latest/csi-driver-nfs/templates/csi-nfs-node.yaml index b9f819fc..7a50edb8 100644 --- a/charts/latest/csi-driver-nfs/templates/csi-nfs-node.yaml +++ b/charts/latest/csi-driver-nfs/templates/csi-nfs-node.yaml 
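Review bot: The securityContext added to the csi-provisioner sidecar (hunk @@ -61) sets only `readOnlyRootFilesystem`, so the container keeps the runtime's default capability set and privilege escalation stays allowed. Since the block is new here, consider also adding `allowPrivilegeEscalation: false` and `capabilities: {drop: ["ALL"]}`, after checking that the sidecar can still reach the socket under /csi. The same applies to the liveness-probe blocks added in hunk @@ -73 and in csi-nfs-node.yaml hunk @@ -51. The value is also hard-coded, while `resources` on the same containers comes from `.Values`, so an operator whose sidecar image needs a writable path has no override short of patching the chart.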
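Review bot: The nfs container in hunk @@ -80 gets a read-only root filesystem, but no writable volume is added alongside it; the diffstat shows only the eight securityContext lines in this commit. If the driver or the mount helpers it invokes write outside the mounted volumes (a temporary working directory or lock/state files, for example), those operations would fail at provisioning or mount time rather than at pod start. It is worth confirming with a provision/mount/delete test and, if needed, mounting an `emptyDir` at the affected path. This container also keeps `SYS_ADMIN` and `allowPrivilegeEscalation: true`, so the flag guards against accidental writes more than it constrains a compromised process; a short template comment saying so would set expectations. The same line is added to the nfs container in csi-nfs-node.yaml hunk @@ -85, and part of the securityContext block lies outside both hunks.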
@@ -51,6 +51,8 @@ spec: - name: socket-dir mountPath: /csi resources: {{- toYaml .Values.node.resources.livenessProbe | nindent 12 }} + securityContext: + readOnlyRootFilesystem: true - name: node-driver-registrar image: "{{ .Values.image.nodeDriverRegistrar.repository }}:{{ .Values.image.nodeDriverRegistrar.tag }}" livenessProbe: @@ -85,6 +87,7 @@ spec: capabilities: add: ["SYS_ADMIN"] allowPrivilegeEscalation: true + readOnlyRootFilesystem: true image: "{{ .Values.image.nfs.repository }}:{{ .Values.image.nfs.tag }}" args : - "--v={{ .Values.node.logLevel }}"
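Review bot: node-driver-registrar, the container that follows liveness-probe in hunk @@ -51, does not get the new setting. The diffstat lists three insertions for this file: two for liveness-probe here and one for nfs in hunk @@ -85. If that is the "if possible" case from the commit title, a comment above the container would record why, e.g. `# readOnlyRootFilesystem is not set here: <reason>`; otherwise the same two lines belong on it. The container's definition continues past the end of the hunk, so an existing securityContext there cannot be ruled out from this view.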