Read only filesystem

sjberman · sjberman · commit 44113410c4f2 · 2023-08-29T09:10:43.000-06:00
diff --git a/conformance/provisioner/static-deployment.yaml b/conformance/provisioner/static-deployment.yaml
@@ -71,6 +71,7 @@ spec:
             - NET_BIND_SERVICE
             drop:
             - ALL
+          readOnlyRootFilesystem: true
           runAsUser: 101
           runAsGroup: 1001
         volumeMounts:
@@ -80,6 +81,10 @@ spec:
           mountPath: /etc/nginx/secrets
         - name: nginx-run
           mountPath: /var/run/nginx
+        - name: nginx-cache
+          mountPath: /var/cache/nginx
+        - name: nginx-lib
+          mountPath: /var/lib/nginx
       serviceAccountName: nginx-gateway
       shareProcessNamespace: true
       securityContext:
@@ -92,3 +97,7 @@ spec:
         emptyDir: {}
       - name: nginx-run
         emptyDir: {}
+      - name: nginx-cache
+        emptyDir: {}
+      - name: nginx-lib
+        emptyDir: {}
diff --git a/conformance/tests/conformance-rbac.yaml b/conformance/tests/conformance-rbac.yaml
@@ -27,7 +27,6 @@ rules:
   - deployments
   verbs:
   - create
-  - update
   - delete
   - get
   - list
diff --git a/deploy/helm-chart/templates/deployment.yaml b/deploy/helm-chart/templates/deployment.yaml
@@ -66,6 +66,7 @@ spec:
             - NET_BIND_SERVICE
             drop:
             - ALL
+          readOnlyRootFilesystem: true
           runAsUser: 101
           runAsGroup: 1001
         volumeMounts:
@@ -75,6 +76,10 @@ spec:
           mountPath: /etc/nginx/secrets
         - name: nginx-run
           mountPath: /var/run/nginx
+        - name: nginx-cache
+          mountPath: /var/cache/nginx
+        - name: nginx-lib
+          mountPath: /var/lib/nginx
       serviceAccountName: {{ include "nginx-gateway.serviceAccountName" . }}
       shareProcessNamespace: true
       securityContext:
@@ -87,4 +92,8 @@ spec:
         emptyDir: {}
       - name: nginx-run
         emptyDir: {}
+      - name: nginx-cache
+        emptyDir: {}
+      - name: nginx-lib
+        emptyDir: {}
 {{- end }}
diff --git a/deploy/manifests/nginx-gateway.yaml b/deploy/manifests/nginx-gateway.yaml
@@ -172,6 +172,7 @@ spec:
             - NET_BIND_SERVICE
             drop:
             - ALL
+          readOnlyRootFilesystem: true
           runAsUser: 101
           runAsGroup: 1001
         volumeMounts:
@@ -181,6 +182,10 @@ spec:
           mountPath: /etc/nginx/secrets
         - name: nginx-run
           mountPath: /var/run/nginx
+        - name: nginx-cache
+          mountPath: /var/cache/nginx
+        - name: nginx-lib
+          mountPath: /var/lib/nginx
       serviceAccountName: nginx-gateway
       shareProcessNamespace: true
       securityContext:
@@ -193,6 +198,10 @@ spec:
         emptyDir: {}
       - name: nginx-run
         emptyDir: {}
+      - name: nginx-cache
+        emptyDir: {}
+      - name: nginx-lib
+        emptyDir: {}
 ---
 # Source: nginx-kubernetes-gateway/templates/gatewayclass.yaml
 apiVersion: gateway.networking.k8s.io/v1beta1

-Original file line number
+Diff line change
   - deployments
   verbs:
   - create
 -  - update
   - delete
   - get
   - list