From 3bcdc1aa0d9cd052f19cbbd63c8bb1a3ddfcc8e2 Mon Sep 17 00:00:00 2001
From: oraz <oraz@redhat.com>
Date: Mon, 14 Oct 2024 12:17:34 +0300
Subject: [PATCH 1/2] Set readOnlyRootFilesystem to true

An immutable root file system prevents applications from writing to their local disk
---
 config/manager/manager.yaml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml
index 6788499c..a218dbbf 100755
--- a/config/manager/manager.yaml
+++ b/config/manager/manager.yaml
@@ -67,6 +67,7 @@ spec:
         name: manager
         securityContext:
           allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
           capabilities:
             drop:
             - "ALL"
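Review bot: The added `readOnlyRootFilesystem: true` in the manager container's securityContext has no writable mount alongside it in this hunk, so any path the manager process writes at runtime (temp files, a certificate directory, caches) would fail with a read-only filesystem error unless it is backed by a volume. The container's `volumeMounts` lie outside the hunk, so this cannot be confirmed from here. If the binary does write anywhere, an `emptyDir` mounted at just that path keeps the hardening in place while still making the writable surface explicit. A short comment above the field would help the next maintainer, for example `# root FS is immutable; every writable path must be an explicit volume mount`. This setting is per container, so any other container in the same pod spec (not visible here) would need it set separately.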

From 58dd50a36b46a6cac256050ff152b7db9924c74b Mon Sep 17 00:00:00 2001
From: oraz <oraz@redhat.com>
Date: Mon, 14 Oct 2024 12:17:45 +0300
Subject: [PATCH 2/2] Run make bundle and apply changes to the bundle container

---
 .../node-maintenance-operator.clusterserviceversion.yaml         | 1 +
 1 file changed, 1 insertion(+)

diff --git a/bundle/manifests/node-maintenance-operator.clusterserviceversion.yaml b/bundle/manifests/node-maintenance-operator.clusterserviceversion.yaml
index 88d42b6e..d67bd94e 100755
--- a/bundle/manifests/node-maintenance-operator.clusterserviceversion.yaml
+++ b/bundle/manifests/node-maintenance-operator.clusterserviceversion.yaml
@@ -283,6 +283,7 @@ spec:
                   capabilities:
                     drop:
                     - ALL
+                  readOnlyRootFilesystem: true
               priorityClassName: system-cluster-critical
               securityContext:
                 runAsNonRoot: true