@dkwon17
Collaborator

@dkwon17 dkwon17 commented Nov 5, 2025

What does this PR do?

Sets the securityContext.readOnlyRootFilesystem field to true for the controller and webhook deployments.

What issues does this PR fix or reference?

Is it tested? How?

Check out the PR branch and run the changes in a cluster:

make install WAIT=true

Verify that the devworkspace-controller-manager and devworkspace-webhook-server deployments have:

securityContext.readOnlyRootFilesystem: true

in their container definitions.

Verify that workspaces can start and stop without issue.

PR Checklist

  • E2E tests pass (when PR is ready, comment /test v8-devworkspace-operator-e2e, v8-che-happy-path to trigger)
    • v8-devworkspace-operator-e2e: DevWorkspace e2e test
    • v8-che-happy-path: Happy path for verification integration with Che

Signed-off-by: David Kwon <dakwon@redhat.com>
memory: 100Mi
securityContext:
readOnlyRootFilesystem: true
env:
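
Review bot: the securityContext block added between the memory limit and env carries no comment saying why readOnlyRootFilesystem: true is being set, and the PR description leaves its issue reference empty. A one-line comment above securityContext: stating the intent would help. Because a read-only root filesystem means any path the container writes at runtime needs its own writable volume mount, and none is visible in these lines, the description should also say which write paths of the controller and webhook were checked.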
Contributor

Could you please shed some light on what this fix addresses?

@rohanKanojia
Member

I tested this PR, and it seems to work as expected.

  • devworkspace-webhook-server and devworkspace-controller-manager Deployments have readOnlyRootFilesystem: true ✔️ :
oc get deploy devworkspace-controller-manager -o yaml | grep -A2 readOnlyRootFilesystem
          readOnlyRootFilesystem: true
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File

oc get deploy devworkspace-webhook-server -o yaml | grep -A2 readOnlyRootFilesystem
          readOnlyRootFilesystem: true
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
  • Restarting DevWorkspace multiple times works as expected ✔️

  • Basic DevWorkspace testing flow seems to be working ✔️

    • DevWorkspace code-latest applied
    • DevWorkspace code-latest is running
    • Project clone logs are accessible
    • Files modified in workspace
    • Workspace stopped and restarted and is running
    • Changes are still intact after restart
    • Secondary devworkspace created
    • First devworkspace deleted
    • PVC contains only content for second workspace
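
A per-container version of the verification step in this PR, as an added example that is not part of the PR or the project's code: `grep` shows the field is present in a Deployment, while this checks every container and init container and lists the mount paths that stay writable. The function name `audit` and the sample Deployment are constructed for illustration.

```python
import json
import sys

# Constructed sample shaped like `oc get deploy <name> -o json`; the names and
# mounts are illustrative, not taken from the devworkspace-operator manifests.
SAMPLE = {
    "metadata": {"name": "example-manager"},
    "spec": {"template": {"spec": {
        "initContainers": [{"name": "init", "securityContext": {}}],
        "containers": [
            {"name": "manager",
             "securityContext": {"readOnlyRootFilesystem": True},
             "volumeMounts": [
                 {"name": "certs", "mountPath": "/certs", "readOnly": True},
                 {"name": "tmp", "mountPath": "/tmp"}]},
            {"name": "sidecar"},
        ],
    }}},
}

CONTAINER_KINDS = ("initContainers", "containers")


def audit(deployment):
    """Return (missing, writable) for one Deployment object.

    missing:  containers that do not set readOnlyRootFilesystem: true. The field
              exists only per container, so each one is checked on its own.
    writable: mount paths that stay writable in containers that do set it.
    """
    pod_spec = deployment["spec"]["template"]["spec"]
    missing, writable = [], {}
    for kind in CONTAINER_KINDS:
        for c in pod_spec.get(kind) or []:
            sc = c.get("securityContext") or {}
            if sc.get("readOnlyRootFilesystem") is not True:
                missing.append(f"{kind}/{c['name']}")
                continue
            writable[c["name"]] = [m["mountPath"] for m in c.get("volumeMounts") or []
                                   if not m.get("readOnly", False)]
    return missing, writable


if __name__ == "__main__":
    # Usage: oc get deploy <name> -o json | python audit.py  (no pipe: sample)
    doc = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    missing, writable = audit(doc)
    print("writable root filesystem:", missing or "none")
    print("writable mounts:", writable)
    sys.exit(1 if missing else 0)
```

The script exits non-zero when any container still has a writable root filesystem, so it can gate a CI step.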

@openshift-ci

openshift-ci bot commented Nov 6, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dkwon17, rohanKanojia

The full list of commands accepted by this bot can be found here.

The pull request process is described here


@dkwon17 dkwon17 merged commit 0f44d42 into devfile:main Nov 10, 2025
11 checks passed
@rohanKanojia rohanKanojia modified the milestone: v0.38.x Nov 11, 2025