From ed2b82977bd3904a110a491df4b24d56ad078c06 Mon Sep 17 00:00:00 2001
From: Larry Rensing <lr699s@att.com>
Date: Thu, 25 May 2017 20:20:39 +0000
Subject: [PATCH] Make remaining volumeMounts readOnly
This cleanup adds a readOnly tag for the remaining volumeMounts
across the project.
Change-Id: I1035c075c2e0c6f2b1b76a14e45094ed4e90a879
---
glance/templates/job-bootstrap.yaml | 2 ++
horizon/templates/deployment.yaml | 3 +++
mariadb/templates/statefulset.yaml | 6 ++++++
mistral/templates/job-db-sync.yaml | 1 +
rabbitmq/templates/deployment.yaml | 4 ++++
5 files changed, 16 insertions(+)
diff --git a/glance/templates/job-bootstrap.yaml b/glance/templates/job-bootstrap.yaml
index c1a40770b2..be72fde151 100644
--- a/glance/templates/job-bootstrap.yaml
+++ b/glance/templates/job-bootstrap.yaml
@@ -56,9 +56,11 @@ spec:
- name: glance-bin
mountPath: /tmp/bootstrap.sh
subPath: bootstrap.sh
+ readOnly: true
- name: glance-etc
mountPath: /etc/glance/glance-api.conf
subPath: glance-api.conf
+ readOnly: true
volumes:
- name: imagedir
emptyDir: {}
diff --git a/horizon/templates/deployment.yaml b/horizon/templates/deployment.yaml
index 3fa464e343..983dfbcad0 100644
--- a/horizon/templates/deployment.yaml
+++ b/horizon/templates/deployment.yaml
@@ -68,12 +68,15 @@ spec:
- name: startsh
mountPath: /tmp/start.sh
subPath: start.sh
+ readOnly: true
- name: horizon-etc
mountPath: /etc/apache2/sites-enabled/000-default.conf
subPath: horizon.conf
+ readOnly: true
- name: horizon-etc
mountPath: /etc/openstack-dashboard/local_settings
subPath: local_settings
+ readOnly: true
{{ if $mounts_horizon.volumeMounts }}{{ toYaml $mounts_horizon.volumeMounts | indent 12 }}{{ end }}
securityContext:
runAsUser: 0
diff --git a/mariadb/templates/statefulset.yaml b/mariadb/templates/statefulset.yaml
index 0311e7905c..d1ca94da54 100644
--- a/mariadb/templates/statefulset.yaml
+++ b/mariadb/templates/statefulset.yaml
@@ -85,21 +85,27 @@ spec:
- name: mariadb-bin
mountPath: /tmp/readiness.sh
subPath: readiness.sh
+ readOnly: true
- name: mariadb-bin
mountPath: /tmp/start.sh
subPath: start.sh
+ readOnly: true
- name: mariadb-etc
mountPath: /etc/mysql/my.cnf
+ readOnly: true
subPath: my.cnf
- name: mariadb-etc
mountPath: /etc/mysql/conf.d/00-base.cnf
subPath: 00-base.cnf
+ readOnly: true
- name: mariadb-etc
mountPath: /etc/mysql/conf.d/20-override.cnf
subPath: 20-override.cnf
+ readOnly: true
- name: mariadb-etc
mountPath: /etc/mysql/conf.d/99-force.cnf
subPath: 99-force.cnf
+ readOnly: true
- name: mysql-data
mountPath: /var/lib/mysql
volumes:
diff --git a/mistral/templates/job-db-sync.yaml b/mistral/templates/job-db-sync.yaml
index cd11967547..2a17fd99cc 100644
--- a/mistral/templates/job-db-sync.yaml
+++ b/mistral/templates/job-db-sync.yaml
@@ -56,6 +56,7 @@ spec:
- name: mistral-bin
mountPath: /tmp/db-sync.sh
subPath: db-sync.sh
+ readOnly: true
volumes:
- name: pod-etc-mistral
emptyDir: {}
diff --git a/rabbitmq/templates/deployment.yaml b/rabbitmq/templates/deployment.yaml
index 07f4aef759..03061fe0fe 100644
--- a/rabbitmq/templates/deployment.yaml
+++ b/rabbitmq/templates/deployment.yaml
@@ -108,12 +108,16 @@ spec:
- name: rabbitmq-etc
mountPath: /etc/rabbitmq/enabled_plugins
subPath: enabled_plugins
+ readOnly: true
- name: rabbitmq-etc
mountPath: /etc/rabbitmq/erlang.cookie
subPath: erlang.cookie
+ readOnly: true
- name: rabbitmq-etc
mountPath: /etc/rabbitmq/rabbitmq-env.conf
subPath: rabbitmq-env.conf
+ readOnly: true
- name: rabbitmq-etc
mountPath: /etc/rabbitmq/rabbitmq.config
subPath: rabbitmq.config
+ readOnly: true