Allow setting ReadOnlyRootFilesystem (#10560)

* Allow setting ReadOnlyRootFilesystem * Fixed formatting.
knative · Jan 18, 2021 · da1db84 · da1db84
1 parent 5fbe2f1
commit da1db84
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 5 deletions.
diff --git a/pkg/apis/serving/fieldmask.go b/pkg/apis/serving/fieldmask.go
@@ -593,6 +593,7 @@ func SecurityContextMask(ctx context.Context, in *corev1.SecurityContext) *corev
 
 	// Allowed fields
 	out.RunAsUser = in.RunAsUser
+	out.ReadOnlyRootFilesystem = in.ReadOnlyRootFilesystem
 
 	if config.FromContextOrDefaults(ctx).Features.PodSpecSecurityContext != config.Disabled {
 		out.RunAsGroup = in.RunAsGroup
@@ -603,7 +604,6 @@ func SecurityContextMask(ctx context.Context, in *corev1.SecurityContext) *corev
 	out.Capabilities = nil
 	out.Privileged = nil
 	out.SELinuxOptions = nil
-	out.ReadOnlyRootFilesystem = nil
 	out.AllowPrivilegeEscalation = nil
 	out.ProcMount = nil
 

diff --git a/pkg/apis/serving/fieldmask_test.go b/pkg/apis/serving/fieldmask_test.go
@@ -720,7 +720,8 @@ func TestPodSecurityContextMask_FeatureEnabled(t *testing.T) {
 func TestSecurityContextMask(t *testing.T) {
 	mtype := corev1.UnmaskedProcMount
 	want := &corev1.SecurityContext{
-		RunAsUser: ptr.Int64(1),
+		RunAsUser:              ptr.Int64(1),
+		ReadOnlyRootFilesystem: ptr.Bool(true),
 	}
 	in := &corev1.SecurityContext{
 		RunAsUser:                ptr.Int64(1),
@@ -754,9 +755,10 @@ func TestSecurityContextMask(t *testing.T) {
 func TestSecurityContextMask_FeatureEnabled(t *testing.T) {
 	mtype := corev1.UnmaskedProcMount
 	want := &corev1.SecurityContext{
-		RunAsGroup:   ptr.Int64(2),
-		RunAsNonRoot: ptr.Bool(true),
-		RunAsUser:    ptr.Int64(1),
+		RunAsGroup:             ptr.Int64(2),
+		RunAsNonRoot:           ptr.Bool(true),
+		RunAsUser:              ptr.Int64(1),
+		ReadOnlyRootFilesystem: ptr.Bool(true),
 	}
 	in := &corev1.SecurityContext{
 		AllowPrivilegeEscalation: ptr.Bool(true),