enable readOnlyRootFilesystem on subscription addon pod (#384)
* enable readOnlyRootFilesystem on subscription addon pod

Signed-off-by: Xiangjing Li <xiangli@redhat.com>

* --amend

Signed-off-by: Xiangjing Li <xiangli@redhat.com>

---------

Signed-off-by: Xiangjing Li <xiangli@redhat.com>
xiangjingli authored Jan 29, 2024
1 parent 9b397c5 commit eb0f2b0
Showing 2 changed files with 11 additions and 5 deletions.
6 changes: 5 additions & 1 deletion addon/manifests/chart/templates/deployment.yaml
Expand Up @@ -63,7 +63,7 @@ spec:
periodSeconds: 15
securityContext:
privileged: false
readOnlyRootFilesystem: false
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
runAsNonRoot: true
runAsUser: 1000
Expand All @@ -81,10 +81,14 @@ spec:
volumeMounts:
- name: klusterlet-config
mountPath: /var/run/klusterlet
- mountPath: /tmp
name: tmp
volumes:
- name: klusterlet-config
secret:
secretName: {{ .Values.hubKubeConfigSecret }}
- emptyDir: {}
name: tmp
{{- if .Values.global.imagePullSecret }}
imagePullSecrets:
- name: "{{ .Values.global.imagePullSecret }}"
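Review bot: The new `tmp` volume is declared as `emptyDir: {}` with no size bound, so the only writable path left after `readOnlyRootFilesystem: true` can grow until it exhausts the node's ephemeral storage. Consider `emptyDir: { sizeLimit: <SIZE> }` (placeholder; presumably sized for the largest repository the addon is expected to clone), so that the kubelet evicts this pod instead of the node filling up. If the process writes anywhere other than `/tmp`, such as a home or cache directory used by the Git client (not visible in this section), those writes will now fail at runtime. A short comment above the `/tmp` mount saying that it is the only writable path, and what uses it, would help the next maintainer. The container spec continues outside the displayed hunks.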
10 changes: 6 additions & 4 deletions pkg/utils/gitrepo.go
Expand Up @@ -263,7 +263,7 @@ func CloneGitRepo(cloneOptions *GitCloneOption) (commitID string, err error) {
options, err := getConnectionOptions(cloneOptions, true)

if err != nil {
klog.Error("Failed to get Git clone options with the primary channel. Trying the secondary channel.")
klog.Errorf("Failed to get Git clone options with the primary channel. Trying the secondary channel. err: %v", err)

usingPrimary = false
}
Expand All @@ -273,19 +273,20 @@ func CloneGitRepo(cloneOptions *GitCloneOption) (commitID string, err error) {
if err != nil {
if !usingPrimary {
// we could not get both primary and secondary Git connection options. return error
klog.Error("Failed to get Git clone options with the secondary channel.")
klog.Errorf("Failed to get Git clone options with the secondary channel. err: %v", err)
return "", err
}

klog.Warning("Failed to get Git clone options with the secondary channel.")
klog.Warning("Failed to get Git clone options with the secondary channel. err: %v", err)
}

// we could not get the connection options with the primary channel but we got it with the secondary channel. Use it instead
if !usingPrimary {
if secondaryOptions == nil {
// if trying the secondary connection option but nothing there, return error
// at this point, we have no Git connection options
return "", errors.New("failed to build git connection options")
klog.Error("failed to build secondary git connection options")
return "", errors.New("failed to build secondary git connection options")
}

options = secondaryOptions
Expand Down Expand Up @@ -320,6 +321,7 @@ func CloneGitRepo(cloneOptions *GitCloneOption) (commitID string, err error) {
return "", errors.New("Failed to clone git: " + secondaryOptions.URL + " branch: " + cloneOptions.Branch.String() + Error + err.Error())
}
} else {
klog.Errorf("failed to clone secondary git channel. err: %v", err)
return "", errors.New("Failed to clone git: " + options.URL + " branch: " + cloneOptions.Branch.String() + Error + err.Error())
}
}
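Review bot: The warning on the secondary-channel path passes a format string to `klog.Warning`, which formats its arguments Sprint-style, so the `%v` is printed literally and the error is merely appended. It should be `klog.Warningf("Failed to get Git clone options with the secondary channel. err: %v", err)`, matching the `klog.Errorf` calls around it; `go vet` would flag this call. Separately, the new messages write the raw error text into the pod log. If errors from the connection-option or clone path can carry a repository URL with embedded credentials (not visible here), they should be redacted before logging. CloneGitRepo's body starts and ends outside the displayed hunks.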
