MGMT-22200: Add readOnlyRootFilesystem security constrain in CAPI providers

[rivkyrizel]

Add readOnlyRootFilesystem: true to the securityContext of manager containers in bootstrap and
controlplane providers to enhance security posture by preventing runtime modifications to the
container filesystem, following Kubernetes security best practices.

Summary by CodeRabbit

• Chores
  • Enhanced security hardening by enabling read-only root filesystem across deployment configurations, strengthening container immutability and reducing potential attack surface for bootstrap and control plane components.

[openshift-ci-robot]

@rivkyrizel: This pull request references MGMT-22200 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target the "4.21.0" version, but no target version was set.

In response to this:

Add readOnlyRootFilesystem: true to the securityContext of manager containers in bootstrap and
controlplane providers to enhance security posture by preventing runtime modifications to the
container filesystem, following Kubernetes security best practices.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: rivkyrizel
Once this PR has been reviewed and has the lgtm label, please assign gamli75 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Walkthrough

Security hardening applied across bootstrap and controlplane deployment configurations by adding readOnlyRootFilesystem: true to container securityContexts. Four YAML files modified with consistent enforcement of filesystem immutability for enhanced container isolation.

Changes

Cohort / File(s)	Change Summary
Bootstrap Configurations bootstrap-components.yaml, bootstrap/config/manager/manager.yaml	Adds readOnlyRootFilesystem: true to container securityContext for filesystem immutability
Controlplane Configurations controlplane-components.yaml, controlplane/config/manager/manager.yaml	Adds readOnlyRootFilesystem: true to container securityContext for filesystem immutability

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

This consists of homogeneous, repetitive configuration changes with no logic modifications or control-flow alterations. All four files receive the identical security hardening treatment.

Suggested labels

size/L

Suggested reviewers

• eranco74

Poem

🐰 Filesystems locked down tight,
Read-only roots, a security delight,
Bootstrap and controlplane aligned,
Immutable containers, peace of mind!
✨

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and specifically describes the main change: adding readOnlyRootFilesystem security constraints to CAPI providers, which matches the actual modifications across all four configuration files.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

📜 Recent review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 17095fc and 72ad6c7.

📒 Files selected for processing (4)

• bootstrap-components.yaml (1 hunks)
• bootstrap/config/manager/manager.yaml (1 hunks)
• controlplane-components.yaml (1 hunks)
• controlplane/config/manager/manager.yaml (1 hunks)

🔇 Additional comments (6)

controlplane/config/manager/manager.yaml (1)

31-36: Security hardening looks good.

The addition of readOnlyRootFilesystem: true strengthens the security posture alongside existing constraints (allowPrivilegeEscalation: false, capabilities.drop: [ALL]). Since this container doesn't mount any volumes, the read-only constraint should not impede normal operation.

bootstrap/config/manager/manager.yaml (2)

36-41: Verify temporary file handling with read-only filesystem.

The security context now enforces readOnlyRootFilesystem: true while the container mounts a secret volume for webhook certificates. While certificate handling is compatible with read-only filesystems, confirm that the manager application doesn't need to write temporary files to /tmp or other paths. If temporary file writing is required, consider adding an emptyDir mount at /tmp.

---

61-69: Certificate volume mount is compatible with read-only filesystem.

The webhook certificate secret is mounted read-only, which aligns well with the new readOnlyRootFilesystem: true constraint.

controlplane-components.yaml (1)

942-947: Security hardening applied consistently.

The addition of readOnlyRootFilesystem: true complements the existing security constraints. Since this manager container doesn't mount any volumes, the read-only constraint should not cause functional issues.

bootstrap-components.yaml (2)

810-815: Verify temporary file handling for webhook operations.

With readOnlyRootFilesystem: true and the webhook certificate secret mounted read-only, confirm the manager application doesn't attempt to write temporary files during webhook validation (lines 852-878 define validation webhooks). If temporary file writes are needed, add an emptyDir mount at /tmp.

---

816-826: Certificate and webhook infrastructure compatible with read-only filesystem.

The secret mount and pod-level runAsNonRoot: true are appropriately configured alongside the read-only filesystem constraint.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

Welcome @rivkyrizel! It looks like this is your first PR to openshift-assisted/cluster-api-provider-openshift-assisted 🎉

[openshift-ci]

Hi @rivkyrizel. Thanks for your PR.

I'm waiting for a github.com member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[openshift-ci-robot]

@rivkyrizel: This pull request references MGMT-22200 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target the "4.21.0" version, but no target version was set.

In response to this:

Add readOnlyRootFilesystem: true to the securityContext of manager containers in bootstrap and
controlplane providers to enhance security posture by preventing runtime modifications to the
container filesystem, following Kubernetes security best practices.

Summary by CodeRabbit

• Chores
• Enhanced security hardening by enabling read-only root filesystem across deployment configurations, strengthening container immutability and reducing potential attack surface for bootstrap and control plane components.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.