Loading...

XML

Word

Printable

Type: Story
Resolution: Done
Priority: Normal
Fix Version/s: None
Affects Version/s: None
Component/s: None
Labels:

Story Points:
2
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Ready:
False
Epic Link:
cert-manager-operator v1.18.0 release
Intelligence Requested:
Market:

Sprint:
OAPE Sprint 275
sprint_count:
1

SFDC Cases Links:
SFDC Cases Open:
SFDC Cases Counter:

All cert-manager operands containers are applied with "readOnlyRootFilesystem: true" in their securityContext (aligned with upstream natively):

But the operator controller-manager is not:

https://github.com/openshift/cert-manager-operator/blob/bb69f735ac8611d97b02d012d6f99f0184a567a4/config/manager/manager.yaml#L101-L109

As called out in OCPSTRAT-2045, it's a common hardening recommendation to set readOnlyRootFilesystem to true, which ensures that the container's root filesystem is mounted as read-only.

Acceptance criteria

Validate the operator pod container if has this field set correctly after installation.
Verify effective behavior inside the running container. (oc exec -it – touch /etc/testfile should error out).
Ensure existing e2es in operator repo and QE CI not being broken.

is triggered by

OCPSTRAT-2045 Configure containers to set readOnlyRootFilesystem to true [starting in OCP 4.20]

In Progress

links to

openshift/cert-manager-operator#300: CM-674: Enable ReadOnly Root Filesystem for operator controller

Assignee:: Yuedong Wu

Reporter:: Yuedong Wu

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Created:: 2025/07/27 5:56 AM

Updated:: 2025/08/19 12:54 PM

Resolved:: 2025/08/14 12:51 PM

Details

Description

Acceptance criteria

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates