From 7ffb40ca22bf3b0bcb02c921479937fb9abb048d Mon Sep 17 00:00:00 2001
From: eliranb
Date: Sun, 25 May 2025 14:44:10 +0300
Subject: [PATCH] Add read-only root filesystem support to init containers in deployment and stateful set configurations
---
 internal/controller/patch_funcs.go | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/internal/controller/patch_funcs.go b/internal/controller/patch_funcs.go
index 68365a7..6737883 100644
--- a/internal/controller/patch_funcs.go
+++ b/internal/controller/patch_funcs.go
@@ -141,6 +141,7 @@ func (r *LightrunJavaAgentReconciler) addInitContainer(deploymentApplyConfig *ap
 ).
 WithAllowPrivilegeEscalation(false).
 WithRunAsNonRoot(true).
+ WithReadOnlyRootFilesystem(true).
 WithSeccompProfile(
 corev1ac.SeccompProfile().
 WithType(corev1.SeccompProfileTypeRuntimeDefault),
@@ -316,6 +317,7 @@ func (r *LightrunJavaAgentReconciler) addInitContainerToStatefulSet(statefulSetA
 ).
 WithAllowPrivilegeEscalation(false).
 WithRunAsNonRoot(true).
+ WithReadOnlyRootFilesystem(true).
 WithSeccompProfile(
 corev1ac.SeccompProfile().
 WithType(corev1.SeccompProfileTypeRuntimeDefault),
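Review bot: With `WithReadOnlyRootFilesystem(true)` set on the init container in `addInitContainer` (and identically in `addInitContainerToStatefulSet`), every path that container writes must sit on a mounted volume, and neither hunk shows the volume mounts. If the init container's entrypoint writes anywhere outside its mounts, such as a temp directory, it will fail at start and the pod will never leave the init phase. Confirm the image writes only to the volumes it mounts, or add an `emptyDir` mount for the scratch path. Both function bodies start and end outside the hunks, so this cannot be checked from the diff alone. The commit touches no test file; an assertion that both generated init containers carry `readOnlyRootFilesystem: true` would keep the hardening from regressing.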
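Review bot: The builder chain in `addInitContainerToStatefulSet` repeats the one in `addInitContainer` line for line in the visible context, which is why this flag had to be added in two places. A later hardening setting applied to only one copy would leave Deployments and StatefulSets with different init-container restrictions. Consider building the chain once in a private helper (suggested name `initContainerSecurityContext()`, presumably returning the security-context apply configuration these `With…` calls operate on) and calling it from both functions. The start of each chain is outside the hunks, so the exact receiver type needs checking against the full file.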