From c65a9baedf20d225db1dac7758741bf569c40578 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Erik=20Inge=20Bols=C3=B8?=
Date: Mon, 17 Jun 2019 14:03:33 +0200
Subject: [PATCH] specify ReadOnlyRootFilesystem: false for pod security policies (#560)

Explicitly specify ReadOnlyRootFilesystem: false so kubernetes can pick a less restrictive policy the operator has access to.
---
 pkg/cluster/k8sres.go | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/pkg/cluster/k8sres.go b/pkg/cluster/k8sres.go
index 585cf2bed..0b2cb0c34 100644
--- a/pkg/cluster/k8sres.go
+++ b/pkg/cluster/k8sres.go
@@ -359,6 +359,8 @@ func generateContainer(
 volumeMounts []v1.VolumeMount,
 privilegedMode bool,
 ) *v1.Container {
+ falseBool := false
+
 return &v1.Container{
 Name: name,
 Image: *dockerImage,
@@ -382,6 +384,7 @@ func generateContainer(
 Env: envVars,
 SecurityContext: &v1.SecurityContext{
 Privileged: &privilegedMode,
+ ReadOnlyRootFilesystem: &falseBool,
 },
 }
 }
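Review bot: The added `ReadOnlyRootFilesystem: &falseBool` in the second hunk pins a writable root filesystem on every container generateContainer builds, with no comment at the field and no way for a caller to opt back in, while `Privileged` directly above it is driven by the `privilegedMode` parameter. An explicit false differs from leaving the field unset: a PodSecurityPolicy that requires a read-only root defaults an unset value to true but rejects an explicit false, so this is a deliberate opt-out of a hardening control and the reason should sit next to the code, e.g. `// explicit false: an unset value would be defaulted to true by a PSP requiring a read-only root (presumably the image needs a writable root; confirm)`. Consider taking the value as a parameter or operator setting alongside `privilegedMode`, so clusters whose images can run read-only are not forced to a writable root. The `falseBool` local in the first hunk exists only so its address can be taken here; the function signature and the rest of the container literal lie outside both hunks.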