Add readOnlyRootFilesystem=true to containers missing it

readOnlyRootFilesystem prevents containers from writing to the root filesystem,
reducing attack surface and improving security posture by limiting potential
malicious file modifications and ensuring immutable container runtime.

allowPrivilegeEscalation=false prevents containers from gaining additional
privileges beyond those initially granted, further hardening the security
posture by blocking privilege escalation attacks.

Signed-off-by: Federico Paolinelli <[email protected]>

Author: fedepaol

bindata/network/frr-k8s/frr-k8s.yaml

@@ -45,6 +45,10 @@ spec:
         emptyDir: {}
       - name: frr-status
         emptyDir: {}
+      - name: frr-lib
+        emptyDir: {}
+      - name: frr-tmp
+        emptyDir: {}
       - name: metrics-certs
         secret:
           secretName: frr-k8s-certs-secret
@@ -155,6 +159,8 @@ spec:
             mountPath: /etc/frr_reloader
       - name: frr
         securityContext:
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
           capabilities:
             add:
             - NET_ADMIN
@@ -170,6 +176,10 @@ spec:
           mountPath: /var/run/frr
         - name: frr-conf
           mountPath: /etc/frr
+        - name: frr-lib
+          mountPath: /var/lib/frr
+        - name: frr-tmp
+          mountPath: /var/tmp/frr
         # The command is FRR's default entrypoint & waiting for the log file to appear and tailing it.
         # If the log file isn't created in 60 seconds the tail fails and the container is restarted.
         # This workaround is needed to have the frr logs as part of kubectl logs -c frr < controller_pod_name >.