From 6d206795c70efc70395147493b296582807c4a21 Mon Sep 17 00:00:00 2001
From: Richard Wall <richard.wall@venafi.com>
Date: Tue, 31 Oct 2023 09:55:23 +0000
Subject: [PATCH] Enable readOnlyRootFilesystem by default

Signed-off-by: Richard Wall <richard.wall@venafi.com>
---
 deploy/charts/cert-manager/values.yaml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/deploy/charts/cert-manager/values.yaml b/deploy/charts/cert-manager/values.yaml
index 4c78b062d..e5218d79d 100644
--- a/deploy/charts/cert-manager/values.yaml
+++ b/deploy/charts/cert-manager/values.yaml
@@ -181,7 +181,7 @@ containerSecurityContext:
   capabilities:
     drop:
     - ALL
-  # readOnlyRootFilesystem: true
+  readOnlyRootFilesystem: true
   # runAsNonRoot: true
 
 
@@ -345,7 +345,7 @@ webhook:
     capabilities:
       drop:
       - ALL
-    # readOnlyRootFilesystem: true
+    readOnlyRootFilesystem: true
     # runAsNonRoot: true
 
   # Optional additional annotations to add to the webhook Deployment
@@ -548,7 +548,7 @@ cainjector:
     capabilities:
       drop:
       - ALL
-    # readOnlyRootFilesystem: true
+    readOnlyRootFilesystem: true
     # runAsNonRoot: true
 
 
@@ -658,7 +658,7 @@ startupapicheck:
     capabilities:
       drop:
       - ALL
-    # readOnlyRootFilesystem: true
+    readOnlyRootFilesystem: true
     # runAsNonRoot: true
 
   # Timeout for 'kubectl check api' command