set readOnlyRootFilesystem: true for workloads (#2018)

Signed-off-by: Joe Lanford <[email protected]>

Author: joelanford

.tilt-support

@@ -67,6 +67,7 @@ COPY {} /
         live_update=[
             sync('.tiltbuild/bin/{}'.format(binary_name), '/{}'.format(binary_name)),
         ],
+        restart_file="/.tilt_restart_proc",
         # The command to run in the container.
         entrypoint=entrypoint,
     )

config/base/catalogd/manager/manager.yaml

@@ -52,8 +52,11 @@ spec:
         volumeMounts:
             - name: cache
               mountPath: /var/cache/
+            - name: tmp
+              mountPath: /tmp
         securityContext:
           allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
           capabilities:
             drop:
               - ALL
@@ -80,3 +83,5 @@ spec:
       volumes:
         - name: cache
           emptyDir: {}
+        - name: tmp
+          emptyDir: {}

config/base/operator-controller/manager/manager.yaml

@@ -52,8 +52,11 @@ spec:
         volumeMounts:
           - name: cache
             mountPath: /var/cache
+          - name: tmp
+            mountPath: /tmp
         securityContext:
           allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
           capabilities:
             drop:
               - "ALL"
@@ -69,8 +72,6 @@ spec:
             port: 8081
           initialDelaySeconds: 5
           periodSeconds: 10
-        # TODO(user): Configure the resources accordingly based on the project requirements.
-        # More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
         resources:
           requests:
             cpu: 10m
@@ -81,3 +82,5 @@ spec:
       volumes:
         - name: cache
           emptyDir: {}
+        - name: tmp
+          emptyDir: { }