From 239c04d60dc4f7f0e31d0fbec2fac145d1a9f297 Mon Sep 17 00:00:00 2001
From: Tamer Tas <contact@tmrts.com>
Date: Tue, 17 May 2016 09:42:55 +0300
Subject: [PATCH] Use read-only root filesystem capabilities of appc & rkt

---
 pkg/kubelet/rkt/rkt.go | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/pkg/kubelet/rkt/rkt.go b/pkg/kubelet/rkt/rkt.go
index 9e310ae5c78..5f6916cb16b 100644
--- a/pkg/kubelet/rkt/rkt.go
+++ b/pkg/kubelet/rkt/rkt.go
@@ -764,9 +764,10 @@ func (r *Runtime) newAppcRuntimeApp(pod *api.Pod, c api.Container, pullSecrets [
 	}
 
 	ra := appcschema.RuntimeApp{
-		Name:  convertToACName(c.Name),
-		Image: appcschema.RuntimeImage{ID: *hash},
-		App:   imgManifest.App,
+		Name:           convertToACName(c.Name),
+		Image:          appcschema.RuntimeImage{ID: *hash},
+		App:            imgManifest.App,
+		ReadOnlyRootFS: *c.SecurityContext.ReadOnlyRootFilesystem,
 		Annotations: []appctypes.Annotation{
 			{
 				Name:  *appctypes.MustACIdentifier(k8sRktContainerHashAnno),