From 239c04d60dc4f7f0e31d0fbec2fac145d1a9f297 Mon Sep 17 00:00:00 2001
From: Tamer Tas
Date: Tue, 17 May 2016 09:42:55 +0300
Subject: [PATCH] Use read-only root filesystem capabilities of appc & rkt
---
 pkg/kubelet/rkt/rkt.go | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/pkg/kubelet/rkt/rkt.go b/pkg/kubelet/rkt/rkt.go
index 9e310ae5c78..5f6916cb16b 100644
--- a/pkg/kubelet/rkt/rkt.go
+++ b/pkg/kubelet/rkt/rkt.go
@@ -764,9 +764,10 @@ func (r *Runtime) newAppcRuntimeApp(pod *api.Pod, c api.Container, pullSecrets [
 }
 ra := appcschema.RuntimeApp{
- Name: convertToACName(c.Name),
- Image: appcschema.RuntimeImage{ID: *hash},
- App: imgManifest.App,
+ Name: convertToACName(c.Name),
+ Image: appcschema.RuntimeImage{ID: *hash},
+ App: imgManifest.App,
+ ReadOnlyRootFS: *c.SecurityContext.ReadOnlyRootFilesystem,
 Annotations: []appctypes.Annotation{
 {
 Name: *appctypes.MustACIdentifier(k8sRktContainerHashAnno),
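Review bot: The added `ReadOnlyRootFS: *c.SecurityContext.ReadOnlyRootFilesystem` line dereferences two values with no nil check. The `*` shows `ReadOnlyRootFilesystem` is a pointer, and `c.SecurityContext` is, as far as I know, an optional pointer on the container spec as well. A pod that sets neither would therefore panic in the kubelet's rkt path rather than get a default, which turns an ordinary pod spec into a node-agent crash. Resolve the value before the literal, defaulting to `false` when either pointer is nil, and add a test case for a container with no security context. Both `newAppcRuntimeApp` and the `RuntimeApp` literal continue outside the hunk, so an earlier guard may exist that is not visible here.

```go
// Default to a writable root filesystem when the container states no preference.
readOnlyRootFS := false
if sc := c.SecurityContext; sc != nil && sc.ReadOnlyRootFilesystem != nil {
	readOnlyRootFS = *sc.ReadOnlyRootFilesystem
}

ra := appcschema.RuntimeApp{
	// … unchanged: Name, Image, App …
	ReadOnlyRootFS: readOnlyRootFS,
```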