From 52fe3214820f1f0c89c3055685aec71e884587be Mon Sep 17 00:00:00 2001
From: Yuwen Ma <yuwenma@google.com>
Date: Mon, 9 Dec 2024 22:37:10 +0000
Subject: [PATCH] chore: turn on readOnlyRootFilesystem for GKE add-on release'

---
 operator/config/gke-addon/manager_patch.yaml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/operator/config/gke-addon/manager_patch.yaml b/operator/config/gke-addon/manager_patch.yaml
index 0430e08d2c..199b531f24 100644
--- a/operator/config/gke-addon/manager_patch.yaml
+++ b/operator/config/gke-addon/manager_patch.yaml
@@ -29,4 +29,7 @@
   value:
     postStart:
       exec:
-        command: ["./gke_addon_poststart"]
\ No newline at end of file
+        command: ["./gke_addon_poststart"]
+- op: add
+  path: /spec/template/spec/containers/0/securityContext/readOnlyRootFilesystem
+  value: true
\ No newline at end of file