dongjoon-hyun opened a new pull request, #743: URL: https://github.com/apache/spark-kubernetes-operator/pull/743
### What changes were proposed in this pull request? This PR aims to enable `readOnlyRootFilesystem` for the operator container in the Helm chart. Since the operator writes temporary files under `java.io.tmpdir` (SPARK-57918), an `emptyDir` volume is mounted at `/tmp`, following the existing `logs-volume` pattern. ### Why are the changes needed? A read-only root filesystem prevents tampering with the container image at runtime and completes the CIS Benchmark hardening on top of the existing restricted Pod Security Standard compliance. ### Does this PR introduce _any_ user-facing change? Yes. The operator container root filesystem becomes read-only by default; writable paths are provided via `emptyDir` volumes (`/tmp`, `/opt/spark-operator/logs`). Users can override `operatorDeployment.operatorPod.operatorContainer.securityContext` if needed. ### How was this patch tested? Pass the CIs. Also manually verified with `helm lint --strict` and `helm template`. ### Was this patch authored or co-authored using generative AI tooling? Generated-by: Claude Fable 5 -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
