From bb7b973258f02236d0d4f35bc87f2086cd4f4174 Mon Sep 17 00:00:00 2001
From: Pete Birley
Date: Wed, 28 Nov 2018 12:17:08 -0600
Subject: [PATCH] Nova: Mount cgroups read only

This PS updates the mount options for the nova-compute pod to mount cgroups as read only within the pod.

Change-Id: I82e958c2865029cd4a093f62614a1e878075098a
Signed-off-by: Pete Birley
---
 nova/templates/daemonset-compute.yaml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/nova/templates/daemonset-compute.yaml b/nova/templates/daemonset-compute.yaml
index 850f0b00a8..aa4b27ccc6 100644
--- a/nova/templates/daemonset-compute.yaml
+++ b/nova/templates/daemonset-compute.yaml
@@ -248,6 +248,7 @@ spec:
 mountPath: /run
 - name: cgroup
 mountPath: /sys/fs/cgroup
+ readOnly: true
 - name: pod-shared
 mountPath: /tmp/pod-shared
 - name: machine-id
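Review bot: The added `readOnly: true` on the `cgroup` mount at `/sys/fs/cgroup` is not recursive in Kubernetes, so if the volume is a hostPath to the host's cgroup tree (the volume definition is outside this hunk), the per-controller submounts on a cgroup v1 host can remain writable inside the pod. On clusters that support the field, adding `recursiveReadOnly: Enabled` beneath the new line closes that gap; otherwise a template comment such as `# readOnly covers the top-level mount only; controller submounts may stay writable` would record the limit. It is also worth confirming whether this container runs privileged (its securityContext is not visible here), since a process holding CAP_SYS_ADMIN can remount the path read-write and the flag then guards only against accidental writes.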