From cfa2406d621bf374835ecb727c73ee156aecc2e0 Mon Sep 17 00:00:00 2001
From: Phil Gebhardt <phil@gremlin.com>
Date: Thu, 4 Dec 2025 08:27:45 -0800
Subject: [PATCH] chao: hardcode readOnlyRootFilesystem=true

---
 gremlin/templates/chao-deployment.yaml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/gremlin/templates/chao-deployment.yaml b/gremlin/templates/chao-deployment.yaml
index 582b4b6..4459957 100644
--- a/gremlin/templates/chao-deployment.yaml
+++ b/gremlin/templates/chao-deployment.yaml
@@ -48,6 +48,8 @@ spec:
       imagePullSecrets:
       - name: {{ .Values.chaoimage.pullSecret }}
       {{- end }}
+      securityContext:
+        readOnlyRootFilesystem: true
       containers:
         - image: {{ .Values.chaoimage.repository }}:{{ .Values.chaoimage.tag }}
         {{- if .Values.resources }}