kedacore / keda-olm-operator

Operator for deploying KEDA Controller on OperatorHub.io/OLM
Apache License 2.0

Set "readOnlyRootFilesystem: true" in operator pod template to match operand #243

Closed jkyros closed 2 months ago

jkyros commented 2 months ago
  "Type": "Kubernetes Security Check",
  "ID": "KSV014",
  "AVDID": "AVD-KSV-0014",
  "Title": "Root file system is not read-only",
  "Description": "An immutable root file system prevents applications from writing to their local disk. This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.",
  "Message": "Container 'custom-metrics-autoscaler-operator' of Pod 'custom-metrics-autoscaler-operator-5b6fb58767-zmrvr' should set 'securityContext.readOnlyRootFilesystem' to true",
  "Namespace": "builtin.kubernetes.KSV014",
  "Query": "data.builtin.kubernetes.KSV014.deny",
  "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.",
  "Severity": "HIGH",
  "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014",
  "References": [
    "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/",
    "https://avd.aquasec.com/misconfig/ksv014"
  ],
  "Status": "FAIL",

NOTE: I did re-run a trivy scan with a bundle built from this PR and this does fix the issue

Checklist

Fixes #
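The KSV014 condition from the trivy finding above, reimplemented as a small manifest check (an added example; it is neither trivy's Rego policy nor code from this repository). It walks the pod spec of a Pod or workload object in `kubectl get -o json` shape and reports every container, init containers included, whose `securityContext.readOnlyRootFilesystem` is not `true`; the sample Deployment and its container names are constructed.

```python
import json

# Workload kinds whose pod template lives under .spec.template
_TEMPLATED = {"Deployment", "StatefulSet", "DaemonSet", "ReplicaSet", "Job"}


def _pod_spec(obj):
    """Return the PodSpec of a Pod or workload object, or None for other kinds."""
    kind = obj.get("kind")
    if kind == "Pod":
        return obj.get("spec", {})
    if kind in _TEMPLATED:
        return obj.get("spec", {}).get("template", {}).get("spec", {})
    if kind == "CronJob":
        return (obj.get("spec", {}).get("jobTemplate", {}).get("spec", {})
                .get("template", {}).get("spec", {}))
    return None


def find_ksv014_failures(obj):
    """List 'Kind/name: container' for each container (init containers too)
    whose securityContext.readOnlyRootFilesystem is anything but true."""
    spec = _pod_spec(obj)
    if spec is None:
        return []
    label = f"{obj.get('kind')}/{obj.get('metadata', {}).get('name', '<unnamed>')}"
    failures = []
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        sc = c.get("securityContext") or {}      # missing block counts as a failure
        if sc.get("readOnlyRootFilesystem") is not True:
            failures.append(f"{label}: {c.get('name')}")
    return failures


# Constructed sample manifest: one compliant container, one missing the field
SAMPLE = json.loads("""
{ "kind": "Deployment",
  "metadata": {"name": "example-operator"},
  "spec": {"template": {"spec": {
    "containers": [
      {"name": "manager",
       "securityContext": {"readOnlyRootFilesystem": true,
                           "allowPrivilegeEscalation": false}},
      {"name": "kube-rbac-proxy",
       "securityContext": {"allowPrivilegeEscalation": false}}
    ]}}}}
""")

if __name__ == "__main__":
    for failure in find_ksv014_failures(SAMPLE):
        print("FAIL KSV014:", failure)
```

Run it against `kubectl get deploy <name> -o json` output to get the same verdict trivy gives, one line per offending container.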

joelsmith commented 2 months ago

Looks good, but could you please also add it to https://github.com/jkyros/custom-metrics-autoscaler-operator/blob/fix-writeable-root-fs/bundle/manifests/keda.clusterserviceversion.yaml#L654 so that we have a consistent set of manifests across the repo? You can add it either by doing make bundle (which will also change a few other lines showing when it was created) or just editing by hand since it's just one line.

Even though the bundle dir really only gets used when testing, I like the idea of keeping it updated.

jkyros commented 2 months ago

Thanks! Great catch. I also re-ordered the field so it's at the bottom of the securityContext section -- I noticed the generators alphabetize the fields when they generate and I was naughty and hadn't.

joelsmith commented 2 months ago

LGTM!