
Conversation

MaciejKaras
Collaborator

@MaciejKaras MaciejKaras commented Oct 1, 2025

Summary

The Operator tries to create webhook server certificates in the /tmp/k8s-webhook-server directory, but it is not mounted as a volume. When securityContext.readOnlyRootFilesystem=true is set, the operator Pod crashes, because it cannot create the directory on a read-only root file system.

Fixes #485

Proof of Work

Passing CI.

Checklist

  • Have you linked a jira ticket and/or is the ticket in the title?
  • Have you checked whether your jira ticket required DOCSP changes?
  • Have you added changelog file?
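The shape of the fix the description calls for, as an added Deployment example that is not the PR's diff or the operator's shipped manifest: the root filesystem stays read-only, and an emptyDir volume gives the webhook server a writable directory at the path the operator writes its certificates to. The Deployment name, label and image are assumed placeholders; the mount path is the one named above, and the securityContext values are those listed in the release-notes preview on this page.

```yaml
# Added example, not from the PR or the operator repository.
# Names, labels and the image reference are assumed placeholders.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: mongodb-kubernetes-operator        # assumed name
spec:
  replicas: 1
  selector:
    matchLabels:
      app: mongodb-kubernetes-operator     # assumed label
  template:
    metadata:
      labels:
        app: mongodb-kubernetes-operator
    spec:
      securityContext:
        seccompProfile:
          type: RuntimeDefault             # pod-level default from the release notes
      containers:
        - name: operator
          image: example.invalid/mongodb-kubernetes:PLACEHOLDER_TAG  # placeholder image
          securityContext:
            readOnlyRootFilesystem: true   # the setting that made the Pod crash before the fix
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
          volumeMounts:
            # Without this mount the operator cannot create the directory on a
            # read-only root filesystem and exits at startup.
            - name: webhook-certs
              mountPath: /tmp/k8s-webhook-server
      volumes:
        - name: webhook-certs
          emptyDir: {}                     # writable, Pod-scoped scratch space
```

An emptyDir is the right volume type here because the operator generates the certificates itself at startup and needs write access; a Secret-backed volume would be mounted read-only and would fail the same way. After applying the manifest, a Pod that previously sat in CrashLoopBackOff should reach Running without any change to the read-only root filesystem setting.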
@MaciejKaras MaciejKaras changed the base branch from master to maciejk/pss-warn October 1, 2025 13:48

github-actions bot commented Oct 1, 2025

⚠️ (this preview might not be accurate if the PR is not rebased on current master branch)

MCK 1.5.0 Release Notes

New Features

  • Improve automation agent certificate rotation: the agent now restarts automatically when its certificate is renewed, ensuring smooth operation without manual intervention and allowing seamless certificate updates without requiring manual Pod restarts.

Bug Fixes

  • To follow the Pod Security Standards, more secure default pod securityContext settings were added.
    Operator deployment securityContext settings that have changed:

    • allowPrivilegeEscalation: false
    • capabilities.drop: [ ALL ]
    • seccompProfile.type: RuntimeDefault

    Other workloads:

    • capabilities.drop: [ ALL ] - container level
    • seccompProfile.type: RuntimeDefault - pod level

Note: If you require less restrictive securityContext settings please use template or podTemplate overrides.
Detailed information about overrides can be found in Modify Ops Manager or MongoDB Kubernetes Resource Containers.

@MaciejKaras MaciejKaras changed the title Fixes Operator crash when securityContext.readOnlyRootFilesystem=true CLOUDP-348828 - fixes Operator crash when securityContext.readOnlyRootFilesystem=true Oct 1, 2025