[bitnami/fluentd] Make volume mount read-only (#35038)

* [bitnami/fluentd] Make  volume mount read-only

Signed-off-by: Carlos Rodríguez Hernández <carlos.rodriguez-hernandez@broadcom.com>

* Update CHANGELOG.md

Signed-off-by: Bitnami Bot <bitnami.bot@broadcom.com>

---------

Signed-off-by: Carlos Rodríguez Hernández <carlos.rodriguez-hernandez@broadcom.com>
Signed-off-by: Bitnami Bot <bitnami.bot@broadcom.com>
Co-authored-by: Bitnami Bot <bitnami.bot@broadcom.com>

.vib/fluentd/runtime-parameters.yaml

@@ -2,3 +2,5 @@ aggregator:
   enabled: true
 forwarder:
   enabled: true
+varlog:
+  readonly: false

bitnami/fluentd/CHANGELOG.md

@@ -1,8 +1,12 @@
 # Changelog
 
-## 7.1.9 (2025-06-14)
+## 7.2.0 (2025-07-14)
 
-* [bitnami/fluentd] :zap: :arrow_up: Update dependency references ([#34503](https://github.com/bitnami/charts/pull/34503))
+* [bitnami/fluentd] Make  volume mount read-only ([#35038](https://github.com/bitnami/charts/pull/35038))
+
+## <small>7.1.9 (2025-06-14)</small>
+
+* [bitnami/fluentd] :zap: :arrow_up: Update dependency references (#34503) ([e1a35fe](https://github.com/bitnami/charts/commit/e1a35fec9a34ab0542eb021f6038efdae00405f9)), closes [#34503](https://github.com/bitnami/charts/issues/34503)
 
 ## <small>7.1.8 (2025-05-15)</small>
 

bitnami/fluentd/Chart.yaml

@@ -32,4 +32,4 @@ maintainers:
 name: fluentd
 sources:
 - https://github.com/bitnami/charts/tree/main/bitnami/fluentd
-version: 7.1.9
+version: 7.2.0

bitnami/fluentd/README.md

@@ -260,6 +260,7 @@ TLS for the Fluentd can be enabled by setting `tls.enabled=true`. The chart allo
 | `image.pullPolicy`                                             | Fluentd image pull policy                                                                                                                                                                                                               | `IfNotPresent`                                             |
 | `image.pullSecrets`                                            | Fluentd image pull secrets                                                                                                                                                                                                              | `[]`                                                       |
 | `image.debug`                                                  | Enable image debug mode                                                                                                                                                                                                                 | `false`                                                    |
+| `varlog.readonly`                                              | Set /var/log volume mount readOnly                                                                                                                                                                                                      | `true`                                                     |
 | `forwarder.enabled`                                            | Enable forwarder daemonset                                                                                                                                                                                                              | `true`                                                     |
 | `forwarder.daemonUser`                                         | Forwarder daemon user and group (set to root by default because it reads from host paths)                                                                                                                                               | `root`                                                     |
 | `forwarder.daemonGroup`                                        | Fluentd forwarder daemon system group                                                                                                                                                                                                   | `root`                                                     |

bitnami/fluentd/templates/forwarder-daemonset.yaml

@@ -281,6 +281,7 @@ spec:
             {{- end }}
             - name: varlog
               mountPath: /var/log
+              readOnly: {{ .Values.varlog.readonly }}
             - name: varlibdockercontainers
               mountPath: /var/lib/docker/containers
               readOnly: true

bitnami/fluentd/templates/forwarder-psp.yaml

@@ -23,6 +23,7 @@ spec:
     - pathPrefix: '/var/lib/docker/containers'
       readOnly: true
     - pathPrefix: '/var/log'
+      readOnly: {{ .Values.varlog.readonly }}
   volumes:
     - 'configMap'
     - 'emptyDir'

bitnami/fluentd/values.yaml

@@ -100,6 +100,13 @@ image:
   ## Enable debug mode
   ##
   debug: false
+
+## /var/log readonly
+## @param varlog.readonly Set /var/log volume mount readOnly
+##
+varlog:
+  readonly: true
+
 ## Forwarder parameters
 ##
 forwarder: