Use Read-Only filesystem for containers where possible
Error: Read-Only filesystem for containers is not used
Bridgecrew Policy ID: BC_K8S_21
Checkov Check ID: CKV_K8S_22
Severity: LOW
Description
A read-only root filesystem helps enforce an immutable infrastructure strategy. The container should write only to mounted volumes, which can persist even after the container exits.
Using an immutable root filesystem together with a verified boot mechanism prevents attackers from "owning" the machine through permanent local changes. An immutable root filesystem can also prevent malicious binaries from writing to the host system.
Fix - Buildtime
Kubernetes
- Resource: Container
- Argument: readOnlyRootFilesystem (Optional)
Defines whether a container is able to write to its root filesystem. Defaults to false.
apiVersion: v1
kind: Pod
metadata:
  name: <Pod name>
spec:
  containers:
  - name: <container name>
    image: <image>
    securityContext:
+     readOnlyRootFilesystem: true
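The following is an added example, not Checkov's own implementation of CKV_K8S_22. It scans a manifest for containers that do not set readOnlyRootFilesystem to true (covering initContainers and the pod template inside workload controllers such as a Deployment, which the snippet above does not show), and it carries a hardened manifest that keeps the root filesystem read-only while giving the process a writable emptyDir at /tmp, the usual follow-up fix when an application still needs scratch space. The manifests are constructed sample input embedded as Python dicts so the script runs without PyYAML; yaml.safe_load on real files yields the same structure.

```python
"""Flag Kubernetes containers whose root filesystem is writable.

Added example mirroring the intent of CKV_K8S_22 (not Checkov's code):
every container must set securityContext.readOnlyRootFilesystem: true,
because the field defaults to false when omitted.
"""
from typing import Any, Dict, List


def pod_spec(manifest: Dict[str, Any]) -> Dict[str, Any]:
    """Return the PodSpec for a bare Pod or for a controller's pod template."""
    if manifest.get("kind") == "Pod":
        return manifest.get("spec", {})
    # Deployment, StatefulSet, DaemonSet, Job wrap the PodSpec in spec.template.spec
    return manifest.get("spec", {}).get("template", {}).get("spec", {})


def writable_root_containers(manifest: Dict[str, Any]) -> List[str]:
    """Names of containers (init and regular) that can write to their root fs."""
    spec = pod_spec(manifest)
    failing: List[str] = []
    for field in ("initContainers", "containers"):
        for container in spec.get(field, []):
            security_context = container.get("securityContext") or {}
            # Only an explicit `true` passes; a missing key means the default, false.
            if security_context.get("readOnlyRootFilesystem") is not True:
                failing.append(container["name"])
    return failing


def passes_check(manifest: Dict[str, Any]) -> bool:
    """True when no container in the manifest has a writable root filesystem."""
    return not writable_root_containers(manifest)


# Constructed sample: the unfixed shape from the page, field omitted entirely.
FAILING_POD: Dict[str, Any] = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "example-pod"},
    "spec": {
        "containers": [
            {"name": "app", "image": "example/app:1.0"},
        ]
    },
}

# Constructed sample: read-only root, with a writable emptyDir mounted at /tmp
# so a process that needs scratch space still works.
HARDENED_POD: Dict[str, Any] = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "example-pod"},
    "spec": {
        "containers": [
            {
                "name": "app",
                "image": "example/app:1.0",
                "securityContext": {"readOnlyRootFilesystem": True},
                "volumeMounts": [{"name": "tmp", "mountPath": "/tmp"}],
            }
        ],
        "volumes": [{"name": "tmp", "emptyDir": {}}],
    },
}

# Constructed sample: a Deployment whose init container was forgotten.
MIXED_DEPLOYMENT: Dict[str, Any] = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "example-deploy"},
    "spec": {
        "template": {
            "spec": {
                "initContainers": [
                    {"name": "migrate", "image": "example/migrate:1.0"},
                ],
                "containers": [
                    {
                        "name": "web",
                        "image": "example/web:1.0",
                        "securityContext": {"readOnlyRootFilesystem": True},
                    }
                ],
            }
        }
    },
}


if __name__ == "__main__":
    for label, manifest in (
        ("failing pod", FAILING_POD),
        ("hardened pod", HARDENED_POD),
        ("mixed deployment", MIXED_DEPLOYMENT),
    ):
        print(f"{label}: writable root in {writable_root_containers(manifest) or 'none'}")
```

The check is deliberately strict: a securityContext block without the key, or with the key set to anything other than true, is reported, matching the "defaults to false" rule stated above. When the scan reports a container, the hardened manifest shows the shape of the fix: set the flag and mount emptyDir volumes only at the paths the application genuinely writes to.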
Updated 10 months ago