A read-only root filesystem helps enforce an immutable infrastructure strategy. The container should write only to mounted volumes, which can persist even after the container exits.
Using an immutable root filesystem together with a verified boot mechanism prevents attackers from "owning" the machine through permanent local changes. An immutable root filesystem can also prevent malicious binaries from writing to the host system.
- Resource: Container
- Argument: readOnlyRootFilesystem (Optional)
Defines whether a container is able to write into its root filesystem. Defaults to false.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: <Pod name>
spec:
  containers:
    - name: <container name>
      image: <image>
      securityContext:
        readOnlyRootFilesystem: true
```
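A common failure mode when enabling this setting is an application that still needs a scratch directory (for example /tmp). The manifest below is an added example, not from the original page; the container name, image and mount path are assumed, and it shows the read-only root combined with an emptyDir volume so writes go only to an explicitly mounted path:

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: readonly-root-example   # assumed name
spec:
  containers:
    - name: app                  # assumed container name
      image: example.invalid/app:1.0   # placeholder image
      securityContext:
        readOnlyRootFilesystem: true
      volumeMounts:
        # Scratch space: the only writable path inside the container.
        - name: tmp
          mountPath: /tmp
  volumes:
    # emptyDir lives for the lifetime of the Pod; use a PersistentVolumeClaim
    # instead when data must outlive the Pod.
    - name: tmp
      emptyDir: {}
```

Writes anywhere outside /tmp now fail with a read-only filesystem error, which is the intended signal that the application is touching a path it should not.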