Use Read-Only filesystem for containers where possible

Error: Read-Only filesystem for containers is not used

Bridgecrew Policy ID: BC_K8S_21
Checkov Check ID: CKV_K8S_22
Severity: LOW

Read-Only filesystem for containers is not used

Description

A read-only root filesystem helps to enforce an immutable infrastructure strategy. The container should only write to mounted volumes, which can persist even if the container exits.

Using an immutable root filesystem together with a verified boot mechanism prevents attackers from "owning" the machine through permanent local changes. An immutable root filesystem can also prevent malicious binaries from writing to the host system.

Fix - Buildtime

Kubernetes

  • Resource: Container
  • Argument: readOnlyRootFilesystem (Optional)
    Defines whether a container is able to write to its root filesystem. Defaults to false.
apiVersion: v1
kind: Pod
metadata:
  name: <Pod name>
spec:
  containers:
  - name: <container name>
    image: <image>
    securityContext:
      readOnlyRootFilesystem: true   # add this line to make the container's root filesystem read-only
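Most applications still need somewhere to write (temporary files, caches, PID files), and a read-only root filesystem makes them fail at startup unless those paths are backed by a volume. The following added example (not from the original page) shows a Pod that passes this check while still providing writable scratch space through emptyDir volumes; the Pod name, image and mount paths are placeholders.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: example-app            # placeholder name
spec:
  containers:
  - name: app
    image: example.com/app:1.0  # placeholder image
    securityContext:
      readOnlyRootFilesystem: true
    volumeMounts:
    # Only these two paths are writable; every other path in the image is immutable,
    # so a compromised process cannot drop or modify binaries in the container.
    - name: tmp
      mountPath: /tmp
    - name: cache
      mountPath: /var/cache/app   # placeholder: the directory the application actually writes to
  volumes:
  # emptyDir volumes exist for the lifetime of the Pod and are discarded with it,
  # so nothing written here survives a restart of the Pod.
  - name: tmp
    emptyDir: {}
  - name: cache
    emptyDir:
      sizeLimit: 100Mi          # bounds how much the container can write to this scratch area
```

Data that must outlive the Pod belongs on a persistent volume mounted the same way, not on the root filesystem.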