Read-Only filesystem for containers is not used

Description

A read-only root filesystem helps enforce an immutable-infrastructure strategy: the container should write only to mounted volumes, which can persist even after the container exits.

Using an immutable root filesystem together with a verified boot mechanism prevents attackers from "owning" the machine through permanent local changes. An immutable root filesystem can also prevent malicious binaries from writing to the host system.

Fix - Buildtime

Kubernetes

  • Resource: Container
  • Argument: readOnlyRootFilesystem (Optional)
    Defines whether the container is able to write to its root filesystem. Defaults to false.
apiVersion: v1
kind: Pod
metadata:
  name: <Pod name>
spec:
  containers:
  - name: <container name>
    image: <image>
    securityContext:
      readOnlyRootFilesystem: true
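As an added example (not part of this policy page or any scanner it describes), a small Python checker that applies the rule above to Pod and workload manifests, treating an absent readOnlyRootFilesystem as the default false; the manifests are constructed samples, passed as already-parsed dicts so no YAML library is needed.

```python
# Added example (not the page's own tool): flag containers whose root
# filesystem is writable. Manifests are already-parsed dicts, as
# yaml.safe_load would return them, so the check needs no dependencies.
TEMPLATED_KINDS = {"Deployment", "StatefulSet", "DaemonSet", "Job"}

def pod_spec(manifest):
    """Return the PodSpec of a Pod, or of a workload that embeds one under
    spec.template.spec; None for kinds that run no containers."""
    kind = manifest.get("kind")
    if kind == "Pod":
        return manifest.get("spec", {})
    if kind in TEMPLATED_KINDS:
        return manifest.get("spec", {}).get("template", {}).get("spec", {})
    return None

def find_writable_root_fs(manifest):
    """Names of containers and initContainers lacking readOnlyRootFilesystem:
    true. An absent field means the Kubernetes default, false."""
    spec = pod_spec(manifest)
    if spec is None:
        return []
    findings = []
    for field in ("initContainers", "containers"):
        for c in spec.get(field, []):
            ctx = c.get("securityContext") or {}
            if ctx.get("readOnlyRootFilesystem") is not True:
                findings.append(f"{field}/{c.get('name')}")
    return findings

# Constructed sample: the page's fix, plus an emptyDir mounted at /tmp so a
# process that needs scratch space still works with a read-only root.
FIXED_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "example"},
    "spec": {
        "containers": [{"name": "app", "image": "example/app:1.0",
                        "securityContext": {"readOnlyRootFilesystem": True},
                        "volumeMounts": [{"name": "tmp", "mountPath": "/tmp"}]}],
        "volumes": [{"name": "tmp", "emptyDir": {}}],
    },
}

# Constructed sample: a Deployment whose sidecar omits the field entirely.
WEAK_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "web"},
    "spec": {"template": {"spec": {"containers": [
        {"name": "web", "image": "example/web:1.0",
         "securityContext": {"readOnlyRootFilesystem": True}},
        {"name": "sidecar", "image": "example/sidecar:1.0"},
    ]}}},
}
```

Calling find_writable_root_fs(WEAK_DEPLOYMENT) returns ["containers/sidecar"], while the fixed Pod returns an empty list; the emptyDir mount shows the usual companion change when an application needs a writable scratch path.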