Enforces that containers cannot write to their root filesystems. An application should not need to write to the container filesystem; if it can, an attacker who gains code execution in the container can modify the configuration, replace binaries, and download further exploits or malware. If the application or service needs to persist data on disk, use dedicated volume mounts instead. Container logs should not be written to a file at all, but to stdout or to a log forwarder.
To mitigate this risk, set readOnlyRootFilesystem: true in the securityContext of every container in your manifests.
Note that this policy is part of the following security standards:
nist/SP.800-190: NIST Special Publication 800-190, Application Container Security Guide, Section 3.5.5
bsi/containerization: BSI IT-Grundschutz "Containerisierung", Section SYS.1.6.A24
nsa/kubernetes: Kubernetes Hardening Guidance v1.0, "Immutable container file systems"
      containers:
        - name: nginx
          ports:
            - containerPort: 80
          securityContext:
            readOnlyRootFilesystem: true   # add this line
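The following Deployment is an added example, not a manifest from this policy page: it applies the setting above and supplies the writable paths the application needs through dedicated emptyDir volumes, as recommended, so the root filesystem itself stays immutable. The image tag and the writable paths (/var/cache/nginx, /var/run, /tmp) are assumptions about the stock nginx image; substitute the paths your own application writes to.

```yaml
# Added example (not from the policy page). Satisfies enforcereadonlyrootfilesystem
# while giving nginx scratch space via volumes instead of the root filesystem.
# Image tag and writable paths are assumptions for the stock nginx image.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-readonly
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx-readonly
  template:
    metadata:
      labels:
        app: nginx-readonly
    spec:
      containers:
        - name: nginx
          image: nginx:1.25   # assumed tag
          ports:
            - containerPort: 80
          securityContext:
            readOnlyRootFilesystem: true   # the setting this policy enforces
          volumeMounts:
            # Each path nginx writes to gets its own volume; binaries and
            # configuration on the image layer cannot be modified at runtime.
            - name: cache
              mountPath: /var/cache/nginx   # assumed: nginx proxy/fastcgi cache
            - name: run
              mountPath: /var/run           # assumed: nginx.pid
            - name: tmp
              mountPath: /tmp
      volumes:
        - name: cache
          emptyDir: {}
        - name: run
          emptyDir: {}
        - name: tmp
          emptyDir: {}
```

To confirm the setting took effect, `kubectl exec deploy/nginx-readonly -- touch /etc/probe` should fail with "Read-only file system", while writes under the mounted paths succeed.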
To exclude a workload from this policy, add the annotation securitytower.io/policy.exclusion.enforcereadonlyrootfilesystem to it, with a justification as its value, as in the example below.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: your-deployment
  annotations:
    securitytower.io/policy.exclusion.enforcereadonlyrootfilesystem: |-
      This container needs write access to directory x.
      It can't be replaced with a volume, because...
...