Enforces that containers cannot write to their root filesystems. Applications should not need to write to the container filesystem; if they can, an attacker who gains code execution in the container can modify the configuration, replace binaries, and download further exploits or malware. If the application or service needs to persist data on disk, use dedicated volume mounts instead. Container logs should not be written to a file at all; write them to stdout or to a log forwarder.
To mitigate this risk, set readOnlyRootFilesystem: true in the securityContext of every container in your manifests.
Note that this policy is part of the following security standards:
- nist/SP.800-190: NIST Special Publication 800-190 - Application Container Security Guide: Section 3.5.5
- bsi/containerization: BSI IT-Grundschutz "Containerisierung": Section SYS.1.6.A24
- nsa/kubernetes: Kubernetes Hardening Guidance v1.0: Immutable container file systems

```diff
 apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: nginx-deployment
   labels:
     app: nginx
 spec:
   replicas: 1
   selector:
     matchLabels:
       app: nginx
   template:
     metadata:
       labels:
         app: nginx
     spec:
       containers:
       - name: nginx
         image: nginx:1.14.2
         ports:
         - containerPort: 80
+        securityContext:
+          readOnlyRootFilesystem: true
```
To exclude a resource from this policy, add the annotation securitytower.io/policy.exclusion.enforcereadonlyrootfilesystem with a justification, as in the example below.
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: your-deployment
  annotations:
    securitytower.io/policy.exclusion.enforcereadonlyrootfilesystem: |-
      This container needs write access to directory x.
      It can't be replaced with a volume, because...
...
```
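As an added example (not part of the original page and not Security Tower's own code), the following Python check flags every container whose root filesystem is not read-only, skips workloads that carry the exclusion annotation above with a non-empty justification, and, in its hardened sample, shows the volume-mount approach from the description: the paths nginx still needs to write (assumed here to be /var/cache/nginx and /var/run for the official image) are backed by emptyDir volumes rather than a writable root. Manifests are assumed to be loaded as Python dicts, for instance with json.load over the output of kubectl get -o json; all four sample manifests are constructed for this example.

```python
# Added example, not Security Tower's code: an offline readOnlyRootFilesystem check.
# Manifests are assumed to be plain dicts (e.g. json.load over `kubectl get ... -o json`).

EXCLUSION_ANNOTATION = "securitytower.io/policy.exclusion.enforcereadonlyrootfilesystem"


def pod_spec_of(manifest):
    """Return the pod spec of a bare Pod, or of a workload that wraps a pod template."""
    spec = manifest.get("spec") or {}
    if manifest.get("kind") == "Pod":
        return spec
    return (spec.get("template") or {}).get("spec") or {}


def is_excluded(manifest):
    """True only when the exclusion annotation is present with a non-empty justification."""
    annotations = (manifest.get("metadata") or {}).get("annotations") or {}
    return bool(annotations.get(EXCLUSION_ANNOTATION, "").strip())


def check_read_only_root(manifest):
    """Return (container name, detail) for each container that violates the policy.

    An empty list means the manifest passes. initContainers are checked as well,
    because they get the same filesystem semantics as regular containers.
    """
    if is_excluded(manifest):
        return []
    findings = []
    spec = pod_spec_of(manifest)
    for field in ("initContainers", "containers"):
        for container in spec.get(field) or []:
            sc = container.get("securityContext") or {}
            if sc.get("readOnlyRootFilesystem") is not True:
                findings.append((container["name"], f"{field}: readOnlyRootFilesystem is not true"))
    return findings


def check_all(manifests):
    """Map each failing manifest's name to its findings; passing manifests are omitted."""
    result = {}
    for manifest in manifests:
        findings = check_read_only_root(manifest)
        if findings:
            result[manifest["metadata"]["name"]] = findings
    return result


# Constructed sample 1: the page's nginx Deployment before the fix (no securityContext).
UNPATCHED = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "nginx-deployment"},
    "spec": {"template": {"spec": {"containers": [
        {"name": "nginx", "image": "nginx:1.14.2", "ports": [{"containerPort": 80}]}]}}},
}

# Constructed sample 2: the hardened form. The root filesystem is read-only; the cache
# directory and pid-file location nginx writes to (assumed paths for the official image)
# are covered by emptyDir volumes, which is the "dedicated volume mount" the policy recommends.
HARDENED = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "nginx-deployment"},
    "spec": {"template": {"spec": {
        "containers": [{
            "name": "nginx", "image": "nginx:1.14.2",
            "securityContext": {"readOnlyRootFilesystem": True},
            "volumeMounts": [{"name": "cache", "mountPath": "/var/cache/nginx"},
                             {"name": "run", "mountPath": "/var/run"}],
        }],
        "volumes": [{"name": "cache", "emptyDir": {}}, {"name": "run", "emptyDir": {}}],
    }}},
}

# Constructed sample 3: excluded through the annotation, with a justification text.
EXCLUDED = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "legacy-app",
                 "annotations": {EXCLUSION_ANNOTATION: "Needs to write to /opt/app/state; ..."}},
    "spec": {"template": {"spec": {"containers": [{"name": "app", "image": "legacy:1.0"}]}}},
}

# Constructed sample 4: a bare Pod whose initContainer explicitly opts out.
POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "tool"},
    "spec": {
        "initContainers": [{"name": "setup", "image": "busybox",
                            "securityContext": {"readOnlyRootFilesystem": False}}],
        "containers": [{"name": "main", "image": "busybox",
                        "securityContext": {"readOnlyRootFilesystem": True}}],
    },
}


if __name__ == "__main__":
    for name, findings in check_all([UNPATCHED, HARDENED, EXCLUDED, POD]).items():
        for container, detail in findings:
            print(f"{name}/{container}: {detail}")
```

Run stand-alone, the script reports nginx-deployment/nginx (the unpatched sample) and tool/setup (the opted-out initContainer); the hardened and excluded samples produce no findings. An empty justification string does not count as an exclusion, so an annotation added without a reason is still flagged.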