Enforce Read Only Root Filesystem 1.0.4

Enforces that containers cannot write to their root filesystems. Applications should not need to write to the container filesystem; if they can, an attacker who gains code execution in the container can modify its configuration, replace binaries and download further exploits or malware. If the application or service needs to persist data on disk, use dedicated volume mounts instead. Container logs should be written to stdout or to a log forwarder, not to a file in the container filesystem at all.

To mitigate this risk, make sure to set readOnlyRootFilesystem: true in your manifests.


Note that this policy is part of the following security standards:

  • nist/SP.800-190: NIST Special Publication 800-190 - Application Container Security Guide: Section 3.5.5
  • bsi/containerization: BSI IT-Grundschutz "Containerisierung": Section: SYS.1.6.A24
  • nsa/kubernetes: Kubernetes Hardening Guidance v1.0: Immutable container file systems

Applies to

  • Pod
  • ReplicaSet
  • ReplicationController
  • Deployment
  • StatefulSet
  • DaemonSet
  • Job
  • CronJob

Example

The securityContext block at the end of the container definition is the addition required by this policy:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
        - name: nginx
          image: nginx:1.14.2
          ports:
            - containerPort: 80
          securityContext:
            readOnlyRootFilesystem: true

Risk acceptance

Use the annotation securitytower.io/policy.exclusion.enforcereadonlyrootfilesystem as in the example below, with the justification for the exception as its value.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: your-deployment
  annotations:
    securitytower.io/policy.exclusion.enforcereadonlyrootfilesystem: |-
      This container needs write access to directory x. It can't be replaced with a volume, because...
...
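As an added example (not SecurityTower's own policy code), the following checker applies this rule the way the page describes it: it finds the pod spec for each workload kind listed under "Applies to", flags every container and initContainer whose securityContext does not set readOnlyRootFilesystem to true, and treats the exclusion annotation from the "Risk acceptance" section as an accepted risk. It works on manifests already parsed into Python dicts (the shape yaml.safe_load() returns), so it runs without extra dependencies; the sample nginx Deployment is constructed inline from the example above.

```python
# Added example: a minimal checker for the "Enforce Read Only Root Filesystem" policy,
# operating on parsed manifests (dicts as produced by yaml.safe_load()). Not the
# project's own implementation.
EXCLUSION_ANNOTATION = "securitytower.io/policy.exclusion.enforcereadonlyrootfilesystem"


def pod_spec(manifest):
    """Return the pod spec for any workload kind this policy applies to, else None."""
    kind = manifest.get("kind")
    spec = manifest.get("spec", {}) or {}
    if kind == "Pod":
        return spec
    if kind == "CronJob":  # CronJob wraps a Job template, which wraps a pod template
        return spec.get("jobTemplate", {}).get("spec", {}).get("template", {}).get("spec", {})
    if kind in ("ReplicaSet", "ReplicationController", "Deployment",
                "StatefulSet", "DaemonSet", "Job"):
        return spec.get("template", {}).get("spec", {})
    return None  # kind not covered by this policy


def check_read_only_root(manifest):
    """Return a list of violation strings; empty means compliant, excluded or out of scope."""
    annotations = manifest.get("metadata", {}).get("annotations", {}) or {}
    if annotations.get(EXCLUSION_ANNOTATION):
        return []  # risk accepted explicitly; the justification lives in the annotation value
    spec = pod_spec(manifest)
    if spec is None:
        return []
    name = f"{manifest.get('kind')}/{manifest.get('metadata', {}).get('name')}"
    violations = []
    # initContainers are checked too: they run with the same filesystem risks.
    for c in (spec.get("initContainers") or []) + (spec.get("containers") or []):
        sc = c.get("securityContext") or {}
        if sc.get("readOnlyRootFilesystem") is not True:  # unset means writable root
            violations.append(f"{name}: container '{c.get('name')}' has a writable root filesystem")
    return violations


# Constructed sample: the nginx Deployment from this page, before and after the fix.
def nginx_deployment(read_only):
    container = {"name": "nginx", "image": "nginx:1.14.2", "ports": [{"containerPort": 80}]}
    if read_only:
        container["securityContext"] = {"readOnlyRootFilesystem": True}
    return {"apiVersion": "apps/v1", "kind": "Deployment",
            "metadata": {"name": "nginx-deployment"},
            "spec": {"replicas": 1, "template": {"spec": {"containers": [container]}}}}


if __name__ == "__main__":
    for m in (nginx_deployment(False), nginx_deployment(True)):
        print(check_read_only_root(m) or "compliant")
```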