Minimize the admission of containers to RootFilesystem (PSP)

This setting controls whether a container can write to its own root filesystem. Containers typically need to write only to mounted volumes that hold their state; the root filesystem (the image layers) is supposed to be immutable. Making it read-only denies an attacker who gains code execution inside the container the ability to drop tooling or tamper with the binaries and configuration shipped in the image, which is why the rule is rated High. You can enforce this behaviour with the readOnlyRootFilesystem flag.

Risk Level: High
Cloud Entity: Pod Security Policies
CloudGuard Rule ID: D9.K8S.IAM.39
Covered by Spectral: Yes
Category: Security, Identity, & Compliance

GSL LOGIC

KubernetesPodSecurityPolicy should have spec.readOnlyRootFilesystem = true

REMEDIATION

Set spec.readOnlyRootFilesystem to true in the PSP. Pods admitted under that policy must then write only to mounted volumes (an emptyDir for scratch space, a persistent volume for state), so add such mounts to any workload that currently writes to paths like /tmp or /var/cache on its root filesystem before rolling the policy out, or the pods will fail at runtime. Note that PodSecurityPolicy was deprecated in Kubernetes v1.21 and removed in v1.25; on those versions the same requirement has to be enforced by another admission mechanism.
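As an added example (not CloudGuard's rule engine and not Kubernetes code), the Python script below applies the GSL condition above to the JSON that `kubectl get psp -o json` prints, and checks a Pod manifest for the container-level setting a PSP with the remediated value demands. The PSP and Pod manifests it carries are constructed samples; names such as `permissive`, `writable-root`, `restricted` and the `example/...` images are placeholders.

```python
"""Audit PodSecurityPolicies and Pods for read-only root filesystems.

Added example, not CloudGuard or Kubernetes code. Evaluates the GSL condition
"spec.readOnlyRootFilesystem = true" over the JSON printed by
`kubectl get psp -o json`, and lists containers in a Pod that do not declare
securityContext.readOnlyRootFilesystem: true. All manifests are constructed.
"""
import json


def _psp(name, **spec):
    """Build a minimal PodSecurityPolicy dict with the required strategy fields."""
    base = {
        "privileged": False,
        "seLinux": {"rule": "RunAsAny"},
        "runAsUser": {"rule": "RunAsAny"},
        "supplementalGroups": {"rule": "RunAsAny"},
        "fsGroup": {"rule": "RunAsAny"},
        "volumes": ["configMap", "secret", "emptyDir", "persistentVolumeClaim"],
    }
    base.update(spec)
    return {"apiVersion": "policy/v1beta1", "kind": "PodSecurityPolicy",
            "metadata": {"name": name}, "spec": base}


# Constructed sample in the shape of `kubectl get psp -o json` (a v1 List).
SAMPLE_PSP_LIST = json.dumps({"apiVersion": "v1", "kind": "List", "items": [
    _psp("permissive"),                                   # field omitted: API default is false
    _psp("writable-root", readOnlyRootFilesystem=False),  # weak: explicitly false
    _psp("restricted", readOnlyRootFilesystem=True),      # remediated
]})


def psp_requires_read_only_root(psp):
    """GSL condition: spec.readOnlyRootFilesystem must be exactly boolean true.

    An absent field is false in the API, and a string "true" is not the
    boolean, so both fail the rule."""
    return psp.get("spec", {}).get("readOnlyRootFilesystem") is True


def audit_psp_list(list_json):
    """Map each PSP name in a kubectl JSON List (or a single PSP object) to pass/fail."""
    obj = json.loads(list_json)
    items = obj.get("items", []) if obj.get("kind") == "List" else [obj]
    return {item["metadata"]["name"]: psp_requires_read_only_root(item)
            for item in items if item.get("kind") == "PodSecurityPolicy"}


def failing_psps(list_json):
    """Sorted names of PSPs that the rule would flag."""
    return sorted(name for name, ok in audit_psp_list(list_json).items() if not ok)


# Constructed sample Pod: "web" writes only to an emptyDir mounted at /tmp and
# declares a read-only root; "legacy-sidecar" explicitly asks for a writable
# root and is rejected by a PSP that requires readOnlyRootFilesystem; "metrics"
# leaves the field unset.
SAMPLE_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "app"},
    "spec": {
        "volumes": [{"name": "scratch", "emptyDir": {}}],
        "containers": [
            {"name": "web", "image": "example/web:1.0",
             "securityContext": {"readOnlyRootFilesystem": True},
             "volumeMounts": [{"name": "scratch", "mountPath": "/tmp"}]},
            {"name": "legacy-sidecar", "image": "example/sidecar:1.0",
             "securityContext": {"readOnlyRootFilesystem": False}},
            {"name": "metrics", "image": "example/exporter:1.0"},
        ],
    },
}


def containers_without_read_only_root(pod):
    """Names of init and regular containers that do not explicitly set
    securityContext.readOnlyRootFilesystem: true.

    Under a PSP that requires the setting, an explicit false is rejected at
    admission; an unset value is left to the admission controller's defaulting,
    so declaring it in the manifest is the safer habit."""
    spec = pod.get("spec", {})
    return [c["name"]
            for c in spec.get("initContainers", []) + spec.get("containers", [])
            if c.get("securityContext", {}).get("readOnlyRootFilesystem") is not True]


if __name__ == "__main__":
    import sys
    # Pipe `kubectl get psp -o json` in, or run without input to use the sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PSP_LIST
    for name, ok in audit_psp_list(data).items():
        print(f"{'PASS' if ok else 'FAIL'} PodSecurityPolicy/{name}")
    print("containers without readOnlyRootFilesystem: true:",
          containers_without_read_only_root(SAMPLE_POD))
```

Run it as `kubectl get psp -o json | python3 psp_audit.py` on a cluster that still serves the policy/v1beta1 API; with the sample data it reports `permissive` and `writable-root` as failing and `restricted` as passing, and lists `legacy-sidecar` and `metrics` as containers that would need attention before the remediated PSP is enforced.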

Pod Security Policies

A Pod Security Policy is a cluster-level resource that controls security-sensitive aspects of the pod specification. PodSecurityPolicy objects define a set of conditions that a pod must satisfy in order to be admitted into the cluster, as well as defaults for the related fields.

Compliance Frameworks

  • Kubernetes v.1.14 CloudGuard Best Practices