
☑️ Ensure each container has a read-only root filesystem

An immutable root filesystem prevents applications from writing to their local disk. This is desirable in the event of an intrusion as the attacker will not be able to tamper with the filesystem or write foreign executables to disk.

Objects targeted by this rule (kinds): Deployment / Pod / DaemonSet / StatefulSet / ReplicaSet / CronJob / Job

Complexity: easy

Policy as code identifier: CONTAINERS_INCORRECT_READONLYROOTFILESYSTEM_VALUE

This rule will fail

If the key readOnlyRootFilesystem is not defined on a container, or is defined and set to false.

kind: Deployment
spec:
  containers:
  - name: myDeployment
    # no securityContext.readOnlyRootFilesystem here, so the rule fails

Rule output in the CLI

$ datree test *.yaml

>> File: failExample.yaml
❌ Ensure each container has a read-only root filesystem [1 occurrence]
💡 Incorrect value for key `readOnlyRootFilesystem` - set to 'true' to protect filesystem from potential attacks

How to fix this failure

Set the readOnlyRootFilesystem key with a value of true either at pod level or container level:

kind: Pod
spec:
  securityContext:
    # accepted by the rule; note that the Kubernetes PodSecurityContext API
    # does not define this field, so only the container-level form below is
    # honored by the API server
    readOnlyRootFilesystem: true

kind: Deployment
spec:
  containers:
  - name: myContainer
    securityContext:
      readOnlyRootFilesystem: true
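The following script is an added example, not datree's own rule implementation: it reproduces the rule's stated logic (fail when readOnlyRootFilesystem is missing or false) for every kind the rule targets, locating the pod spec at the right nesting level for each kind, and it also walks initContainers, which goes a step beyond the page. Because the Kubernetes PodSecurityContext API does not define readOnlyRootFilesystem, the check reads the container-level securityContext only. The manifests are constructed sample data held as plain dicts so the script runs without a YAML library; the passing CronJob also shows the usual companion to a read-only root filesystem, an emptyDir volume mounted at the one path the application writes to.

```python
"""Evaluate a read-only-root-filesystem check over Kubernetes workload manifests.

Added illustration, not datree's own code. Manifests are plain dicts (the same
structure a YAML loader would produce), so no third-party library is needed.
"""

# Path from the top-level object to the pod spec, per targeted workload kind.
POD_SPEC_PATH = {
    "Pod": ("spec",),
    "Deployment": ("spec", "template", "spec"),
    "ReplicaSet": ("spec", "template", "spec"),
    "DaemonSet": ("spec", "template", "spec"),
    "StatefulSet": ("spec", "template", "spec"),
    "Job": ("spec", "template", "spec"),
    "CronJob": ("spec", "jobTemplate", "spec", "template", "spec"),
}


def pod_spec(manifest):
    """Return the pod spec dict for a targeted kind, or None for any other kind."""
    path = POD_SPEC_PATH.get(manifest.get("kind"))
    if path is None:
        return None
    node = manifest
    for key in path:
        node = node.get(key, {}) if isinstance(node, dict) else {}
    return node if isinstance(node, dict) else {}


def check_read_only_root(manifest):
    """Return names of containers whose readOnlyRootFilesystem is not true.

    A missing securityContext, a missing key, or an explicit false all count
    as a failure. Both initContainers and containers are inspected, since an
    init container writes to the same kind of root filesystem.
    """
    spec = pod_spec(manifest)
    if spec is None:
        return []
    failing = []
    for field in ("initContainers", "containers"):
        for container in spec.get(field) or []:
            ctx = container.get("securityContext") or {}
            if ctx.get("readOnlyRootFilesystem") is not True:
                failing.append(container.get("name", "<unnamed>"))
    return failing


# Constructed sample manifests (not taken from the page).
FAIL_DEPLOYMENT = {
    "kind": "Deployment",
    "spec": {"template": {"spec": {"containers": [
        {"name": "myDeployment"},  # key absent
        {"name": "sidecar", "securityContext": {"readOnlyRootFilesystem": False}},
    ]}}},
}

# Passing CronJob: the root filesystem is read-only, and the one path the
# application legitimately writes to is backed by an emptyDir volume so the
# workload still runs with the restriction in place.
PASS_CRONJOB = {
    "kind": "CronJob",
    "spec": {"jobTemplate": {"spec": {"template": {"spec": {
        "containers": [{
            "name": "report",
            "securityContext": {"readOnlyRootFilesystem": True},
            "volumeMounts": [{"name": "scratch", "mountPath": "/tmp"}],
        }],
        "volumes": [{"name": "scratch", "emptyDir": {}}],
    }}}}},
}

# A kind the rule does not target is skipped rather than reported.
SERVICE = {"kind": "Service", "spec": {"ports": [{"port": 80}]}}


def report(manifests):
    """Return a list of (kind, failing container names) for each manifest."""
    return [(m.get("kind"), check_read_only_root(m)) for m in manifests]


if __name__ == "__main__":
    for kind, failing in report([FAIL_DEPLOYMENT, PASS_CRONJOB, SERVICE]):
        status = "FAIL" if failing else "PASS"
        print(f"{status} {kind}: {failing}")
```

Run against a real manifest tree by loading each document with a YAML parser into a dict and passing it to check_read_only_root; containers that need scratch space keep passing only once the write paths are moved onto emptyDir or other volumes as in PASS_CRONJOB.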
