Metadata

Id: a9c2f49d-0671-4fc9-9ece-f4e261e128d0

Cloud Provider: Kubernetes

Platform: Kubernetes

Severity: Low

Category: Build Process

Description

The container's root filesystem should be mounted read-only. This rule checks both containers and initContainers and expects securityContext.readOnlyRootFilesystem to be set to true for each container. It reports IncorrectValue when the field is present and false, and MissingAttribute when the field is undefined.

Compliant Code Examples

apiVersion: v1
kind: Pod
metadata:
  name: goproxy
  labels:
    app: goproxy
spec:
  containers:
  - name: goproxy
    image: k8s.gcr.io/goproxy:0.1
    securityContext:
      readOnlyRootFilesystem: true

Non-Compliant Code Examples

apiVersion: v1
kind: Pod
metadata:
  name: rootfalse
  labels:
    app: goproxy
spec:
  containers:
  - name: contain1_1
    image: k8s.gcr.io/goproxy:0.1
    securityContext:
      readOnlyRootFilesystem: false
---
apiVersion: v1
kind: Pod
metadata:
  name: noroot
  labels:
    app: goproxy
spec:
  containers:
  - name: contain1_2
    image: k8s.gcr.io/goproxy:0.1
    securityContext:
      someotherthing: true
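The following is an added example, not Datadog's rule implementation: it re-creates the check described above in Python and runs it over the page's manifests (as the dicts yaml.safe_load_all would produce), plus one constructed Pod whose initContainer lacks the attribute.

```python
# Added example (not Datadog's rule code): every container and initContainer
# must set securityContext.readOnlyRootFilesystem: true. The pod() helper,
# IMAGE constant and INIT_MISSING manifest are constructed for this example.

def pod(name, containers, init_containers=None):
    """Build a minimal Pod dict shaped like the page's examples."""
    spec = {"containers": containers}
    if init_containers:
        spec["initContainers"] = init_containers
    return {"apiVersion": "v1", "kind": "Pod",
            "metadata": {"name": name, "labels": {"app": "goproxy"}}, "spec": spec}

IMAGE = "k8s.gcr.io/goproxy:0.1"
COMPLIANT = pod("goproxy", [{"name": "goproxy", "image": IMAGE,
                             "securityContext": {"readOnlyRootFilesystem": True}}])
ROOT_FALSE = pod("rootfalse", [{"name": "contain1_1", "image": IMAGE,
                                "securityContext": {"readOnlyRootFilesystem": False}}])
NO_ROOT = pod("noroot", [{"name": "contain1_2", "image": IMAGE,
                          "securityContext": {"someotherthing": True}}])
# Constructed case: the main container is compliant, the initContainer is not.
INIT_MISSING = pod("initmissing",
                   [{"name": "app", "image": IMAGE,
                     "securityContext": {"readOnlyRootFilesystem": True}}],
                   [{"name": "setup", "image": IMAGE}])

def check_pod(manifest):
    """Return one finding per container/initContainer whose
    securityContext.readOnlyRootFilesystem is not exactly true."""
    findings = []
    spec = manifest.get("spec", {})
    for field in ("initContainers", "containers"):
        for idx, container in enumerate(spec.get(field, [])):
            value = (container.get("securityContext") or {}).get("readOnlyRootFilesystem")
            if value is True:
                continue  # compliant
            # Field (or the whole securityContext) absent -> MissingAttribute;
            # field present with a value other than true -> IncorrectValue.
            issue = "MissingAttribute" if value is None else "IncorrectValue"
            findings.append({
                "pod": manifest["metadata"]["name"],
                "container": container.get("name"),
                "path": f"spec.{field}[{idx}].securityContext.readOnlyRootFilesystem",
                "issue": issue,
            })
    return findings

if __name__ == "__main__":
    for m in (COMPLIANT, ROOT_FALSE, NO_ROOT, INIT_MISSING):
        print(m["metadata"]["name"], check_pod(m) or "compliant")
```

Workloads that write under their root filesystem (for example to /tmp) need an emptyDir volume mounted at that path once the root is read-only.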