ArmoBest, NSA, AllControls, YAML-scanning
By default, containers are permitted mostly unrestricted execution within their own context. An attacker who has access to a container can create files and download scripts at will, and modify the underlying application running in the container.
CronJob, DaemonSet, Deployment, Job, Pod, ReplicaSet, StatefulSet
Check whether the readOnlyRootFilesystem field in the SecurityContext is set to true.
Set the filesystem of the container to read-only where possible (pod securityContext, readOnlyRootFilesystem: true). If the container's application needs to write to the filesystem, it is recommended to mount secondary filesystems for the specific directories where the application requires write access.
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo
spec:
  containers:
  - name: sec-ctx-demo
    image: busybox
    command: [ "sh", "-c", "sleep 1h" ]
    securityContext:
      readOnlyRootFilesystem: true # we check this is set to true
```
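The check described above, written out as an added example (this is not Kubescape's own code): it locates the PodSpec for each supported kind, flags every container or init container whose readOnlyRootFilesystem is missing or not true, and is run against two constructed manifests, one failing and one remediated with an emptyDir mounted on the single writable directory. The manifests are embedded as already-parsed dicts, i.e. what yaml.safe_load would return.

```python
# Added example (not Kubescape's own code): check readOnlyRootFilesystem on every
# container of a manifest, for the resource kinds the control supports.
# Manifests are embedded as already-parsed dicts (what yaml.safe_load would return).

WORKLOAD_KINDS = {"CronJob", "DaemonSet", "Deployment", "Job", "Pod", "ReplicaSet", "StatefulSet"}

def pod_spec(manifest):
    """Return the PodSpec for any supported kind: Pods embed it directly,
    workloads carry it in a template, CronJob nests one level deeper."""
    kind = manifest.get("kind")
    if kind not in WORKLOAD_KINDS:
        raise ValueError(f"unsupported kind: {kind}")
    if kind == "Pod":
        return manifest["spec"]
    if kind == "CronJob":
        return manifest["spec"]["jobTemplate"]["spec"]["template"]["spec"]
    return manifest["spec"]["template"]["spec"]

def writable_root_containers(manifest):
    """Names of containers (init containers included) whose root filesystem
    is writable, i.e. readOnlyRootFilesystem is absent or not true."""
    spec = pod_spec(manifest)
    failing = []
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        ctx = c.get("securityContext") or {}
        if ctx.get("readOnlyRootFilesystem") is not True:
            failing.append(c["name"])
    return failing

# Constructed sample 1: the control fails because the field is absent.
POD_WRITABLE = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "writable-demo"},
    "spec": {"containers": [{"name": "app", "image": "busybox"}]},
}

# Constructed sample 2: remediated Deployment. Root filesystem is read-only and an
# emptyDir volume is mounted on the one directory the application must write to.
DEPLOY_REMEDIATED = {
    "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "app"},
    "spec": {"template": {"spec": {
        "volumes": [{"name": "scratch", "emptyDir": {}}],
        "containers": [{
            "name": "app", "image": "busybox",
            "securityContext": {"readOnlyRootFilesystem": True},
            "volumeMounts": [{"name": "scratch", "mountPath": "/tmp"}],
        }],
    }}},
}

if __name__ == "__main__":
    for m in (POD_WRITABLE, DEPLOY_REMEDIATED):
        print(m["kind"], m["metadata"]["name"], "->", writable_root_containers(m) or "OK")
```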