C-0017 - Immutable container filesystem
Framework
WorkloadScan, security, ArmoBest, NSA, AllControls
Severity
Low
Description of the the issue
By default, containers are permitted mostly unrestricted execution within their own context. An attacker who has access to a container, can create files and download scripts as he wishes, and modify the underlying application running on the container.
Related resources
CronJob, DaemonSet, Deployment, Job, Pod, ReplicaSet, StatefulSet
What does this control test
Check whether the readOnlyRootFilesystem field in the SecurityContext is set to true.
Remediation
Set the filesystem of the container to read-only when possible (pod securityContext, readOnlyRootFilesystem: true). If containers application needs to write into the filesystem, it is recommended to mount secondary filesystems for specific directories where application require write access.
Example
apiVersion: v1
kind: Pod
metadata:
name: security-context-demo
spec:
containers:
- name: sec-ctx-demo
image: busybox
command: [ "sh", "-c", "sleep 1h" ]
securityContext:
readOnlyRootFilesystem : true #we check this is set to true
Updated 11 days ago