mirror of https://github.com/kyverno/kyverno.git synced 2025-03-06 16:06:56 +00:00
kyverno/samples/RequireReadOnlyRootFS.md
# Require read-only root filesystem
A read-only root filesystem helps to enforce an immutable infrastructure strategy; the container only needs to write to mounted volumes that can persist state even if the container exits. An immutable root filesystem can also prevent malicious binaries from writing to the host system.
## Policy YAML
[require_ro_rootfs.yaml](best_practices/require_ro_rootfs.yaml)
````yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-ro-rootfs
spec:
  validationFailureAction: audit
  rules:
  - name: validate-readOnlyRootFilesystem
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: "Root filesystem must be read-only"
      pattern:
        spec:
          containers:
          - securityContext:
              readOnlyRootFilesystem: true
````
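To show what the pattern above accepts and rejects, here is an added Python check (not Kyverno's pattern engine and not part of this sample) that applies the same rule to constructed Pod manifests: every entry under `spec.containers` must carry `securityContext.readOnlyRootFilesystem: true`, and a missing field fails just like an explicit `false`. It also models the `validationFailureAction` switch, since `audit` only reports while `enforce` would block admission.

```python
# Added example: a minimal re-implementation of the require-ro-rootfs rule
# for Pod manifests, so its accept/reject behaviour can be exercised offline.
# This is not Kyverno's pattern engine; it covers only this sample's rule.
from typing import Any, Dict, List

MESSAGE = "Root filesystem must be read-only"  # from the policy's validate.message


def violations(pod: Dict[str, Any]) -> List[str]:
    """Return one message per container that does not match the pattern.

    The pattern lists a single element under spec.containers, which Kyverno
    applies to every container in the Pod. A container with no securityContext
    at all, or with the flag set to false, does not match.
    """
    bad = []
    for c in pod.get("spec", {}).get("containers", []):
        sc = c.get("securityContext") or {}
        if sc.get("readOnlyRootFilesystem") is not True:
            bad.append(f"{c.get('name', '<unnamed>')}: {MESSAGE}")
    return bad


def admit(pod: Dict[str, Any], action: str = "audit") -> bool:
    """Mirror validationFailureAction: 'audit' records findings but never
    rejects; 'enforce' rejects a Pod that has any violation."""
    found = violations(pod)
    if action == "enforce":
        return not found
    return True  # audit mode admits and leaves the findings for the report


# Constructed sample Pods (not from the original page).
COMPLIANT_POD = {
    "spec": {"containers": [
        {"name": "app", "image": "nginx",
         "securityContext": {"readOnlyRootFilesystem": True}},
    ]}
}
MIXED_POD = {
    "spec": {"containers": [
        {"name": "app", "securityContext": {"readOnlyRootFilesystem": True}},
        {"name": "sidecar", "securityContext": {"runAsNonRoot": True}},  # flag absent
        {"name": "debug", "securityContext": {"readOnlyRootFilesystem": False}},
    ]}
}

if __name__ == "__main__":
    for label, pod in [("compliant", COMPLIANT_POD), ("mixed", MIXED_POD)]:
        print(label, violations(pod), "enforce admits:", admit(pod, "enforce"))
```

Note that the pattern names only `spec.containers`, so init containers are not checked by this rule as written.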