2019-11-13 13:56:20 -08:00
|
|
|
apiVersion: kyverno.io/v1
|
2019-10-08 22:05:15 -07:00
|
|
|
kind: ClusterPolicy
|
|
|
|
|
metadata:
|
2019-11-09 16:18:33 -08:00
|
|
|
name: require-ro-rootfs
|
2019-10-11 18:57:16 -07:00
|
|
|
annotations:
|
2019-11-11 18:21:16 -08:00
|
|
|
policies.kyverno.io/category: Security
|
2019-10-14 16:33:19 -07:00
|
|
|
policies.kyverno.io/description: A read-only root file system helps to enforce an immutable
|
|
|
|
|
infrastructure strategy; the container only needs to write on the mounted volume that p
|
|
|
|
|
ersists the state. An immutable root filesystem can also prevent malicious binaries from
|
|
|
|
|
writing to the host system.
|
2019-10-08 22:05:15 -07:00
|
|
|
spec:
|
2020-08-19 14:04:58 -07:00
|
|
|
validationFailureAction: audit
|
2019-10-08 22:05:15 -07:00
|
|
|
rules:
|
2019-11-09 16:18:33 -08:00
|
|
|
- name: validate-readOnlyRootFilesystem
|
2019-10-08 22:05:15 -07:00
|
|
|
match:
|
|
|
|
|
resources:
|
|
|
|
|
kinds:
|
|
|
|
|
- Pod
|
|
|
|
|
validate:
|
2019-11-09 16:18:33 -08:00
|
|
|
message: "Root filesystem must be read-only"
|
2019-10-08 22:05:15 -07:00
|
|
|
pattern:
|
|
|
|
|
spec:
|
|
|
|
|
containers:
|
|
|
|
|
- securityContext:
|
2019-10-08 22:09:58 -07:00
|
|
|
readOnlyRootFilesystem: true
|
