mirror of
https://github.com/kyverno/kyverno.git
synced 2025-03-07 00:17:13 +00:00
Require Read-only root filesystem
A read-only root filesystem helps enforce an immutable-infrastructure strategy: the container should only write to the mounted volumes that persist its state. An immutable root filesystem can also prevent malicious binaries from writing to the host system.
Policy YAML
require_readonly_rootfilesystem.yaml
```yaml
apiVersion: kyverno.io/v1alpha1
kind: ClusterPolicy
metadata:
  name: validate-readonly-rootfilesystem
spec:
  rules:
  - name: validate-readonly-rootfilesystem
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: "Container require read-only rootfilesystem"
      pattern:
        spec:
          containers:
          - securityContext:
              readOnlyRootFilesystem: true
```
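To make the matching semantics concrete, the following is an added Python illustration (not Kyverno's own engine) of how the pattern above is applied to a Pod: every key in the pattern map must be present in the resource, and the single-element `containers` list in the pattern is matched against every container, so a container with no `securityContext` fails just as one with `readOnlyRootFilesystem: false` does. The sample Pods and the `container()` helper are constructed for this example.

```python
# Added illustration of Kyverno's validate-pattern matching; not Kyverno's
# engine. Handles plain maps, lists and scalars only (no anchors, wildcards).

POLICY_PATTERN = {  # the pattern from require_readonly_rootfilesystem.yaml
    "spec": {"containers": [
        {"securityContext": {"readOnlyRootFilesystem": True}},
    ]}
}
POLICY_MESSAGE = "Container require read-only rootfilesystem"

def matches(pattern, resource):
    """Subset of Kyverno's pattern rules: every key of a pattern map must be
    present in the resource and match (so a missing securityContext fails);
    every element of a resource list must match at least one pattern element
    (so the one-element pattern applies to every container); scalars are
    compared for equality."""
    if isinstance(pattern, dict):
        return isinstance(resource, dict) and all(
            key in resource and matches(value, resource[key])
            for key, value in pattern.items())
    if isinstance(pattern, list):
        # Simplification: an empty resource list fails (a Pod always
        # declares at least one container anyway).
        return isinstance(resource, list) and bool(resource) and all(
            any(matches(p, item) for p in pattern) for item in resource)
    return pattern == resource

def validate_pod(pod):
    """Return (allowed, message) as the admission decision would report it."""
    if matches(POLICY_PATTERN, pod):
        return True, ""
    return False, POLICY_MESSAGE

def container(name, **security_context):
    """Build a constructed sample container spec (image is a placeholder)."""
    spec = {"name": name, "image": "example.invalid/app:1.0"}
    if security_context:
        spec["securityContext"] = security_context
    return spec

# Constructed sample Pods, not taken from the page.
COMPLIANT_POD = {"spec": {"containers": [
    container("app", readOnlyRootFilesystem=True),
    container("sidecar", readOnlyRootFilesystem=True, runAsNonRoot=True)]}}
WRITABLE_POD = {"spec": {"containers": [
    container("app", readOnlyRootFilesystem=False)]}}
MISSING_CONTEXT_POD = {"spec": {"containers": [  # second container unset
    container("app", readOnlyRootFilesystem=True), container("sidecar")]}}
```

Note that the pattern only lists `spec.containers`, so `initContainers` are not checked by this policy as written.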