Root Container Not Mounted Read-only

• Query id: a9c2f49d-0671-4fc9-9ece-f4e261e128d0
• Query name: Root Container Not Mounted Read-only
• Platform: Kubernetes
• Severity: Low
• Category: Build Process
• CWE: 668
• URL: Github

Description

Check if the root container filesystem is not being mounted as read-only.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file

apiVersion: v1
kind: Pod
metadata:
  name: rootfalse
  labels:
    app: goproxy
spec:
  containers:
  - name: contain1_1
    image: k8s.gcr.io/goproxy:0.1
    securityContext:
      readOnlyRootFilesystem: false
---
apiVersion: v1
kind: Pod
metadata:
  name: noroot
  labels:
    app: goproxy
spec:
  containers:
  - name: contain1_2
    image: k8s.gcr.io/goproxy:0.1
    securityContext:
      someotherthing: true

Code samples without security vulnerabilities

Negative test num. 1 - yaml file

apiVersion: v1
kind: Pod
metadata:
  name: goproxy
  labels:
    app: goproxy
spec:
  containers:
  - name: goproxy
    image: k8s.gcr.io/goproxy:0.1
    securityContext:
      readOnlyRootFilesystem: true