Finds containers which do not have a read-only filesystem.
kubeaudit rootfs [flags]
See Global Flags
$ kubeaudit rootfs -f "auditors/rootfs/fixtures/read-only-root-filesystem-nil.yml"
---------------- Results for ---------------
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: statefulset
namespace: read-only-root-filesystem-nil
--------------------------------------------
-- [error] ReadOnlyRootFilesystemNil
Message: readOnlyRootFilesystem is not set in container SecurityContext. It should be set to 'true'.
Metadata:
Container: container
If a container does not need to write files, it should be run with a read-only filesystem.
To run a container with a read-only filesystem, readOnlyRootFilesystem
should be set to true
in the container SecurityContext. The field defaults to false
so it must be explicitly set to true
to pass the rootfs
audit:
apiVersion: apps/v1
kind: Deployment
spec:
template:
spec:
containers:
- name: myContainer
securityContext:
readOnlyRootFilesystem: true
If a container needs to write files, an override label needs to be used so kubeaudit knows it is intentional. See Override Errors.
For more information on pod and container security contexts see https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
First, see the Introduction to Override Errors.
Override identifier: allow-read-only-root-filesystem-false
Container overrides have the form:
container.kubeaudit.io/[container name].allow-read-only-root-filesystem-false: ""
Pod overrides have the form:
kubeaudit.io/allow-read-only-root-filesystem-false: ""
Example of resource with rootfs
overridden for a specific container:
apiVersion: apps/v1
kind: Deployment
spec:
template:
metadata:
labels:
container.kubeaudit.io/myContainer.allow-read-only-root-filesystem-false: ""
spec:
containers:
- name: myContainer
securityContext:
readOnlyRootFilesystem: false
Example of resource with rootfs
overridden for a whole pod:
apiVersion: apps/v1
kind: Deployment
spec:
template:
metadata:
labels:
kubeaudit.io/allow-read-only-root-filesystem-false: ""
spec:
containers:
- name: myContainer
securityContext:
readOnlyRootFilesystem: false