read-only root filesystem

Definition

A read-only root filesystem is a security measure that restricts write access to the root filesystem of an operating system or container. This configuration helps prevent unauthorized modifications, such as the installation of malware or unauthorized changes to system files, thereby enhancing the overall security posture by ensuring that only explicitly allowed processes can write to specific directories.

Secure Settings Example

# Kubernetes Pod Security Context Example
apiVersion: v1
kind: Pod
metadata:
  name: secure-pod
spec:
  containers:
  - name: secure-container
    image: example-image
    securityContext:
      readOnlyRootFilesystem: true

Insecure Settings Example

# Kubernetes Pod Security Context Example
apiVersion: v1
kind: Pod
metadata:
  name: insecure-pod
spec:
  containers:
  - name: insecure-container
    image: example-image
    securityContext:
      readOnlyRootFilesystem: false