read-only rootfs
Definition
A read-only root filesystem (rootfs) is a security measure that restricts write access to the root filesystem of a container or virtual machine, thereby preventing unauthorized modifications to critical system files. This approach enhances security by reducing the attack surface and mitigating the risk of persistent malware infections or accidental changes that could compromise system integrity. It is commonly used in environments where immutability and consistency are critical, such as in containerized applications and embedded systems.
Secure Settings Example
# Kubernetes container securityContext example
# (readOnlyRootFilesystem is a container-level field, not a PodSecurityContext field)
apiVersion: v1
kind: Pod
metadata:
  name: secure-pod
spec:
  containers:
  - name: secure-container
    image: my-secure-image:latest
    securityContext:
      readOnlyRootFilesystem: true
Insecure Settings Example
# Kubernetes container securityContext example with read-only rootfs disabled
# (false is also the Kubernetes default when the field is omitted)
apiVersion: v1
kind: Pod
metadata:
  name: insecure-pod
spec:
  containers:
  - name: insecure-container
    image: my-insecure-image:latest
    securityContext:
      readOnlyRootFilesystem: false
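The two manifests above differ in a single field, and in practice the setting is most often missing rather than explicitly false, which Kubernetes treats the same way. The following script is an added example, not code from the original page: it audits Pod manifests for containers (including initContainers) whose root filesystem is writable, and shows the usual remediation of setting the field to true while giving the application an emptyDir scratch volume for paths it genuinely needs to write to. The manifests are embedded as Python dicts so the script runs offline without PyYAML or a cluster; the pod names, image names and the `/tmp` scratch path are constructed sample values.

```python
"""Audit Pod manifests for readOnlyRootFilesystem and apply the standard fix.

Added example, not part of the original page. Manifests are constructed
sample data embedded as dicts so that no PyYAML or cluster access is needed.
"""
import copy
from typing import Dict, List, Tuple

# Constructed samples mirroring the page's secure and insecure pods, plus a
# pod that omits the field entirely (Kubernetes then defaults to writable).
SECURE_POD: Dict = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "secure-pod"},
    "spec": {"containers": [{
        "name": "secure-container", "image": "my-secure-image:latest",
        "securityContext": {"readOnlyRootFilesystem": True},
    }]},
}

INSECURE_POD: Dict = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "insecure-pod"},
    "spec": {"containers": [{
        "name": "insecure-container", "image": "my-insecure-image:latest",
        "securityContext": {"readOnlyRootFilesystem": False},
    }]},
}

UNSET_POD: Dict = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "unset-pod"},
    "spec": {
        "initContainers": [{"name": "init", "image": "busybox:latest"}],
        "containers": [{"name": "app", "image": "my-app:latest"}],
    },
}

CONTAINER_KINDS = ("initContainers", "containers")


def container_findings(pod: Dict) -> List[str]:
    """Return one finding per container whose root filesystem is writable.

    An absent field is reported as 'unset' because the Kubernetes default is a
    writable root filesystem, so only an explicit True passes.
    """
    findings = []
    pod_name = pod.get("metadata", {}).get("name", "<unnamed>")
    spec = pod.get("spec") or {}
    for kind in CONTAINER_KINDS:
        for c in spec.get(kind) or []:
            value = (c.get("securityContext") or {}).get("readOnlyRootFilesystem")
            if value is not True:
                state = "unset" if value is None else str(value).lower()
                findings.append(
                    f"{pod_name}/{kind}/{c['name']}: readOnlyRootFilesystem is {state}"
                )
    return findings


def harden(pod: Dict, writable_paths: Tuple[str, ...] = ("/tmp",)) -> Dict:
    """Return a copy of the pod with readOnlyRootFilesystem: true on every
    container and an emptyDir volume mounted at each path the app must write.

    The input pod is left untouched (deep copy), so an audit tool can show a
    before/after diff.
    """
    hardened = copy.deepcopy(pod)
    spec = hardened.setdefault("spec", {})
    volumes = spec.setdefault("volumes", [])
    scratch_names = []
    for i, _ in enumerate(writable_paths):
        name = f"scratch-{i}"  # valid DNS-label volume name
        scratch_names.append(name)
        volumes.append({"name": name, "emptyDir": {}})
    for kind in CONTAINER_KINDS:
        for c in spec.get(kind) or []:
            # Guard against `securityContext:` present but null in the YAML.
            sc = c.get("securityContext") or {}
            sc["readOnlyRootFilesystem"] = True
            c["securityContext"] = sc
            mounts = c.setdefault("volumeMounts", [])
            for name, path in zip(scratch_names, writable_paths):
                mounts.append({"name": name, "mountPath": path})
    return hardened


if __name__ == "__main__":
    for pod in (SECURE_POD, INSECURE_POD, UNSET_POD):
        for line in container_findings(pod):
            print("FINDING:", line)
    print("after harden():", container_findings(harden(UNSET_POD)))
```

Run as a script it prints one finding for the insecure pod and two for the pod that omits the field (one per container), then an empty list once the hardened copy is re-audited. Auditing for "anything other than an explicit true" is the important design choice: a check that only flags `false` would miss the far more common case of the field never having been set.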