Skip to content

A Kubewarden policy that enforces root filesystem to be readonly

License

Notifications You must be signed in to change notification settings

kubewarden/readonly-root-filesystem-psp-policy

Repository files navigation

Kubewarden Policy Repository Stable

This Kubewarden Policy is a replacement for the Kubernetes Pod Security Policy that enforces the usage of ReadOnlyRootFilesystems.

How the policy works

The policy inspects the securityContext of each container defined inside of a Pod and ensures all the containers have the readOnlyRootFilesystem attribute set to true.

The policy checks the both the pod.spec.containers and the init containers too.

Containers that do not have a securityContext defined are rejected too. That happens because, by default, the root filesystem of a container is considered to be writable.

Ephemeral containers are not checked because, by Kubernetes definition, they cannot have a securityContext.

Configuration

The policy doesn't have any configuration.