
Require Read-Only Root Filesystem in CEL expressions

A read-only root filesystem helps enforce an immutable-infrastructure strategy: the container writes only to the mounted volumes that persist its state. It also stops a compromised process from dropping or modifying binaries inside the container's own filesystem (it does not protect the host filesystem or any volume mounted read-write, and any scratch path the workload needs, such as /tmp, must be supplied explicitly, for example as an emptyDir volume). This policy validates that every entry in a Pod's spec.containers defines a securityContext with `readOnlyRootFilesystem: true`; a container with no securityContext at all, or with the field omitted, fails the check rather than being skipped. Note that the expression does not inspect initContainers or ephemeralContainers, and that with validationFailureAction set to Audit violations are only reported; set it to Enforce to reject non-compliant Pods at admission.

Policy Definition

/best-practices-cel/require-ro-rootfs/require-ro-rootfs.yaml

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-ro-rootfs
  annotations:
    policies.kyverno.io/title: Require Read-Only Root Filesystem in CEL expressions
    policies.kyverno.io/category: Best Practices, EKS Best Practices, PSP Migration in CEL
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    kyverno.io/kubernetes-version: "1.26-1.27"
    policies.kyverno.io/minversion: 1.11.0
    policies.kyverno.io/description: >-
      A read-only root file system helps to enforce an immutable infrastructure strategy;
      the container only needs to write on the mounted volume that persists the state.
      An immutable root filesystem can also prevent malicious binaries from writing to the
      host system. This policy validates that containers define a securityContext
      with `readOnlyRootFilesystem: true`.
spec:
  validationFailureAction: Audit
  background: true
  rules:
  - name: validate-readOnlyRootFilesystem
    match:
      any:
      - resources:
          kinds:
          - Pod
          operations:
          - CREATE
          - UPDATE
    validate:
      cel:
        expressions:
          - expression: >-
              object.spec.containers.all(container,
              container.?securityContext.?readOnlyRootFilesystem.orValue(false) == true)
            message: "Root filesystem must be read-only."
```
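The following is an added example, not part of the policy page or of Kyverno itself: a plain-Python re-implementation of the rule's CEL expression, run over constructed Pod manifests so you can see exactly which Pods pass and fail. It reproduces the optional-chaining semantics (`?.` plus `orValue(false)`, under which a missing securityContext counts as a violation rather than an evaluation error) and goes one step beyond the page's policy with a `violations()` helper that also inspects initContainers and ephemeralContainers, which the published expression does not cover. All Pod, container and image names below are made up for illustration.

```python
# Added example: Python mirror of the require-ro-rootfs CEL expression, plus a
# stricter variant covering init and ephemeral containers. Not Kyverno code.
# Pod manifests are constructed for illustration; names and images are invented.

from typing import Dict, List


def container_rootfs_read_only(container: Dict) -> bool:
    """Mirror of `container.?securityContext.?readOnlyRootFilesystem.orValue(false) == true`.

    Optional chaining plus orValue(false) means a container with no securityContext,
    or one whose securityContext omits the field, evaluates to false (a violation)
    instead of raising an error during CEL evaluation.
    """
    security_context = container.get("securityContext")
    if not isinstance(security_context, dict):
        return False
    return security_context.get("readOnlyRootFilesystem", False) is True


def policy_passes(pod: Dict) -> bool:
    """Exactly what the page's rule evaluates: every entry of spec.containers."""
    return all(container_rootfs_read_only(c) for c in pod["spec"]["containers"])


def all_containers(pod: Dict) -> List[Dict]:
    """Every container the kubelet can run: app, init and ephemeral containers."""
    spec = pod["spec"]
    return (spec.get("containers", [])
            + spec.get("initContainers", [])
            + spec.get("ephemeralContainers", []))


def violations(pod: Dict) -> List[str]:
    """Names of all containers (of any kind) lacking readOnlyRootFilesystem: true.

    Stricter than the page's policy (assumption: a hardened variant would iterate
    initContainers and ephemeralContainers as well as spec.containers).
    """
    return [c["name"] for c in all_containers(pod) if not container_rootfs_read_only(c)]


def _pod(name: str, **spec) -> Dict:
    """Build a minimal Pod manifest as a dict (constructed sample data)."""
    return {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": name}, "spec": spec}


# Compliant: read-only rootfs, with the scratch path supplied as an emptyDir volume.
POD_COMPLIANT = _pod("web-ok", containers=[
    {"name": "web", "image": "nginx:1.25",
     "securityContext": {"readOnlyRootFilesystem": True},
     "volumeMounts": [{"name": "tmp", "mountPath": "/tmp"}]},
], volumes=[{"name": "tmp", "emptyDir": {}}])

# No securityContext at all: orValue(false) turns the missing field into a failure.
POD_NO_SECURITY_CONTEXT = _pod("web-no-sc", containers=[
    {"name": "web", "image": "nginx:1.25"},
])

# Field present but explicitly false.
POD_EXPLICIT_FALSE = _pod("web-rw", containers=[
    {"name": "web", "image": "nginx:1.25",
     "securityContext": {"readOnlyRootFilesystem": False}},
])

# App container compliant, init container not: the page's expression passes this
# Pod because it only iterates spec.containers.
POD_INIT_GAP = _pod(
    "web-init-gap",
    containers=[{"name": "web", "image": "nginx:1.25",
                 "securityContext": {"readOnlyRootFilesystem": True}}],
    initContainers=[{"name": "setup", "image": "busybox:1.36",
                     "command": ["sh", "-c", "cp /config/* /work/"]}],
)


if __name__ == "__main__":
    for pod in (POD_COMPLIANT, POD_NO_SECURITY_CONTEXT, POD_EXPLICIT_FALSE, POD_INIT_GAP):
        name = pod["metadata"]["name"]
        verdict = "pass" if policy_passes(pod) else "FAIL"
        print(f"{name:14} page-policy={verdict:4} all-container violations={violations(pod)}")
```

The `web-init-gap` case is the one to keep in mind: it is accepted by the policy as written even though its init container runs with a writable rootfs. To evaluate the real policy offline against a manifest rather than this mirror, use the Kyverno CLI, e.g. `kyverno apply require-ro-rootfs.yaml --resource pod.yaml`.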