Require Read-Only Root Filesystem
A read-only root filesystem helps to enforce an immutable infrastructure strategy: the container should write only to the mounted volume that persists its state. An immutable root filesystem can also prevent malicious binaries from being written into the container's own filesystem and run from there. This policy validates that every container in a Pod defines a securityContext with `readOnlyRootFilesystem: true`.
Policy Definition
/best-practices/require-ro-rootfs/require-ro-rootfs.yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-ro-rootfs
  annotations:
    policies.kyverno.io/title: Require Read-Only Root Filesystem
    policies.kyverno.io/category: Best Practices, EKS Best Practices, PSP Migration
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/minversion: 1.6.0
    policies.kyverno.io/description: >-
      A read-only root file system helps to enforce an immutable infrastructure strategy;
      the container only needs to write on the mounted volume that persists the state.
      An immutable root filesystem can also prevent malicious binaries from writing to the
      host system. This policy validates that containers define a securityContext
      with `readOnlyRootFilesystem: true`.
spec:
  validationFailureAction: Audit
  background: true
  rules:
  - name: validate-readOnlyRootFilesystem
    match:
      any:
      - resources:
          kinds:
          - Pod
    validate:
      message: "Root filesystem must be read-only."
      pattern:
        spec:
          containers:
          - securityContext:
              readOnlyRootFilesystem: true
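The pattern above applies to every element of `spec.containers`: a container with no `securityContext`, with the key missing, or with it explicitly set to `false` all fail, and because `validationFailureAction` is `Audit` the failure is reported as a policy violation rather than blocking admission. The following Python is an added example, not Kyverno's code, that re-implements the same check against constructed Pod manifests so the cases can be tried offline; the `include_init` switch is an assumption of this example and goes beyond the page's policy, which checks only `containers` and not `initContainers` or `ephemeralContainers`.

```python
"""Offline re-implementation (added example, not part of Kyverno) of the
require-ro-rootfs pattern: every entry in spec.containers must carry
securityContext.readOnlyRootFilesystem: true."""

from typing import Any, Dict, List

# Violation message copied from the policy's validate.message.
MESSAGE = "Root filesystem must be read-only."

# Constructed sample Pod manifests (hypothetical workloads, not from the page).
SAMPLE_PODS: Dict[str, Dict[str, Any]] = {
    "compliant": {
        "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web-ok"},
        "spec": {
            "containers": [{
                "name": "web", "image": "nginx:1.25",
                "securityContext": {"readOnlyRootFilesystem": True},
                # State that must be writable goes to a mounted volume instead.
                "volumeMounts": [{"name": "cache", "mountPath": "/var/cache/nginx"}],
            }],
            "volumes": [{"name": "cache", "emptyDir": {}}],
        },
    },
    "no-securitycontext": {
        "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web-bare"},
        "spec": {"containers": [{"name": "web", "image": "nginx:1.25"}]},
    },
    "explicit-false": {
        "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web-rw"},
        "spec": {"containers": [{
            "name": "web", "image": "nginx:1.25",
            "securityContext": {"readOnlyRootFilesystem": False},
        }]},
    },
    "sidecar-missing": {
        "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "app-with-sidecar"},
        "spec": {"containers": [
            {"name": "app", "image": "app:1.0",
             "securityContext": {"readOnlyRootFilesystem": True}},
            # A securityContext that sets other fields but not this one still fails.
            {"name": "log-shipper", "image": "fluent-bit:2.2",
             "securityContext": {"runAsNonRoot": True}},
        ]},
    },
    "init-container-writable": {
        "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "app-with-init"},
        "spec": {
            "initContainers": [{"name": "setup", "image": "busybox:1.36"}],
            "containers": [{"name": "app", "image": "app:1.0",
                            "securityContext": {"readOnlyRootFilesystem": True}}],
        },
    },
}


def _violations(containers: List[Dict[str, Any]], field: str) -> List[str]:
    """Apply the pattern to one container list; one message per failing container."""
    out: List[str] = []
    for c in containers:
        sc = c.get("securityContext") or {}
        # Only a literal true satisfies the pattern; absent or false both fail.
        if sc.get("readOnlyRootFilesystem") is not True:
            out.append(f"{field}[{c.get('name', '?')}]: {MESSAGE}")
    return out


def check_pod(pod: Dict[str, Any], include_init: bool = False) -> List[str]:
    """Return violation messages for a Pod; an empty list means it passes.

    include_init=True is this example's own extension: it also checks
    initContainers and ephemeralContainers, which the page's policy does not.
    """
    spec = pod.get("spec", {})
    fields = ["containers"]
    if include_init:
        fields += ["initContainers", "ephemeralContainers"]
    results: List[str] = []
    for field in fields:
        results += _violations(spec.get(field, []), field)
    return results


def audit(pods: Dict[str, Dict[str, Any]], include_init: bool = False) -> Dict[str, List[str]]:
    """Audit-mode view: report every Pod's violations instead of rejecting any."""
    return {name: check_pod(pod, include_init) for name, pod in pods.items()}


if __name__ == "__main__":
    for name, violations in audit(SAMPLE_PODS, include_init=True).items():
        print(name, "->", violations or "pass")
```

Running the script prints one line per sample Pod; the `init-container-writable` case passes under the page's policy as written and fails only with the example's `include_init=True`, which is the gap a practitioner would close by adding `initContainers` and `ephemeralContainers` to the pattern.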