Require Read-Only Root FS
A read-only root file system helps to enforce an immutable infrastructure strategy; the container only needs to write to the mounted volume that persists its state. An immutable root filesystem can also prevent malicious binaries from writing to the host system.
Policy Definition
/best-practices/require_ro_rootfs.yaml
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-ro-rootfs
  annotations:
    policies.kyverno.io/title: Require Read-Only Root FS
    policies.kyverno.io/category: Best Practices
    policies.kyverno.io/description: >-
      A read-only root file system helps to enforce an immutable infrastructure strategy;
      the container only needs to write on the mounted volume that persists the state.
      An immutable root filesystem can also prevent malicious binaries from writing to the
      host system.
spec:
  validationFailureAction: audit
  rules:
  - name: validate-readOnlyRootFilesystem
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: "Root filesystem must be read-only."
      pattern:
        spec:
          containers:
          - securityContext:
              readOnlyRootFilesystem: true
```
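The following is an added example, not part of the Kyverno policy page or the project's code: a small offline checker that applies the same test the validate pattern above applies (every entry in spec.containers must set securityContext.readOnlyRootFilesystem: true) to pod manifests, so a manifest can be reviewed before it reaches the admission controller. It also flags initContainers, which this pattern does not walk, and the sample manifests and container names are constructed for the example.

```python
from typing import Dict, List

POLICY_MESSAGE = "Root filesystem must be read-only."


def rootfs_violations(pod: Dict) -> List[str]:
    """Names of containers in spec.containers that the pattern would reject.

    A single-element list pattern is applied to every element, so each
    container must carry securityContext.readOnlyRootFilesystem: true;
    a missing securityContext, a missing key, or an explicit false all fail.
    """
    names = []
    for c in pod.get("spec", {}).get("containers", []):
        sc = c.get("securityContext") or {}
        if sc.get("readOnlyRootFilesystem") is not True:
            names.append(c.get("name", "<unnamed>"))
    return names


def unchecked_init_containers(pod: Dict) -> List[str]:
    """initContainers lacking the setting: the pattern above only walks
    spec.containers, so these pass the policy unexamined."""
    return [c.get("name", "<unnamed>")
            for c in pod.get("spec", {}).get("initContainers", [])
            if (c.get("securityContext") or {}).get("readOnlyRootFilesystem") is not True]


def audit(pod: Dict) -> str:
    """Report the result as an audit-mode rule would: the pod is admitted
    and the failure is recorded rather than blocked."""
    bad = rootfs_violations(pod)
    if not bad:
        return "pass"
    return f"fail: {POLICY_MESSAGE} (containers: {', '.join(bad)})"


# Constructed sample manifests (hypothetical names and images).
NON_COMPLIANT = {"spec": {"containers": [
    {"name": "app", "image": "example/app:1.0"}]}}

# Compliant: root FS read-only, writes go to an emptyDir mounted at /tmp.
COMPLIANT = {"spec": {
    "initContainers": [{"name": "setup", "image": "example/setup:1.0"}],
    "containers": [{"name": "app", "image": "example/app:1.0",
                    "securityContext": {"readOnlyRootFilesystem": True},
                    "volumeMounts": [{"name": "scratch", "mountPath": "/tmp"}]}],
    "volumes": [{"name": "scratch", "emptyDir": {}}]}}
```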
Last modified January 2, 2021: fix title & sort and regen policies (fa7e171)