Immutable container filesystem


NSA, ArmoBest

Description of the issue

By default, containers are permitted mostly unrestricted execution within their own context. An attacker who gains access to a container can create files, download scripts at will, and modify the application running inside the container.

Related resources

CronJob, DaemonSet, Deployment, Job, Pod, ReplicaSet, StatefulSet

What does this control test?

Check whether the readOnlyRootFilesystem field in the container's SecurityContext is set to true.

Remediation

Set the container's filesystem to read-only whenever possible (securityContext of the Pod's containers, readOnlyRootFilesystem: true). If the container's application needs to write to the filesystem, mount separate writable volumes on the specific directories where the application requires write access.


apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo
spec:
  containers:
  - name: sec-ctx-demo
    image: busybox
    command: [ "sh", "-c", "sleep 1h" ]
    securityContext:
      readOnlyRootFilesystem: true  # the control checks that this is set to true
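The check above, and the remediation it points to, can be reproduced offline with a small script. The following is an added example and is not Kubescape's own implementation: it walks a manifest (as the dict that kubectl's JSON output or a YAML loader would produce) for every workload kind listed under "Related resources", locates the pod spec (including the extra jobTemplate level in a CronJob), flags every container and initContainer whose readOnlyRootFilesystem is not explicitly true, and shows one way to remediate by setting the field and mounting an emptyDir volume on each directory the application still needs to write to. The sample manifests, the `make_root_readonly` helper, the `*-scratch-N` volume names and the `app:1.0` image are all constructed for the example.

```python
"""Find containers whose root filesystem is writable, and harden them (added example)."""
import copy
from typing import Any, Dict, List, Optional

# Where the pod spec lives for each workload kind this control covers.
POD_SPEC_PATH = {
    "Pod": ["spec"],
    "Deployment": ["spec", "template", "spec"],
    "DaemonSet": ["spec", "template", "spec"],
    "ReplicaSet": ["spec", "template", "spec"],
    "StatefulSet": ["spec", "template", "spec"],
    "Job": ["spec", "template", "spec"],
    "CronJob": ["spec", "jobTemplate", "spec", "template", "spec"],
}


def pod_spec(manifest: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    """Return the PodSpec dict inside a workload manifest, or None for unsupported kinds."""
    path = POD_SPEC_PATH.get(manifest.get("kind"))
    if path is None:
        return None
    node: Any = manifest
    for key in path:
        node = node.get(key, {}) if isinstance(node, dict) else {}
    return node if isinstance(node, dict) else None


def find_writable_root_containers(manifest: Dict[str, Any]) -> List[str]:
    """Names ('field/name') of containers and initContainers whose root FS is not read-only."""
    spec = pod_spec(manifest)
    if spec is None:
        return []
    failing = []
    for field in ("initContainers", "containers"):
        for c in spec.get(field) or []:
            sc = c.get("securityContext") or {}
            # Only an explicit true passes; a missing field or false leaves the root FS writable.
            if sc.get("readOnlyRootFilesystem") is not True:
                failing.append(f"{field}/{c.get('name', '<unnamed>')}")
    return failing


def make_root_readonly(manifest: Dict[str, Any],
                       writable_dirs: Dict[str, List[str]]) -> Dict[str, Any]:
    """Hypothetical remediation helper: copy the manifest, set readOnlyRootFilesystem=true on
    every container, and mount an emptyDir at each directory listed for that container name."""
    out = copy.deepcopy(manifest)
    spec = pod_spec(out)
    if spec is None:
        raise ValueError(f"unsupported kind: {manifest.get('kind')!r}")
    volumes = spec.setdefault("volumes", [])
    for field in ("initContainers", "containers"):
        for c in spec.get(field) or []:
            sc = c.get("securityContext") or {}
            sc["readOnlyRootFilesystem"] = True
            c["securityContext"] = sc
            for i, path in enumerate(writable_dirs.get(c["name"], [])):
                vol_name = f"{c['name']}-scratch-{i}"  # constructed naming scheme
                volumes.append({"name": vol_name, "emptyDir": {}})
                c.setdefault("volumeMounts", []).append({"name": vol_name, "mountPath": path})
    return out


# Constructed sample: the page's demo Pod without the field, which fails the control.
POD_WRITABLE = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "security-context-demo"},
    "spec": {"containers": [{
        "name": "sec-ctx-demo", "image": "busybox",
        "command": ["sh", "-c", "sleep 1h"],
    }]},
}

# Constructed sample: a Deployment whose app writes to /tmp and /var/cache/app at runtime.
DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "web"},
    "spec": {"template": {"spec": {
        "initContainers": [{"name": "migrate", "image": "app:1.0"}],
        "containers": [{"name": "web", "image": "app:1.0",
                        "securityContext": {"readOnlyRootFilesystem": False}}],
    }}},
}

HARDENED = make_root_readonly(DEPLOYMENT, {"web": ["/tmp", "/var/cache/app"]})

if __name__ == "__main__":
    for label, m in (("pod", POD_WRITABLE), ("deployment", DEPLOYMENT), ("hardened", HARDENED)):
        print(f"{label}: {find_writable_root_containers(m) or 'OK'}")
```

The check treats a missing field the same as an explicit false, matching the control's "set to true" wording, and it inspects initContainers as well as containers because both run with the same root filesystem rules. The remediation helper is only a starting point: which directories a given application really needs to write to has to come from observing the application, not from the manifest.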

