Kubernetes pod security policies give fine-grained control over how pods are created and updated. (PodSecurityPolicy itself was deprecated in Kubernetes 1.21 and removed in 1.25, but the securityContext fields it governed are unchanged.) The securityContext field declares the privilege and access-control settings a pod, or an individual container, runs with.
readOnlyRootFilesystem is one such setting. When it is true, the container's root filesystem is mounted read-only, so the process can write only into volumes that are explicitly mounted in. It's a setting most teams want enabled in case of a compromise: an attacker who gets code execution inside the container cannot tamper with the application's files or drop foreign executables onto the root filesystem. The usual companion change is an emptyDir volume for paths the application legitimately writes to, such as /tmp or a cache directory; without it, an otherwise working application can start failing once its root filesystem becomes read-only.
Kubernetes security best practices provide guidance on configuring readOnlyRootFilesystem for a container (the field lives in the container-level securityContext; the pod-level securityContext has no such field). So while the setting is essential for Kubernetes security, what happens if your users have deployed pods whose containers do not set readOnlyRootFilesystem to true? Best case, your team notices and applies the policy; worst case, a compromised container becomes a foothold an attacker can modify and persist in. Either way, the first step is to identify the containers that are not running with a read-only root filesystem.
Automated Checks for notReadOnlyRootFilesystem
Manually checking each pod's securityContext is time-consuming and prone to human error. Automating the check with policy enforcement tooling reduces that risk and keeps the result current as workloads change.
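Here is what such a check looks like in practice, as an added example written for this article; it is not code from the original post or from any Fairwinds product. It walks a pod list in the shape `kubectl get pods -A -o json` returns and reports every container whose root filesystem is writable, distinguishing a missing securityContext, a securityContext without the field, and an explicit false. It also shows the remediation, setting readOnlyRootFilesystem: true on each container and mounting an emptyDir at the paths the application still needs to write to. The pod list below is constructed sample data (the namespaces, pod names and the `/tmp` scratch path are assumptions for the example), so the script runs offline.

```python
import copy
import json

# Constructed sample shaped like `kubectl get pods -A -o json` output, trimmed to the
# fields the check needs. These pods and namespaces are made up for the example.
SAMPLE_POD_LIST = json.loads("""
{
  "items": [
    {
      "metadata": {"namespace": "payments", "name": "api-7d9f"},
      "spec": {
        "containers": [
          {"name": "api", "securityContext": {"readOnlyRootFilesystem": true}},
          {"name": "log-shipper", "securityContext": {"runAsNonRoot": true}}
        ]
      }
    },
    {
      "metadata": {"namespace": "web", "name": "frontend-1"},
      "spec": {
        "initContainers": [{"name": "init-db"}],
        "containers": [
          {"name": "nginx", "securityContext": {"readOnlyRootFilesystem": false}}
        ]
      }
    },
    {
      "metadata": {"namespace": "kube-system", "name": "coredns-5c8"},
      "spec": {
        "containers": [
          {"name": "coredns", "securityContext": {"readOnlyRootFilesystem": true}}
        ]
      }
    }
  ]
}
""")

# readOnlyRootFilesystem exists only in the container-level securityContext; the
# pod-level securityContext has no such field, so every container kind is checked.
CONTAINER_KINDS = ("initContainers", "containers", "ephemeralContainers")


def writable_root_containers(pod_list):
    """Return (namespace, pod, container, reason) for every container whose root
    filesystem is writable, i.e. readOnlyRootFilesystem is anything but true."""
    findings = []
    for pod in pod_list.get("items", []):
        meta = pod.get("metadata", {})
        spec = pod.get("spec", {})
        for kind in CONTAINER_KINDS:
            for c in spec.get(kind, []):
                sc = c.get("securityContext")
                if sc is None:
                    reason = "securityContext missing"
                elif "readOnlyRootFilesystem" not in sc:
                    reason = "readOnlyRootFilesystem not set"
                elif sc["readOnlyRootFilesystem"] is not True:
                    reason = "readOnlyRootFilesystem: false"
                else:
                    continue
                findings.append((meta.get("namespace", "default"), meta.get("name"), c["name"], reason))
    return findings


def harden_pod(pod, writable_paths=("/tmp",)):
    """Return a copy of `pod` with readOnlyRootFilesystem: true on every container.

    Applications that still need scratch space (caches, /tmp) get a per-container
    emptyDir volume at each path in `writable_paths`; without that companion
    change a working app can start failing once its root filesystem is read-only.
    """
    pod = copy.deepcopy(pod)
    spec = pod.setdefault("spec", {})
    volumes = spec.setdefault("volumes", [])
    for kind in ("initContainers", "containers"):
        for c in spec.get(kind, []):
            sc = c.get("securityContext") or {}
            sc["readOnlyRootFilesystem"] = True
            c["securityContext"] = sc
            mounts = c.setdefault("volumeMounts", [])
            for i, path in enumerate(writable_paths):
                vol = f"{c['name']}-scratch-{i}"  # one emptyDir per container, not shared
                if not any(v["name"] == vol for v in volumes):
                    volumes.append({"name": vol, "emptyDir": {}})
                if not any(m.get("mountPath") == path for m in mounts):
                    mounts.append({"name": vol, "mountPath": path})
    return pod


if __name__ == "__main__":
    for ns, pod, container, reason in writable_root_containers(SAMPLE_POD_LIST):
        print(f"{ns}/{pod} container={container}: {reason}")
    # Re-check after hardening the offending pod: no findings remain.
    fixed = harden_pod(SAMPLE_POD_LIST["items"][1])
    assert writable_root_containers({"items": [fixed]}) == []
    print(json.dumps(fixed["spec"], indent=2))
```

Against real clusters, feed the function the parsed output of `kubectl get pods -A -o json`. Note that init containers and ephemeral containers are checked too; a check that only looks at `spec.containers` misses the init container that often runs with the most permissive settings.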
Fairwinds Insights is a policy-driven configuration validation platform (the community version is free to use) that lets teams responsible for Kubernetes identify when a security context is missing or set improperly.
Fairwinds Insights community edition is free to use forever. Try the full edition for 30 days by signing up here. Test in GKE, AKS or EKS or run on a test cluster.
A SaaS solution, Fairwinds Insights automatically scans your clusters, based on your requirements, for containers whose security context is missing or incomplete. Your team saves the time it would otherwise spend identifying and tracking containers with a writable root filesystem and can spend it on remediation instead.
Once the Fairwinds Insights agent is installed, you'll get results in 5-10 minutes. Fairwinds Insights raises a warning whenever securityContext.readOnlyRootFilesystem is not true. You can also use it to enforce the policy throughout your deployment process so that a security context is set for every container. Scanning your configuration from CI/CD to production reduces the risk of security incidents, and the policy-driven configuration validation platform ensures that Kubernetes security best practices are followed organization-wide.