Skip to content
/ readonly-root-filesystem-psp-policy Public

A Kubewarden policy that enforces root filesystem to be readonly

kubewarden.io

License

Apache-2.0 license
2 stars 3 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

kubewarden/readonly-root-filesystem-psp-policy

BranchesTags

Repository files navigation

Kubewarden Policy Repository Stable

This Kubewarden Policy is a replacement for the Kubernetes Pod Security Policy that enforces the usage of ReadOnlyRootFilesystems.

How the policy works

The policy inspects the securityContext of each container defined inside of a Pod and ensures all the containers have the readOnlyRootFilesystem attribute set to true.

The policy checks the both the pod.spec.containers and the init containers too.

Containers that do not have a securityContext defined are rejected too. That happens because, by default, the root filesystem of a container is considered to be writable.

Ephemeral containers are not checked because, by Kubernetes definition, they cannot have a securityContext.

Configuration

The policy doesn't have any configuration.

About

A Kubewarden policy that enforces root filesystem to be readonly

kubewarden.io

Topics

kubernetes webassembly hacktoberfest policy-as-code pod-security-policy kubernetes-security kubewarden-policy

Resources

Readme

License

Apache-2.0 license
Activity
Custom properties

Stars

2 stars

Watchers

5 watching

Forks

3 forks
Report repository

Releases 7

Release v0.1.6 Latest
Jul 11, 2023
+ 6 releases

Packages

 
 
 

Contributors 8

Languages