jvanz/readonly-root-filesystem-psp-policy

 
 

License: Apache 2.0

This Kubewarden Policy is a replacement for the Kubernetes Pod Security Policy that enforces the usage of ReadOnlyRootFilesystems.

How the policy works

The policy inspects the securityContext of each container defined inside of a Pod and ensures all the containers have the readOnlyRootFilesystem attribute set to true.

The policy checks both the pod.spec.containers and the init containers.

Containers that do not have a securityContext defined at all are rejected too, because by default the root filesystem of a container is writable.

Ephemeral containers are not checked because, by Kubernetes definition, they cannot have a securityContext.
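The rules above, written out as an added example (this is not the project's own Rust code): a small Python checker that walks a Pod manifest and reports every regular or init container the policy would reject, using a constructed sample Pod as input.

```python
import json
from typing import Any


def _is_read_only_root(container: dict[str, Any]) -> bool:
    """True only when securityContext.readOnlyRootFilesystem is explicitly true."""
    ctx = container.get("securityContext")
    # A missing securityContext means the root filesystem is writable by default.
    if not isinstance(ctx, dict):
        return False
    return ctx.get("readOnlyRootFilesystem") is True


def find_violations(pod: dict[str, Any]) -> list[str]:
    """Return '<field>/<name>' for each container the policy would reject.

    Both spec.containers and spec.initContainers are inspected;
    spec.ephemeralContainers is deliberately skipped, as in the policy.
    """
    spec = pod.get("spec", {})
    violations: list[str] = []
    for field in ("containers", "initContainers"):
        for c in spec.get(field) or []:
            if not _is_read_only_root(c):
                violations.append(f"{field}/{c.get('name', '<unnamed>')}")
    return violations


def validate(pod_json: str) -> tuple[bool, str]:
    """Admission-style verdict: (accepted, message)."""
    violations = find_violations(json.loads(pod_json))
    if violations:
        return False, "readOnlyRootFilesystem must be true for: " + ", ".join(violations)
    return True, ""


# Constructed sample Pod: one compliant container, one with the flag set to
# false, an init container with no securityContext, and an ephemeral container
# that must be ignored.
SAMPLE_POD = json.dumps({
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "demo"},
    "spec": {
        "containers": [
            {"name": "app", "image": "app:1", "securityContext": {"readOnlyRootFilesystem": True}},
            {"name": "sidecar", "image": "sc:1", "securityContext": {"readOnlyRootFilesystem": False}},
        ],
        "initContainers": [{"name": "init", "image": "init:1"}],
        "ephemeralContainers": [{"name": "debug", "image": "busybox"}],
    },
})

if __name__ == "__main__":
    print(validate(SAMPLE_POD))
```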

Configuration

The policy doesn't have any configuration.

Obtain policy

The policy is automatically published as an OCI artifact inside of this container registry.

Using the policy

The easiest way to use this policy is through the kubewarden-controller.
