How the policy works

This Kubewarden Policy is a replacement for the Kubernetes Pod Security Policy that enforces the usage of ReadOnlyRootFilesystems.

How the policy works

The policy inspects the securityContext of each container defined inside of a Pod and ensures all the containers have the readOnlyRootFilesystem attribute set to true.

The policy checks the both the pod.spec.containers and the init containers too.

Containers that do not have a securityContext defined are rejected too. That happens because, by default, the root filesystem of a container is considered to be writable.

Ephemeral containers are not checked because, by Kubernetes definition, they cannot have a securityContext.

Configuration

The policy doesn't have any configuration.

Name		Name	Last commit message	Last commit date
Latest commit History 109 Commits
.github/workflows		.github/workflows
src		src
.gitignore		.gitignore
CODEOWNERS		CODEOWNERS
CONTRIBUTING.md		CONTRIBUTING.md
Cargo.lock		Cargo.lock
Cargo.toml		Cargo.toml
LICENSE		LICENSE
Makefile		Makefile
README.md		README.md
artifacthub-pkg.yml		artifacthub-pkg.yml
artifacthub-repo.yml		artifacthub-repo.yml
hub.yml		hub.yml
metadata.yml		metadata.yml
renovate.json		renovate.json

License

kubewarden/readonly-root-filesystem-psp-policy

Folders and files

Latest commit

History

Repository files navigation

How the policy works

Configuration

About

Topics

Resources

License

Stars

Watchers

Forks

Languages