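# METADATA
# title: "Root file system is not read-only"
# description: "An immutable root file system prevents applications from writing to their local disk. This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk."
# scope: package
# schemas:
# - input: schema["kubernetes"]
# related_resources:
# - https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/
# custom:
#   id: KSV014
#   avd_id: AVD-KSV-0014
#   severity: LOW
#   short_code: use-readonly-filesystem
#   recommended_action: "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'."
#   input:
#     selector:
#     - type: kubernetes
package builtin.kubernetes.KSV014

import data.lib.kubernetes

# failReadOnlyRootFilesystem is not referenced by any rule in this file; it is
# kept so the package's exported document stays the same for existing callers.
default failReadOnlyRootFilesystem = false

# getReadOnlyRootFilesystemContainers returns all containers that have
# securityContext.readOnlyRootFilesystem set to the boolean true.
getReadOnlyRootFilesystemContainers[container] {
	container := kubernetes.containers[_]
	# Only the boolean true satisfies this check: a missing field, or any
	# other value, leaves the rule undefined for the container.
	container.securityContext.readOnlyRootFilesystem == true
}

# getNotReadOnlyRootFilesystemContainers returns all containers that have
# securityContext.readOnlyRootFilesystem set to false or not set at all
# (the complement of getReadOnlyRootFilesystemContainers over
# kubernetes.containers).
getNotReadOnlyRootFilesystemContainers[container] {
	container := kubernetes.containers[_]
	not getReadOnlyRootFilesystemContainers[container]
}

# deny emits one result per container that does not run with a read-only root
# filesystem. The message names the container (output.name) together with
# kubernetes.kind and kubernetes.name of the input document.
deny[res] {
	output := getNotReadOnlyRootFilesystemContainers[_]
	# NOTE(review): output.name is accessed directly; a container object
	# without a name would leave this rule undefined for that container
	# rather than producing a result — confirm containers are always named
	# by the time they reach kubernetes.containers.
	msg := kubernetes.format(sprintf("Container '%s' of %s '%s' should set 'securityContext.readOnlyRootFilesystem' to true", [output.name, kubernetes.kind, kubernetes.name]))
	res := result.new(msg, output)
}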