Updated on 2024-02-01 GMT+08:00

k8spspreadonlyrootfilesystem

Basic Information

  • Policy type: security
  • Recommended level: L3
  • Effective resource type: Pod
  • Parameter

    exemptImages: String array

Function

This policy restricts the readOnlyRootFilesystem field, corresponding to the control of the same name in PodSecurityPolicy: a container complies only when readOnlyRootFilesystem in its securityContext is set to true.

Policy Example

The following policy instance shows the types of resources for which the policy definition takes effect.

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPReadOnlyRootFilesystem
metadata:
  name: psp-readonlyrootfilesystem
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]

Resource Definition That Complies with the Policy

In the example, the value of the readOnlyRootFilesystem field is true, which complies with the policy instance.

apiVersion: v1
kind: Pod
metadata:
  name: nginx-readonlyrootfilesystem-allowed
  labels:
    app: nginx-readonlyrootfilesystem
spec:
  containers:
  - name: nginx
    image: nginx
    securityContext:
      readOnlyRootFilesystem: true

Resource Definition That Does Not Comply with the Policy

In the example, the value of the readOnlyRootFilesystem field is false, which does not comply with the policy instance.

apiVersion: v1
kind: Pod
metadata:
  name: nginx-readonlyrootfilesystem-disallowed
  labels:
    app: nginx-readonlyrootfilesystem
spec:
  containers:
  - name: nginx
    image: nginx
    securityContext:
      readOnlyRootFilesystem: false
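As an added illustration, not part of this page or of the Gatekeeper library, the following Python check applies the same rule to Pod definitions before they reach the admission controller, so that a manifest can be linted in CI. The exemptImages matching (exact name, or prefix when the entry ends with "*") and the inclusion of initContainers and ephemeralContainers are assumptions about the policy's behavior.

```python
from typing import Any, Dict, Iterable, List

def image_exempt(image: str, exempt_images: Iterable[str]) -> bool:
    """Assumed matching rule: exact match, or prefix match for entries ending in '*'."""
    for pattern in exempt_images:
        if pattern.endswith("*"):
            if image.startswith(pattern[:-1]):
                return True
        elif image == pattern:
            return True
    return False

def readonly_rootfs_violations(pod: Dict[str, Any], exempt_images: Iterable[str] = ()) -> List[str]:
    """Return one message per container whose root filesystem is not read-only.

    readOnlyRootFilesystem must be exactly true; an unset field is a violation,
    because the runtime default is a writable root filesystem.
    """
    violations = []
    spec = pod.get("spec") or {}
    # Assumption: the policy covers init, regular and ephemeral containers alike.
    for field in ("initContainers", "containers", "ephemeralContainers"):
        for c in spec.get(field) or []:
            if image_exempt(c.get("image", ""), exempt_images):
                continue
            sc = c.get("securityContext") or {}
            if sc.get("readOnlyRootFilesystem") is not True:
                violations.append(
                    f"only read-only root filesystem container is allowed: {c.get('name')}"
                )
    return violations

# Constructed sample Pods, mirroring the two definitions on this page.
ALLOWED_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "nginx-readonlyrootfilesystem-allowed"},
    "spec": {"containers": [{"name": "nginx", "image": "nginx",
                             "securityContext": {"readOnlyRootFilesystem": True}}]},
}
DISALLOWED_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "nginx-readonlyrootfilesystem-disallowed"},
    "spec": {"containers": [{"name": "nginx", "image": "nginx",
                             "securityContext": {"readOnlyRootFilesystem": False}}]},
}

if __name__ == "__main__":
    for pod in (ALLOWED_POD, DISALLOWED_POD):
        print(pod["metadata"]["name"], readonly_rootfs_violations(pod) or "compliant")
```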