doc: TRG 4.07: Read-Only Filesystem (DRAFT)

docs/release/trg-0/trg-4-07.md

@@ -0,0 +1,42 @@
+---
+title: TRG 4.07 - Read-only filesystems 
+---
+
+:::caution
+Proposed release date: 01st of Nov 2023
+:::
+
+| Status     | Created      | Post-History                           |
+|------------|--------------|----------------------------------------|
+| Draft      | 03-Octo-2023 | Initial contribution                   |
+
+## Why
+
+The read-only root filesystem right can limit the impact of container compromise when set properly.
+This can prevent malicous processes or applications from writing back to the host file system.
+Such a setting can be an extra protection layer to prevent an attack.
+
+## Description
+
+The read-only filesystem configuration is defined in the deployment yaml. The security context parameters are assigned to the pod.
+This ensures that unpriviledged access cannot be abused to install malicous software of write to the file system. This control is by default false.
+Therefore it is to be considered for each deployment if the flag can be set to the recommended value "true". Only read in this case.
+
+### Implementation
+
+The container's **Pod resource file (yaml)** has to be modified to set rights to read-only.
+
+Mounts the container's root filesystem as read-only:
+
+```yaml
+apiVersion: v1  
+kind: Pod  
+metadata:  
+  name: read-only
+spec:  
+  containers:  
+
+  securityContext:  
+    #read-only and prevent writing to the root file system
+    readOnlyRootFilesystem: true
+```