Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

doc: TRG 4.07: Read-Only Filesystem (DRAFT) #414

Merged
merged 20 commits into from
Nov 22, 2023
Merged

doc: TRG 4.07: Read-Only Filesystem (DRAFT) #414

Changes from 2 commits
Commits
Show all changes
20 commits
Select commit Hold shift + click to select a range
d271315
This is a TRG docs addition as announced by the consortia security te…
SSIRKC Oct 4, 2023
f4d8d31
Update trg-4-07.md
SSIRKC Oct 4, 2023
72306f7
Update trg-4-07.md
SSIRKC Oct 5, 2023
38af541
Update trg-4-07.md
SSIRKC Oct 5, 2023
aafb990
Update trg-4-07.md
SSIRKC Oct 5, 2023
009b95f
Update trg-4-07.md
SSIRKC Oct 5, 2023
ce46127
Update and rename trg-4-07.md to trg-4-7.md
SSIRKC Oct 6, 2023
507cb46
Update and rename trg-4-7.md to trg-4-07.md
SSIRKC Oct 6, 2023
25ffc11
Update trg-4-07.md
SSIRKC Oct 6, 2023
50b946a
Apply suggestions from code review
SSIRKC Oct 10, 2023
543c511
Update trg-4-07.md
SSIRKC Oct 10, 2023
b4f2932
Update trg-4-07.md
SSIRKC Oct 10, 2023
f6125e2
Update trg-4-07.md
SSIRKC Oct 10, 2023
62b9dc2
Update trg-4-07.md
SSIRKC Oct 10, 2023
6b92bad
Update trg-4-07.md
SSIRKC Oct 10, 2023
b22bec9
Update trg-4-07.md
SSIRKC Oct 10, 2023
9ca3b40
Update docs/release/trg-0/trg-4-07.md
SSIRKC Oct 11, 2023
8126f09
Update docs/release/trg-0/trg-4-07.md
SSIRKC Oct 17, 2023
5108f97
Update trg-4-07.md
SSIRKC Nov 9, 2023
e3ec298
Update trg-4-07.md
SSIRKC Nov 9, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
38 changes: 38 additions & 0 deletions docs/release/trg-4/trg-4-07.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,38 @@
---
title: TRG 4.07 - Read-only filesystems
---

:::caution
Proposed release date: "mandatory after": 19th of May 2023
:::

| Status | Created | Post-History |
|------------|--------------|----------------------------------------|
| Draft | 03-Octo-2023 | Initial contribution |

## Why

A read-only root filesystem helps to limit the impact of a compromised container on a Kubernetes node. It is recommended to utilize read-only filesystems when possible. This prevents a malicious process or application from writing back to the host system. Read-only filesystems are a key component to preventing container breakout.

## Description

Whether this container has a read-only root filesystem. Default is false.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The description should explain potentially more than just a read-only filesystem. like implications, best practices (what to do with log files, what to do in other cases)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the input! I will add to that


### Implementation

The container's **Pod resource file (yaml)** has to be modified to set rights to read-only.

Mounts the container's root filesystem as read-only:

```yaml
apiVersion: v1
kind: Pod
metadata:
name: read-only-fs
spec:
containers:

securityContext:
#read-only fs explicitly defined
readOnlyRootFilesystem: true
```