Control: StatefulSet containers should run with a read only root file system
Description
Containers in a StatefulSet should always run with a read only root file system. Using an immutable root filesystem and a verified boot mechanism prevents against attackers from owning the machine through permanent local changes. An immutable root filesystem can also prevent malicious binaries from writing to the host system.
Usage
Run the control in your terminal:
powerpipe control run kubernetes_compliance.control.statefulset_immutable_container_filesystemSnapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run kubernetes_compliance.control.statefulset_immutable_container_filesystem --shareSQL
This control uses a named query:
select coalesce(uid, concat(path, ':', start_line)) as resource, case when (c -> 'securityContext' ->> 'readOnlyRootFilesystem')::bool then 'ok' else 'alarm' end as status, case when (c -> 'securityContext' ->> 'readOnlyRootFilesystem')::bool then c ->> 'name' || ' running with read-only root file system.' else c ->> 'name' || ' not running with read-only root file system.' end as reason, name as stateful_set_name , coalesce(context_name, '') as context_name, namespace, source_type, coalesce(path || ':' || start_line || '-' || end_line, '') as pathfrom kubernetes_stateful_set, jsonb_array_elements(template -> 'spec' -> 'containers') as c;