Benchmark: Containers should run with a read only root file system
Description
Containers should always run with a read only root file system. Using an immutable root filesystem and a verified boot mechanism prevents attackers from owning the machine through permanent local changes. An immutable root filesystem can also prevent malicious binaries from writing to the host system.
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-kubernetes-compliance
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select Containers should run with a read only root file system.
Run this benchmark in your terminal:
powerpipe benchmark run kubernetes_compliance.benchmark.nsa_cisa_v1_pod_security_immutable_container_filesystem
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run kubernetes_compliance.benchmark.nsa_cisa_v1_pod_security_immutable_container_filesystem --share
Controls
- CronJob containers should run with a read only root file system
- DaemonSet containers should run with a read only root file system
- Deployment containers should run with a read only root file system
- Job containers should run with a read only root file system
- Pod containers should run with a read only root file system
- Pod Security Policy should force containers to run with read-only root file system
- ReplicaSet containers should run with a read only root file system
- ReplicationController containers should run with a read only root file system
- StatefulSet containers should run with a read only root file system
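As an added example (not code from the mod), the Python below reproduces the check that the per-workload controls above perform, walking to the pod spec of each workload kind, and the hardened CronJob manifest shows the setting the description calls for, with an emptyDir volume for the paths that still need to be writable. The manifests are constructed inline; the Pod Security Policy control is not covered.

```python
# Added example (not part of the mod): the check these controls perform, run
# over workload manifests parsed into dicts, e.g. from `kubectl get -o json`.
# Where each kind keeps its pod spec; Deployment, DaemonSet, Job, ReplicaSet,
# ReplicationController and StatefulSet all embed it at spec.template.spec.
POD_SPEC_PATH = {
    "Pod": ("spec",),
    "CronJob": ("spec", "jobTemplate", "spec", "template", "spec"),
}
for _kind in ("Deployment", "DaemonSet", "Job", "ReplicaSet",
              "ReplicationController", "StatefulSet"):
    POD_SPEC_PATH[_kind] = ("spec", "template", "spec")

def writable_root_containers(manifest):
    """Containers (initContainers too) with a writable root fs; absent field == false."""
    spec = manifest
    for key in POD_SPEC_PATH[manifest["kind"]]:
        spec = spec.get(key, {})
    findings = []
    for field in ("initContainers", "containers"):
        for c in spec.get(field, []):
            sc = c.get("securityContext") or {}
            if sc.get("readOnlyRootFilesystem") is not True:
                findings.append(c["name"])
    return findings

# Constructed samples: a weak Deployment next to a corrected CronJob.
WEAK_DEPLOYMENT = {
    "kind": "Deployment",
    "spec": {"template": {"spec": {"containers": [
        {"name": "web", "image": "nginx"},  # securityContext absent
        {"name": "sidecar", "image": "busybox",
         "securityContext": {"readOnlyRootFilesystem": False}},
    ]}}},
}
HARDENED_CRONJOB = {
    "kind": "CronJob",
    "spec": {"jobTemplate": {"spec": {"template": {"spec": {
        "containers": [{
            "name": "backup", "image": "busybox",
            "securityContext": {"readOnlyRootFilesystem": True},
            # Scratch space comes from an emptyDir volume, not the root fs.
            "volumeMounts": [{"name": "tmp", "mountPath": "/tmp"}],
        }],
        "volumes": [{"name": "tmp", "emptyDir": {}}],
    }}}}},
}

if __name__ == "__main__":
    for m in (WEAK_DEPLOYMENT, HARDENED_CRONJOB):
        print(m["kind"], "writable root fs in:", writable_root_containers(m))
```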