Benchmark: Containers should run with a read only root file system
Description
Containers should always run with a read only root file system. Using an immutable root filesystem together with a verified boot mechanism helps prevent attackers from taking over the machine through permanent local changes. An immutable root filesystem can also prevent malicious binaries from writing to the host system.
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-kubernetes-compliance
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select Containers should run with a read only root file system.
Run this benchmark in your terminal:
powerpipe benchmark run kubernetes_compliance.benchmark.nsa_cisa_v1_pod_security_immutable_container_filesystem
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run kubernetes_compliance.benchmark.nsa_cisa_v1_pod_security_immutable_container_filesystem --share
Controls
- CronJob containers should run with a read only root file system
- DaemonSet containers should run with a read only root file system
- Deployment containers should run with a read only root file system
- Job containers should run with a read only root file system
- Pod containers should run with a read only root file system
- Pod Security Policy should force containers to run with read-only root file system
- ReplicaSet containers should run with a read only root file system
- ReplicationController containers should run with a read only root file system
- StatefulSet containers should run with a read only root file system
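The controls above all apply the same test to the container specs of each workload kind, differing only in where the pod template lives inside the object. The following Python is an added illustration of that logic and is not the mod's own SQL queries; the manifests are constructed samples, and a container passes only when securityContext.readOnlyRootFilesystem is exactly true, since an absent field defaults to a writable root filesystem. The PodSecurityPolicy branch checks the policy-level spec.readOnlyRootFilesystem field that the "force containers" control refers to.

```python
"""Added example: evaluate the read-only-root-filesystem check over Kubernetes
workload manifests, mirroring the per-kind controls of this benchmark.
Illustrative code only, not the mod's queries; all manifests are constructed."""

# Path to the pod spec for each workload kind (taken from the Kubernetes API shapes).
POD_SPEC_PATHS = {
    "Pod": ("spec",),
    "CronJob": ("spec", "jobTemplate", "spec", "template", "spec"),
    "DaemonSet": ("spec", "template", "spec"),
    "Deployment": ("spec", "template", "spec"),
    "Job": ("spec", "template", "spec"),
    "ReplicaSet": ("spec", "template", "spec"),
    "ReplicationController": ("spec", "template", "spec"),
    "StatefulSet": ("spec", "template", "spec"),
}


def pod_spec(manifest):
    """Walk to the pod spec for the manifest's kind; None if the kind is unknown or the path is missing."""
    path = POD_SPEC_PATHS.get(manifest.get("kind"))
    if path is None:
        return None
    node = manifest
    for key in path:
        node = node.get(key) if isinstance(node, dict) else None
        if node is None:
            return None
    return node


def evaluate(manifest):
    """Return [(name, 'ok' | 'alarm'), ...] for every container (init containers included,
    since they run under the same defaults). Only an explicit True passes; a missing
    securityContext or field means the root filesystem is writable."""
    if manifest.get("kind") == "PodSecurityPolicy":
        forced = (manifest.get("spec") or {}).get("readOnlyRootFilesystem") is True
        name = (manifest.get("metadata") or {}).get("name", "<unnamed>")
        return [(name, "ok" if forced else "alarm")]
    spec = pod_spec(manifest)
    if spec is None:
        return []
    results = []
    for c in (spec.get("containers") or []) + (spec.get("initContainers") or []):
        ro = (c.get("securityContext") or {}).get("readOnlyRootFilesystem")
        results.append((c.get("name", "<unnamed>"), "ok" if ro is True else "alarm"))
    return results


def failing_containers(manifest):
    """Names of containers that would raise an alarm in this benchmark."""
    return [name for name, status in evaluate(manifest) if status == "alarm"]


# Constructed sample: one container with no securityContext, one with the field set to false.
WEAK_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "web"},
    "spec": {"template": {"spec": {"containers": [
        {"name": "web", "image": "example.invalid/web:1.0"},
        {"name": "sidecar", "image": "example.invalid/sidecar:1.0",
         "securityContext": {"readOnlyRootFilesystem": False}},
    ]}}},
}

# Constructed sample: the corrected form; writable scratch space is an emptyDir volume instead.
HARDENED_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "web"},
    "spec": {"template": {"spec": {
        "volumes": [{"name": "tmp", "emptyDir": {}}],
        "containers": [
            {"name": "web", "image": "example.invalid/web:1.0",
             "securityContext": {"readOnlyRootFilesystem": True},
             "volumeMounts": [{"name": "tmp", "mountPath": "/tmp"}]},
            {"name": "sidecar", "image": "example.invalid/sidecar:1.0",
             "securityContext": {"readOnlyRootFilesystem": True}},
        ]}}},
}

# Constructed sample: CronJob whose init container was overlooked.
CRONJOB = {
    "apiVersion": "batch/v1", "kind": "CronJob", "metadata": {"name": "report"},
    "spec": {"schedule": "*/5 * * * *", "jobTemplate": {"spec": {"template": {"spec": {
        "initContainers": [{"name": "fetch", "image": "example.invalid/fetch:1.0"}],
        "containers": [{"name": "report", "image": "example.invalid/report:1.0",
                        "securityContext": {"readOnlyRootFilesystem": True}}],
    }}}}},
}

# Constructed sample: a policy that forces the setting cluster-wide.
PSP = {"apiVersion": "policy/v1beta1", "kind": "PodSecurityPolicy",
       "metadata": {"name": "restricted"}, "spec": {"readOnlyRootFilesystem": True}}


if __name__ == "__main__":
    for m in (WEAK_DEPLOYMENT, HARDENED_DEPLOYMENT, CRONJOB, PSP):
        print(m["kind"], m["metadata"]["name"], evaluate(m))
```

Running the module prints one line per sample, with the weak Deployment and the CronJob's init container in alarm and the hardened Deployment and the policy passing. The emptyDir mount in the hardened sample is the usual way to keep a read-only root while still giving the process a writable /tmp.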