Filesystem Writable

By default, containers are allowed to make modification to files. This unnecessary privilege increases the cluster attack surface as commonly containers do not need a writable filesystem.

Remediation

The following example makes the root file system read only.

apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      containers:
      - name: app
        securityContext:
          readOnlyRootFilesystem: true

Metadata

Severity: informational
Slug: filesystem-writable

CWEs

269: Improper Privilege Management

OWASP

A04:2021: Insecure Design
A05:2021: Security Misconfiguration

Available Labs

Open Kubernetes labs in SecDim Play for this vulnerability.

easy

Rootfs.k8s

Other Easy Kubernetes Signature

Play AppSec WarGames

Want to skill-up in secure coding and AppSec? Try SecDim Wargames to learn how to find, hack and fix security vulnerabilities inspired by real-world incidents.

For Companies Play Now

Got a comment?

Join our secure coding and AppSec community. A discussion board to share and discuss all aspects of secure programming, AppSec, DevSecOps, fuzzing, cloudsec, AIsec code review, and more.