Action Item: Checking for Read Only Filesystems

How to ensure filesystems are read only with Fairwinds Insights.


Hello, I'm Nung Bedell, a customer reliability engineer at Fairwinds. In this video, I'm going to take you through the file system should be read only Insights action item. By disabling access to the root file system, you're preventing an attacker from altering the configuration, installing software, or injecting malicious code. By default, Kubernetes runs containers with a writeable file system. However, Kubernetes workload should generally be stateless and should not need write access to the root file system.

If your workload needs to write files to disc, there are safer methods of doing so, and I will take you through one example.

In my terminal window, I am connected to a Kubernetes cluster. Here we have a simple manifest that deploys a pod that echos hello world to a file in /usr/hello.txt. I've added some wait time so that we can log in and verify that the file's written before the pod completes. Now, let's deploy. Let's check on our deployment. The pod is running. And let's shell into it. Let's list the user file system. And our file was written.

Now, here we have a similar manifest, but this time in lines 10 and 11, we've set a security context. We've made the root file system read only – readOnlyRootFilesystem:true. Now let's deploy that, get status, and the pod errors out because it cannot write hello.txt to /usr. Let's fix that. In line six through eight, we're adding a volume calling it data. We're now going to change, in line 12, where we're writing that hello.txt and we're going to write it to that new volume /data and leave the root file system access free. We're going to mount that data volume, and we're going to keep the security context of the root file system to be read only.

Let’s deploy that. Our status shows that it's running, and if we shell into the pod and list the root file system, we can see now that we have a directory called data. If we list it out, we see that our file is written there. Now, let's go into /usr and let's try to create a file. And we cannot because the root file system is now read only.

There you have it. We've just taken a pod that writes to the root file system and made it more secure. We've configured the pod to have a read only file system, added a writeable volume, and redirected the container to write to that safer location.

Thanks for watching.