id: k8s-readonly-rootfs

info:
  name: Pods with read-only root filesystem
  author: princechaddha
  severity: medium
  description: Checks for pods and containers running with a read-only root filesystem to prevent modifications to the filesystem, enhancing security.
  impact: |
    Running containers with a read-only root filesystem ensures that applications are not able to write to the filesystem or modify existing content. This is a common security practice to prevent malicious changes.
  remediation: |
    Configure all pods and containers to have their root filesystem set to read-only mode. This can be achieved by setting the securityContext.readOnlyRootFilesystem parameter to true in the pod or container configuration.
  reference:
    - https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems
  tags: cloud,devops,kubernetes,devsecops,pods,k8s,k8s-cluster-security

flow: |
  code(1);
  for (let pod of template.items) {
    set("pod", pod)
    javascript(1);
  }

self-contained: true
code:
  - engine:
      - sh
      - bash
    source: kubectl get pods --all-namespaces --output=json
    extractors:
      - type: json
        name: items
        internal: true
        json:
          - '.items[] | {pod: .metadata.name, containers: .spec.containers}'

javascript:
  - code: |
        let podData = JSON.parse(template.pod);
        podData.containers.forEach(container => {
          if (container.securityContext && container.securityContext.readOnlyRootFilesystem !== true) {
            let result = (`Container '${container.name}' in pod '${podData.pod}' is not running with a read-only root filesystem.`);
            Export(result);
          }
        });

    extractors:
      - type: dsl
        dsl:
          - response
# digest: 4a0a004730450221008ab8295b6fd005e8c2e6adf415bc1afd2e4bf13da1309b9a1294010cd823ffb5022051261a124e174fb71b23d17a6e1cc22aad6096bfd8b57d0d73370257f852890d:922c64590222798bb761d5b6d8e72950