diff --git a/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.1.1/artifacthub-pkg.yml b/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.1.1/artifacthub-pkg.yml new file mode 100644 index 0000000000..51b512840a --- /dev/null +++ b/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.1.1/artifacthub-pkg.yml @@ -0,0 +1,22 @@ +version: 1.1.1 +name: k8spspreadonlyrootfilesystem +displayName: Read Only Root Filesystem +createdAt: "2024-08-26T22:42:23Z" +description: Requires the use of a read-only root file system by pod containers. Corresponds to the `readOnlyRootFilesystem` field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems +digest: 29a934504c9589a3b88a923f0a52bc4e96ae585cbe5d8e6d8d342b6f8c86928d +license: Apache-2.0 +homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/read-only-root-filesystem +keywords: + - gatekeeper + - open-policy-agent + - policies +readme: |- + # Read Only Root Filesystem + Requires the use of a read-only root file system by pod containers. Corresponds to the `readOnlyRootFilesystem` field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems +install: |- + ### Usage + ```shell + kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.1.1/template.yaml + ``` +provider: + name: Gatekeeper Library diff --git a/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.1.1/kustomization.yaml b/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.1.1/kustomization.yaml new file mode 100644 index 0000000000..7d70d11b71 --- /dev/null +++ b/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.1.1/kustomization.yaml @@ -0,0 +1,2 @@ +resources: + - template.yaml diff --git a/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.1.1/samples/psp-readonlyrootfilesystem/constraint.yaml b/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.1.1/samples/psp-readonlyrootfilesystem/constraint.yaml new file mode 100644 index 0000000000..66d6bdabe9 --- /dev/null +++ b/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.1.1/samples/psp-readonlyrootfilesystem/constraint.yaml @@ -0,0 +1,9 @@ +apiVersion: constraints.gatekeeper.sh/v1beta1 +kind: K8sPSPReadOnlyRootFilesystem +metadata: + name: psp-readonlyrootfilesystem +spec: + match: + kinds: + - apiGroups: [""] + kinds: ["Pod"] diff --git a/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.1.1/samples/psp-readonlyrootfilesystem/disallowed_ephemeral.yaml b/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.1.1/samples/psp-readonlyrootfilesystem/disallowed_ephemeral.yaml new file mode 100644 index 0000000000..d0ce2c4dc5 --- /dev/null +++ b/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.1.1/samples/psp-readonlyrootfilesystem/disallowed_ephemeral.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Pod +metadata: + name: nginx-readonlyrootfilesystem-disallowed + labels: + app: nginx-readonlyrootfilesystem +spec: + ephemeralContainers: + - name: nginx + image: nginx + securityContext: + readOnlyRootFilesystem: false diff --git a/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.1.1/samples/psp-readonlyrootfilesystem/example_allowed.yaml b/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.1.1/samples/psp-readonlyrootfilesystem/example_allowed.yaml new file mode 100644 index 0000000000..9c96bd18cd --- /dev/null +++ b/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.1.1/samples/psp-readonlyrootfilesystem/example_allowed.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Pod +metadata: + name: nginx-readonlyrootfilesystem-allowed + labels: + app: nginx-readonlyrootfilesystem +spec: + containers: + - name: nginx + image: nginx + securityContext: + readOnlyRootFilesystem: true diff --git a/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.1.1/samples/psp-readonlyrootfilesystem/example_disallowed.yaml b/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.1.1/samples/psp-readonlyrootfilesystem/example_disallowed.yaml new file mode 100644 index 0000000000..7571bfd9fb --- /dev/null +++ b/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.1.1/samples/psp-readonlyrootfilesystem/example_disallowed.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Pod +metadata: + name: nginx-readonlyrootfilesystem-disallowed + labels: + app: nginx-readonlyrootfilesystem +spec: + containers: + - name: nginx + image: nginx + securityContext: + readOnlyRootFilesystem: false diff --git a/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.1.1/samples/psp-readonlyrootfilesystem/update.yaml b/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.1.1/samples/psp-readonlyrootfilesystem/update.yaml new file mode 100644 index 0000000000..b31ae5e3a8 --- /dev/null +++ b/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.1.1/samples/psp-readonlyrootfilesystem/update.yaml @@ -0,0 +1,17 @@ +kind: AdmissionReview +apiVersion: admission.k8s.io/v1beta1 +request: + operation: "UPDATE" + object: + apiVersion: v1 + kind: Pod + metadata: + name: nginx-readonlyrootfilesystem-disallowed + labels: + app: nginx-readonlyrootfilesystem + spec: + containers: + - name: nginx + image: nginx + securityContext: + readOnlyRootFilesystem: false diff --git a/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.1.1/samples/wildcard-support/constraint.yaml b/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.1.1/samples/wildcard-support/constraint.yaml new file mode 100644 index 0000000000..b5497e7611 --- /dev/null +++ b/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.1.1/samples/wildcard-support/constraint.yaml @@ -0,0 +1,12 @@ +apiVersion: constraints.gatekeeper.sh/v1beta1 +kind: K8sPSPReadOnlyRootFilesystem +metadata: + name: psp-readonlyrootfilesystem +spec: + match: + kinds: + - apiGroups: [""] + kinds: ["Pod"] + parameters: + exemptImages: + - "*" diff --git a/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.1.1/suite.yaml b/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.1.1/suite.yaml new file mode 100644 index 0000000000..29b2d9aea9 --- /dev/null +++ b/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.1.1/suite.yaml @@ -0,0 +1,47 @@ +kind: Suite +apiVersion: test.gatekeeper.sh/v1alpha1 +metadata: + name: read-only-root-filesystem +tests: +- name: require-read-only-root-filesystem + template: template.yaml + constraint: samples/psp-readonlyrootfilesystem/constraint.yaml + cases: + - name: example-disallowed + object: samples/psp-readonlyrootfilesystem/example_disallowed.yaml + assertions: + - violations: yes + message: "only read-only root filesystem container is allowed: nginx" + - name: example-allowed + object: samples/psp-readonlyrootfilesystem/example_allowed.yaml + assertions: + - violations: no + - name: disallowed-ephemeral + object: samples/psp-readonlyrootfilesystem/disallowed_ephemeral.yaml + assertions: + - violations: yes + message: "only read-only root filesystem container is allowed: nginx" + - name: update + object: samples/psp-readonlyrootfilesystem/update.yaml + assertions: + - violations: no +- name: wildcard-support + template: template.yaml + constraint: samples/wildcard-support/constraint.yaml + cases: + - name: example-disallowed + object: samples/psp-readonlyrootfilesystem/example_disallowed.yaml + assertions: + - violations: no + - name: example-allowed + object: samples/psp-readonlyrootfilesystem/example_allowed.yaml + assertions: + - violations: no + - name: disallowed-ephemeral + object: samples/psp-readonlyrootfilesystem/disallowed_ephemeral.yaml + assertions: + - violations: no + - name: update + object: samples/psp-readonlyrootfilesystem/update.yaml + assertions: + - violations: no diff --git a/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.1.1/template.yaml b/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.1.1/template.yaml new file mode 100644 index 0000000000..01f264b03c --- /dev/null +++ b/artifacthub/library/pod-security-policy/read-only-root-filesystem/1.1.1/template.yaml @@ -0,0 +1,144 @@ +apiVersion: templates.gatekeeper.sh/v1 +kind: ConstraintTemplate +metadata: + name: k8spspreadonlyrootfilesystem + annotations: + metadata.gatekeeper.sh/title: "Read Only Root Filesystem" + metadata.gatekeeper.sh/version: 1.1.1 + description: >- + Requires the use of a read-only root file system by pod containers. + Corresponds to the `readOnlyRootFilesystem` field in a + PodSecurityPolicy. For more information, see + https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems +spec: + crd: + spec: + names: + kind: K8sPSPReadOnlyRootFilesystem + validation: + # Schema for the `parameters` field + openAPIV3Schema: + type: object + description: >- + Requires the use of a read-only root file system by pod containers. + Corresponds to the `readOnlyRootFilesystem` field in a + PodSecurityPolicy. For more information, see + https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems + properties: + exemptImages: + description: >- + Any container that uses an image that matches an entry in this list will be excluded + from enforcement. Prefix-matching can be signified with `*`. For example: `my-image-*`. + + It is recommended that users use the fully-qualified Docker image name (e.g. start with a domain name) + in order to avoid unexpectedly exempting images from an untrusted repository. + type: array + items: + type: string + targets: + - target: admission.k8s.gatekeeper.sh + code: + - engine: K8sNativeValidation + source: + variables: + - name: containers + expression: 'has(variables.anyObject.spec.containers) ? variables.anyObject.spec.containers : []' + - name: initContainers + expression: 'has(variables.anyObject.spec.initContainers) ? variables.anyObject.spec.initContainers : []' + - name: ephemeralContainers + expression: 'has(variables.anyObject.spec.ephemeralContainers) ? variables.anyObject.spec.ephemeralContainers : []' + - name: exemptImagePrefixes + expression: | + !has(variables.params.exemptImages) ? [] : + variables.params.exemptImages.filter(image, image.endsWith("*")).map(image, string(image).replace("*", "")) + - name: exemptImageExplicit + expression: | + !has(variables.params.exemptImages) ? [] : + variables.params.exemptImages.filter(image, !image.endsWith("*")) + - name: exemptImageWildcard + expression: | + !has(variables.params.exemptImages) ? false : + variables.params.exemptImages.exists_one(image, string(image) == "*") + - name: exemptImages + expression: | + (variables.containers + variables.initContainers + variables.ephemeralContainers).filter(container, + container.image in variables.exemptImageExplicit || + variables.exemptImagePrefixes.exists(exemption, string(container.image).startsWith(exemption))) + - name: badContainers + expression: | + (variables.containers + variables.initContainers + variables.ephemeralContainers).filter(container, + (!(container.image in variables.exemptImages) && !variables.exemptImageWildcard) && + (!has(container.securityContext) || + !has(container.securityContext.readOnlyRootFilesystem) || + container.securityContext.readOnlyRootFilesystem != true) + ).map(container, container.name) + validations: + - expression: '(has(request.operation) && request.operation == "UPDATE") || size(variables.badContainers) == 0' + messageExpression: '"only read-only root filesystem container is allowed: " + variables.badContainers.join(", ")' + + - engine: Rego + source: + rego: | + package k8spspreadonlyrootfilesystem + + import data.lib.exclude_update.is_update + import data.lib.exempt_container.is_exempt + + violation[{"msg": msg, "details": {}}] { + # spec.containers.readOnlyRootFilesystem field is immutable. + not is_update(input.review) + + c := input_containers[_] + not is_exempt(c) + input_read_only_root_fs(c) + msg := sprintf("only read-only root filesystem container is allowed: %v", [c.name]) + } + + input_read_only_root_fs(c) { + not has_field(c, "securityContext") + } + input_read_only_root_fs(c) { + not c.securityContext.readOnlyRootFilesystem == true + } + + input_containers[c] { + c := input.review.object.spec.containers[_] + } + input_containers[c] { + c := input.review.object.spec.initContainers[_] + } + input_containers[c] { + c := input.review.object.spec.ephemeralContainers[_] + } + + # has_field returns whether an object has a field + has_field(object, field) = true { + object[field] + } + libs: + - | + package lib.exclude_update + + is_update(review) { + review.operation == "UPDATE" + } + - | + package lib.exempt_container + + is_exempt(container) { + exempt_images := object.get(object.get(input, "parameters", {}), "exemptImages", []) + img := container.image + exemption := exempt_images[_] + _matches_exemption(img, exemption) + } + + _matches_exemption(img, exemption) { + not endswith(exemption, "*") + exemption == img + } + + _matches_exemption(img, exemption) { + endswith(exemption, "*") + prefix := trim_suffix(exemption, "*") + startswith(img, prefix) + } diff --git a/library/pod-security-policy/read-only-root-filesystem/samples/wildcard_support/example_safe_image_prefix.yaml b/library/pod-security-policy/read-only-root-filesystem/samples/wildcard_support/example_safe_image_prefix.yaml new file mode 100644 index 0000000000..6c4c60d104 --- /dev/null +++ b/library/pod-security-policy/read-only-root-filesystem/samples/wildcard_support/example_safe_image_prefix.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Pod +metadata: + name: nginx-readonlyrootfilesystem-allowed + labels: + app: nginx-readonlyrootfilesystem +spec: + containers: + - name: nginx + image: "safe-images.com/nginx" + securityContext: + readOnlyRootFilesystem: false diff --git a/library/pod-security-policy/read-only-root-filesystem/samples/wildcard_support/example_unsafe_image_prefix.yaml b/library/pod-security-policy/read-only-root-filesystem/samples/wildcard_support/example_unsafe_image_prefix.yaml new file mode 100644 index 0000000000..563abb05f7 --- /dev/null +++ b/library/pod-security-policy/read-only-root-filesystem/samples/wildcard_support/example_unsafe_image_prefix.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Pod +metadata: + name: nginx-readonlyrootfilesystem-allowed + labels: + app: nginx-readonlyrootfilesystem +spec: + containers: + - name: nginx + image: "unsafe-images.com/nginx" + securityContext: + readOnlyRootFilesystem: false diff --git a/library/pod-security-policy/read-only-root-filesystem/samples/wildcard_support/full_wildcard_constraint.yaml b/library/pod-security-policy/read-only-root-filesystem/samples/wildcard_support/full_wildcard_constraint.yaml new file mode 100644 index 0000000000..b5497e7611 --- /dev/null +++ b/library/pod-security-policy/read-only-root-filesystem/samples/wildcard_support/full_wildcard_constraint.yaml @@ -0,0 +1,12 @@ +apiVersion: constraints.gatekeeper.sh/v1beta1 +kind: K8sPSPReadOnlyRootFilesystem +metadata: + name: psp-readonlyrootfilesystem +spec: + match: + kinds: + - apiGroups: [""] + kinds: ["Pod"] + parameters: + exemptImages: + - "*" diff --git a/library/pod-security-policy/read-only-root-filesystem/samples/wildcard_support/prefix_matching_constraint.yaml b/library/pod-security-policy/read-only-root-filesystem/samples/wildcard_support/prefix_matching_constraint.yaml new file mode 100644 index 0000000000..8bac931409 --- /dev/null +++ b/library/pod-security-policy/read-only-root-filesystem/samples/wildcard_support/prefix_matching_constraint.yaml @@ -0,0 +1,12 @@ +apiVersion: constraints.gatekeeper.sh/v1beta1 +kind: K8sPSPReadOnlyRootFilesystem +metadata: + name: psp-readonlyrootfilesystem +spec: + match: + kinds: + - apiGroups: [""] + kinds: ["Pod"] + parameters: + exemptImages: + - "safe-images.com/*" diff --git a/library/pod-security-policy/read-only-root-filesystem/suite.yaml b/library/pod-security-policy/read-only-root-filesystem/suite.yaml index fb52faa007..ed73b49d70 100644 --- a/library/pod-security-policy/read-only-root-filesystem/suite.yaml +++ b/library/pod-security-policy/read-only-root-filesystem/suite.yaml @@ -25,3 +25,23 @@ tests: object: samples/psp-readonlyrootfilesystem/update.yaml assertions: - violations: no +- name: full-wildcard + template: template.yaml + constraint: samples/wildcard_support/full_wildcard_constraint.yaml + cases: + - name: allow-normally-disallowed + object: samples/psp-readonlyrootfilesystem/example_disallowed.yaml + assertions: + - violations: no +- name: wildcard-suffix + template: template.yaml + constraint: samples/wildcard_support/prefix_matching_constraint.yaml + cases: + - name: image-with-exempt-prefix-readOnlyRootFilesystem-not-required + object: samples/wildcard_support/example_safe_image_prefix.yaml + assertions: + - violations: no + - name: image-with-different-prefix-must-set-readOnlyRootFilesystem + object: samples/wildcard_support/example_unsafe_image_prefix.yaml + assertions: + - violations: yes diff --git a/library/pod-security-policy/read-only-root-filesystem/template.yaml b/library/pod-security-policy/read-only-root-filesystem/template.yaml index 361ff999d5..01f264b03c 100644 --- a/library/pod-security-policy/read-only-root-filesystem/template.yaml +++ b/library/pod-security-policy/read-only-root-filesystem/template.yaml @@ -4,7 +4,7 @@ metadata: name: k8spspreadonlyrootfilesystem annotations: metadata.gatekeeper.sh/title: "Read Only Root Filesystem" - metadata.gatekeeper.sh/version: 1.1.0 + metadata.gatekeeper.sh/version: 1.1.1 description: >- Requires the use of a read-only root file system by pod containers. Corresponds to the `readOnlyRootFilesystem` field in a @@ -55,6 +55,10 @@ spec: expression: | !has(variables.params.exemptImages) ? [] : variables.params.exemptImages.filter(image, !image.endsWith("*")) + - name: exemptImageWildcard + expression: | + !has(variables.params.exemptImages) ? false : + variables.params.exemptImages.exists_one(image, string(image) == "*") - name: exemptImages expression: | (variables.containers + variables.initContainers + variables.ephemeralContainers).filter(container, @@ -63,7 +67,7 @@ spec: - name: badContainers expression: | (variables.containers + variables.initContainers + variables.ephemeralContainers).filter(container, - !(container.image in variables.exemptImages) && + (!(container.image in variables.exemptImages) && !variables.exemptImageWildcard) && (!has(container.securityContext) || !has(container.securityContext.readOnlyRootFilesystem) || container.securityContext.readOnlyRootFilesystem != true) diff --git a/src/pod-security-policy/read-only-root-filesystem/constraint.tmpl b/src/pod-security-policy/read-only-root-filesystem/constraint.tmpl index 862dfa51cd..57516f3d88 100644 --- a/src/pod-security-policy/read-only-root-filesystem/constraint.tmpl +++ b/src/pod-security-policy/read-only-root-filesystem/constraint.tmpl @@ -4,7 +4,7 @@ metadata: name: k8spspreadonlyrootfilesystem annotations: metadata.gatekeeper.sh/title: "Read Only Root Filesystem" - metadata.gatekeeper.sh/version: 1.1.0 + metadata.gatekeeper.sh/version: 1.1.1 description: >- Requires the use of a read-only root file system by pod containers. Corresponds to the `readOnlyRootFilesystem` field in a diff --git a/src/pod-security-policy/read-only-root-filesystem/src.cel b/src/pod-security-policy/read-only-root-filesystem/src.cel index 0c4db172b4..bc94215e06 100644 --- a/src/pod-security-policy/read-only-root-filesystem/src.cel +++ b/src/pod-security-policy/read-only-root-filesystem/src.cel @@ -13,6 +13,10 @@ variables: expression: | !has(variables.params.exemptImages) ? [] : variables.params.exemptImages.filter(image, !image.endsWith("*")) +- name: exemptImageWildcard + expression: | + !has(variables.params.exemptImages) ? false : + variables.params.exemptImages.exists_one(image, string(image) == "*") - name: exemptImages expression: | (variables.containers + variables.initContainers + variables.ephemeralContainers).filter(container, @@ -21,7 +25,7 @@ variables: - name: badContainers expression: | (variables.containers + variables.initContainers + variables.ephemeralContainers).filter(container, - !(container.image in variables.exemptImages) && + (!(container.image in variables.exemptImages) && !variables.exemptImageWildcard) && (!has(container.securityContext) || !has(container.securityContext.readOnlyRootFilesystem) || container.securityContext.readOnlyRootFilesystem != true) diff --git a/website/docs/validation/read-only-root-filesystem.md b/website/docs/validation/read-only-root-filesystem.md index 038698b2ae..e36411d686 100644 --- a/website/docs/validation/read-only-root-filesystem.md +++ b/website/docs/validation/read-only-root-filesystem.md @@ -16,7 +16,7 @@ metadata: name: k8spspreadonlyrootfilesystem annotations: metadata.gatekeeper.sh/title: "Read Only Root Filesystem" - metadata.gatekeeper.sh/version: 1.1.0 + metadata.gatekeeper.sh/version: 1.1.1 description: >- Requires the use of a read-only root file system by pod containers. Corresponds to the `readOnlyRootFilesystem` field in a @@ -67,6 +67,10 @@ spec: expression: | !has(variables.params.exemptImages) ? [] : variables.params.exemptImages.filter(image, !image.endsWith("*")) + - name: exemptImageWildcard + expression: | + !has(variables.params.exemptImages) ? false : + variables.params.exemptImages.exists_one(image, string(image) == "*") - name: exemptImages expression: | (variables.containers + variables.initContainers + variables.ephemeralContainers).filter(container, @@ -75,7 +79,7 @@ spec: - name: badContainers expression: | (variables.containers + variables.initContainers + variables.ephemeralContainers).filter(container, - !(container.image in variables.exemptImages) && + (!(container.image in variables.exemptImages) && !variables.exemptImageWildcard) && (!has(container.securityContext) || !has(container.securityContext.readOnlyRootFilesystem) || container.securityContext.readOnlyRootFilesystem != true) @@ -265,4 +269,114 @@ kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper- +
+wildcard-support + +
+constraint + +```yaml +apiVersion: constraints.gatekeeper.sh/v1beta1 +kind: K8sPSPReadOnlyRootFilesystem +metadata: + name: psp-readonlyrootfilesystem +spec: + match: + kinds: + - apiGroups: [""] + kinds: ["Pod"] + parameters: + exemptImages: + - "*" + +``` + +Usage + +```shell +kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/read-only-root-filesystem/samples/wildcard-support/constraint.yaml +``` + +
+ +
+example-disallowed + +```yaml +apiVersion: v1 +kind: Pod +metadata: + name: nginx-readonlyrootfilesystem-disallowed + labels: + app: nginx-readonlyrootfilesystem +spec: + containers: + - name: nginx + image: nginx + securityContext: + readOnlyRootFilesystem: false + +``` + +Usage + +```shell +kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/read-only-root-filesystem/samples/psp-readonlyrootfilesystem/example_disallowed.yaml +``` + +
+
+example-allowed + +```yaml +apiVersion: v1 +kind: Pod +metadata: + name: nginx-readonlyrootfilesystem-allowed + labels: + app: nginx-readonlyrootfilesystem +spec: + containers: + - name: nginx + image: nginx + securityContext: + readOnlyRootFilesystem: true + +``` + +Usage + +```shell +kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/read-only-root-filesystem/samples/psp-readonlyrootfilesystem/example_allowed.yaml +``` + +
+
+disallowed-ephemeral + +```yaml +apiVersion: v1 +kind: Pod +metadata: + name: nginx-readonlyrootfilesystem-disallowed + labels: + app: nginx-readonlyrootfilesystem +spec: + ephemeralContainers: + - name: nginx + image: nginx + securityContext: + readOnlyRootFilesystem: false + +``` + +Usage + +```shell +kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/read-only-root-filesystem/samples/psp-readonlyrootfilesystem/disallowed_ephemeral.yaml +``` + +
+ +
\ No newline at end of file