🚀 Join our AI Wargame at Black Hat Asia and our Workshop + Wargame at NDC Sydney .

Filesystem Writable

By default, containers are allowed to make modification to files. This unnecessary privilege increases the cluster attack surface as commonly containers do not need a writable filesystem.

Remediation

The following example makes the root file system read only.

apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      containers:
      - name: app
        securityContext:
          readOnlyRootFilesystem: true

Metadata

  • Severity: informational
  • Slug: filesystem-writable

CWEs

  • 269: Improper Privilege Management

OWASP

  • A04:2021: Insecure Design
  • A05:2021: Security Misconfiguration

Available Labs

Open Kubernetes labs in SecDim Play for this vulnerability.

Try it yourself

Find, Hack and Fix Your First Vulnerability

Reading about security bugs is one thing — fixing one is how the skill sticks. Play a free challenge from the wargame, no setup required.