Terraform Missing Read Only Root Filesystem
Description
Detects Kubernetes container configurations in Terraform that leave the container's root filesystem writable. A writable root filesystem lets a process that has compromised the container drop tooling, tamper with binaries and configuration, and persist for the life of the pod. Setting readOnlyRootFilesystem to true blocks those writes so that only explicitly mounted volumes remain writable, which removes the attack surface that an attacker would otherwise use after a container compromise.
Detection Strategy
• Examines Kubernetes resource definitions that carry a pod template (kubernetes_pod, kubernetes_deployment, kubernetes_stateful_set, etc.), including the nested spec/template/spec structure of the workload resources
• For each container (and init container) specification, checks whether the security_context block sets read_only_root_filesystem (readOnlyRootFilesystem in the Kubernetes API) to true
• Reports a vulnerability if the property is set to false, if it is absent from the security_context, or if the container has no security_context at all
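The three bullets above describe a tree walk over HCL resources. The script below is an added example of that walk, not Fluid Attacks' scanner. It is a deliberately small hand-written parser for the HCL subset the page's examples use (nested blocks, `key = value` lines, `#` comments), and the sample configuration it scans is constructed here: the page's vulnerable pod, a deployment that sets the flag to false explicitly, and a hardened pod. Resource and container names in the sample are illustrative.

```python
# Added example, not Fluid Attacks' scanner: a minimal checker for the rule above. It
# handles the HCL subset the page's examples use; a '#' inside a string value is not handled.
import re
from dataclasses import dataclass, field

BLOCK_OPEN = re.compile(r'^(\w+)((?:\s+"[^"]*")*)\s*\{(\})?$')
ATTR = re.compile(r'^(\w+)\s*=\s*(.+)$')

@dataclass
class Block:
    kind: str
    labels: list = field(default_factory=list)
    attrs: dict = field(default_factory=dict)
    children: list = field(default_factory=list)
    line: int = 0

def parse_hcl(text):
    """Parse the HCL subset into a Block tree under a synthetic root."""
    root = Block("root")
    stack = [root]
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line == "}":
            stack.pop()
        elif m := BLOCK_OPEN.match(line):
            blk = Block(m.group(1), re.findall(r'"([^"]*)"', m.group(2)), line=lineno)
            stack[-1].children.append(blk)
            if not m.group(3):  # `name {}` opens and closes on one line
                stack.append(blk)
        elif m := ATTR.match(line):
            stack[-1].attrs[m.group(1)] = m.group(2).strip().strip('"')
        else:
            raise ValueError(f"line {lineno}: unsupported syntax {raw!r}")
    if len(stack) != 1:
        raise ValueError("unbalanced braces")
    return root

def iter_blocks(block, kinds):
    # Yield every descendant block whose kind is in `kinds`, depth-first.
    for child in block.children:
        if child.kind in kinds:
            yield child
        yield from iter_blocks(child, kinds)

def find_writable_root_fs(text):
    """Return (resource name, container name, line) for each offending container."""
    findings = []
    for res in iter_blocks(parse_hcl(text), {"resource"}):
        if len(res.labels) < 2 or not res.labels[0].startswith("kubernetes_"):
            continue
        # The depth-first walk finds `container` at any depth, so Pod and the
        # templated workloads (Deployment, StatefulSet, ...) need no special case.
        for c in iter_blocks(res, {"container", "init_container"}):
            hardened = any(sc.attrs.get("read_only_root_filesystem") == "true"
                           for sc in c.children if sc.kind == "security_context")
            if not hardened:
                findings.append((res.labels[1], c.attrs.get("name", "?"), c.line))
    return findings

# Constructed sample (metadata blocks omitted for brevity): the page's vulnerable
# pod, a deployment that sets the flag to false explicitly, and a hardened pod.
SAMPLE = '''
resource "kubernetes_pod" "vulnerable_pod" {
  spec {
    container {
      name  = "unsafe-container"
      image = "nginx"
    }
  }
}
resource "kubernetes_deployment" "explicit_false" {
  spec {
    template {
      spec {
        container {
          name  = "web"
          image = "nginx"
          security_context {
            read_only_root_filesystem = false
          }
        }
      }
    }
  }
}
resource "kubernetes_pod" "secure_pod" {
  spec {
    automount_service_account_token = false
    container {
      name  = "safe-container"
      image = "nginx"
      security_context {
        read_only_root_filesystem = true
      }
    }
  }
}
'''
```

Calling find_writable_root_fs(SAMPLE) returns two findings, vulnerable_pod/unsafe-container (no security_context) and explicit_false/web (flag set to false), and nothing for secure_pod. A real scanner must also resolve variables, dynamic blocks and for_each, which this text-level parser does not attempt. When rolling the fix out, expect images that write under /tmp, /var/cache or /var/run to fail on a read-only root; the remedy is an empty_dir volume mounted at those paths, not switching the flag back off.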
Vulnerable code example
resource "kubernetes_pod" "vulnerable_pod" {
  metadata {
    name = "vulnerable-pod"
  }
  spec {
    container {
      name  = "unsafe-container"
      image = "nginx"
      # No security_context block, so read_only_root_filesystem defaults to false
    }
  }
}
✅ Secure code example
resource "kubernetes_pod" "secure_pod" {
  metadata {
    name = "secure-pod"
  }
  spec {
    # Prevent mounting default service account token
    automount_service_account_token = false
    container {
      name  = "safe-container" # name assumed; the page's example is cut off here
      image = "nginx"
      security_context {
        read_only_root_filesystem = true
      }
    }
  }
}