Hi, I'm Ted Hahn and I'm working on the Kubernetes team at Nordstrom. We're trying to implement Pod Security Policies (PSP) org-wide, and your container image is used by some of our teams.
I'm trying to remedy the following attributes:
[ ] Writes to rootfs
[ ] No Volumes listed
Writes to / are not permitted, to prevent attackers from overwriting binaries or modules that might be dynamically loaded or otherwise executed. This is the equivalent of running the docker image with the --read-only flag.
Explicitly listing writable Volumes serves as documentation for which mount points are used by the container. Docker will default to mounting a temporary volume at these locations if no other mount is given (enabling the container to still be run even with the --read-only flag).
Does this PR include tests? Yes
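The two requirements above, as an added example that is not part of this PR or of the image's own code: a small Python checker that pulls the VOLUME mount points out of a Dockerfile and reports whether a pod spec runs each container with readOnlyRootFilesystem and mounts a writable volume at every path the image declares. The Dockerfile text, the `example/nginx:1.0` image name and both pod specs are constructed stand-ins, not the image this PR targets.

```python
"""Check a pod spec against a read-only-rootfs policy plus the image's VOLUMEs.

Constructed example: the Dockerfile, image name and pod specs below are
stand-ins, not the image this PR is filed against.
"""
import json
import re

# Constructed Dockerfile using both VOLUME syntaxes Docker accepts.
DOCKERFILE = """\
FROM alpine:3.18
RUN apk add --no-cache nginx
VOLUME ["/var/cache/nginx", "/var/log/nginx"]
VOLUME /run/nginx
CMD ["nginx", "-g", "daemon off;"]
"""

# Constructed pod specs: the "before" runs with a writable rootfs and no
# mounts; the "after" sets readOnlyRootFilesystem and backs every VOLUME
# path with an emptyDir, which is what the PSP rollout asks of pod authors.
POD_BEFORE = {"spec": {"containers": [{"name": "web", "image": "example/nginx:1.0"}]}}

POD_AFTER = {"spec": {
    "containers": [{
        "name": "web", "image": "example/nginx:1.0",
        "securityContext": {"readOnlyRootFilesystem": True},
        "volumeMounts": [
            {"name": "cache", "mountPath": "/var/cache/nginx"},
            {"name": "logs", "mountPath": "/var/log"},      # parent dir covers /var/log/nginx
            {"name": "run", "mountPath": "/run/nginx"},
        ],
    }],
    "volumes": [
        {"name": "cache", "emptyDir": {}},
        {"name": "logs", "emptyDir": {}},
        {"name": "run", "emptyDir": {}},
    ],
}}


def dockerfile_volumes(text):
    """Return the mount points declared by VOLUME instructions, in order.

    Handles the JSON-array form and the whitespace-separated form; line
    continuations with a trailing backslash are not handled.
    """
    paths = []
    for line in text.splitlines():
        m = re.match(r"^\s*VOLUME\s+(.+?)\s*$", line, re.IGNORECASE)
        if not m:
            continue
        arg = m.group(1)
        if arg.startswith("["):
            paths.extend(json.loads(arg))
        else:
            paths.extend(arg.split())
    return paths


def _covered(path, mount_paths):
    """True if `path` is one of the mount points or lies beneath one."""
    p = path.rstrip("/") or "/"
    for mp in mount_paths:
        m = mp.rstrip("/") or "/"
        if p == m or m == "/" or p.startswith(m + "/"):
            return True
    return False


def check_pod(pod, volume_paths):
    """Return one violation string per problem found in the pod's containers."""
    declared = {v["name"] for v in pod["spec"].get("volumes", [])}
    violations = []
    for c in pod["spec"].get("containers", []):
        name = c["name"]
        if not c.get("securityContext", {}).get("readOnlyRootFilesystem"):
            violations.append(f"{name}: readOnlyRootFilesystem is not true")
        writable = []
        for vm in c.get("volumeMounts", []):
            if vm["name"] not in declared:
                violations.append(f"{name}: mount {vm['mountPath']} references undeclared volume {vm['name']}")
            elif not vm.get("readOnly"):       # a readOnly mount does not give the image a writable path
                writable.append(vm["mountPath"])
        for path in volume_paths:
            if not _covered(path, writable):
                violations.append(f"{name}: no writable volumeMount covering VOLUME {path}")
    return violations


if __name__ == "__main__":
    vols = dockerfile_volumes(DOCKERFILE)
    print("image VOLUMEs:", vols)
    for label, pod in (("before", POD_BEFORE), ("after", POD_AFTER)):
        print(label, check_pod(pod, vols) or "OK")
```

Running it reports four violations for the "before" pod (writable rootfs plus three uncovered VOLUME paths) and none for the "after" pod; the same function can be pointed at any pod spec your teams submit alongside the image's Dockerfile.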