Create `ReadOnlyRootFilesystem` PSP policy

flavio commented 2 years ago

Create a new Kubewarden policy that can be used to replace the ReadOnlyRootFilesystem official PSP.

Acceptance criteria

Implement a validating policy
The policy doesn't take any configuration value
The policy looks at the securityContext of all the Containers defined by a Pod
The policy blocks the creation of Pods that do not set the root filesystem to be readonly
The policy inspects: initContainers and spec.containers. Ephemeral containers cannot have a securityContext, hence we can ignore them

flavio commented 2 years ago

flavio commented 2 years ago

The policy has been released on the Policy Hub

flavio commented 2 years ago

@chrisns: JFYI, we've added this missing PSP. We're also currently working on the seccomp one.

Thanks a lot for the wonderful work you're doing with https://github.com/appvia/psp-migration