
ReadOnlyRootFilesystem

ReadOnlyRootFilesystem — practical walkthrough with examples.

First, delete any existing pod and recreate it from the manifest. `--grace-period 0 --force` removes the pod object from the API immediately instead of waiting for graceful termination; that is fine for a lab pod like this one, but it skips the normal shutdown of whatever the pod is running, so do not make it a habit on real workloads.

```shell
# k is the shell alias for kubectl used throughout this post
root@cks-master:~# k delete po immutable --grace-period 0 --force

root@cks-master:~# k create -f immutable.yaml
```

The pod spec below sets `readOnlyRootFilesystem: true`, which mounts the container's root filesystem read-only: any write outside an explicitly mounted volume, including to `/tmp`, fails with a "Read-only file system" error. The setting is per container, not per pod, so it has to be repeated on every container in the spec. Apache still needs one writable location at startup: it creates its PID file at `logs/httpd.pid` under `/usr/local/apache2` (hence the volume name `pid`), and the same directory is where the access and error logs would go if the configuration did not already send them to stdout and stderr, as the official `httpd` image does. Without the mount the container exits immediately because the PID file cannot be created. An `emptyDir` volume mounted at that directory is the single writable exception to the otherwise immutable filesystem; it is node-local scratch space that disappears with the pod, so keep the exception as narrow as the application allows.

```shell
cat immutable.yaml
```

```yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null   # emitted by kubectl --dry-run=client -o yaml, harmless
  labels:
    run: immutable
  name: immutable
spec:
  containers:
  - image: httpd
    name: immutable
    securityContext:
      readOnlyRootFilesystem: true   # root fs mounted read-only; writes outside volumes fail
    volumeMounts:
    - name: pid
      mountPath: "/usr/local/apache2/logs/"   # the only writable path: httpd.pid (and logs) land here
  volumes:
  - name: pid
    emptyDir: {}   # pod-scoped scratch space, discarded when the pod goes away
  dnsPolicy: ClusterFirst
  restartPolicy: Always
status: {}
```
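To confirm the setting holds at runtime rather than trusting the manifest alone, the script below is an added example and not part of the original post. It assumes `kubectl` on PATH (the post's `k` alias), the pod name `immutable` and the `/usr/local/apache2/logs/` mount taken from the manifest above; the probe file names and the `--run` switch are the script's own choices. It tries to create a file under `/tmp` (which is part of the read-only root, since no tmpfs is mounted there) and inside the emptyDir, classifying the result by the kernel's "Read-only file system" error, and it also reads the spec back to check that every container, not just the first, carries `readOnlyRootFilesystem: true`.

```shell
#!/bin/sh
# Added example (not from the original post): runtime check for the immutable pod.
# Assumes kubectl on PATH, a pod named "immutable", and the emptyDir mounted at LOG_DIR
# exactly as in the manifest above. Probe file names are arbitrary.
POD="${POD:-immutable}"
LOG_DIR="/usr/local/apache2/logs"

# Attempt to create (and remove) a file at path $2 inside pod $1.
# Prints: allowed - the write succeeded
#         denied  - the kernel refused with EROFS, i.e. what readOnlyRootFilesystem should produce
#         error   - anything else (pod missing, no shell in the image, ...)
probe_write() {
  pod="$1"; path="$2"
  if out=$(kubectl exec "$pod" -- sh -c "touch '$path' && rm -f '$path'" 2>&1); then
    echo allowed
  elif printf '%s\n' "$out" | grep -q 'Read-only file system'; then
    echo denied
  else
    printf '%s\n' "$out" >&2
    echo error
  fi
}

# Runtime expectation: the root filesystem (probed via /tmp, which has no tmpfs here)
# rejects writes, while the emptyDir at $LOG_DIR accepts them.
verify_immutable_pod() {
  pod="$1"
  root=$(probe_write "$pod" /tmp/.ro-probe)
  logs=$(probe_write "$pod" "$LOG_DIR/.rw-probe")
  if [ "$root" = denied ] && [ "$logs" = allowed ]; then
    echo "OK: $pod: root filesystem read-only, $LOG_DIR writable"
    return 0
  fi
  echo "FAIL: $pod: root=$root logs=$logs" >&2
  return 1
}

# Spec expectation: readOnlyRootFilesystem is a per-container field, so every
# container must set it. One "name=value" line per container; anything other
# than "=true" (including an empty value) fails the check.
spec_all_readonly() {
  if ! flags=$(kubectl get pod "$1" \
      -o jsonpath='{range .spec.containers[*]}{.name}={.securityContext.readOnlyRootFilesystem}{"\n"}{end}'); then
    return 1
  fi
  [ -n "$flags" ] || return 1
  ! printf '%s\n' "$flags" | grep -vq '=true$'
}

# Usage against a live cluster: sh verify-immutable.sh --run
if [ "${1:-}" = "--run" ]; then
  spec_all_readonly "$POD" && verify_immutable_pod "$POD"
fi
```

The spec check is deliberately separate from the runtime probe: a sidecar added later without the field would still pass a probe aimed only at the `immutable` container, but it would fail `spec_all_readonly`.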
This post is licensed under CC BY 4.0 by the author.