In retrospect, I think Kubernetes (and related tooling) made an unwise decision to allow-by-default execution of binaries that were added or modified after pod initialization.
I’d really like to see that change some day.
thomrstrom@triangletoot.party
If I could go back in time, I'd make containers get two mounts: one executable but not writeable (/bin) and one writeable but not executable (/data).
Making Kubernetes default to readOnlyRootFilesystem and requiring folks to add a second volume if they want to write is probably the best we can do, but as an API-breaking change, it won't happen.
I'm curious about what other ideas folks have pursued here to prevent new/modified binaries from executing in Kubernetes. It'd be fun to implement.
thomrstrom@triangletoot.party
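The "two mounts" shape described in the thread (a read-only root filesystem plus a separate, declared volume for writes) can be checked per Pod before admission. The following is an added example, not code from the poster or from Kubernetes: it holds two constructed Pod manifests as Python dicts, one written the common way and one following the pattern, and an `audit_pod` function (a hypothetical name) that reports every container whose `securityContext.readOnlyRootFilesystem` is not `true`, every mount that references an undeclared volume, and any writable mount placed over a conventional binary path. The image name `example.invalid/app:1.0` is a placeholder. What this check cannot see is whether the writable volume is mounted `noexec`: the Pod API does not express that for `emptyDir`, so the "not executable" half of the pattern has to be enforced at the node or runtime level.

```python
"""Audit a Kubernetes Pod spec for the read-only-root / writable-data-volume pattern.

Added example; manifests below are constructed, not taken from any real cluster.
"""
from typing import Any

# Constructed sample: a Pod as many are written today (root filesystem writable,
# so binaries added or modified after start can be executed).
WRITABLE_POD: dict[str, Any] = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "demo"},
    "spec": {
        "containers": [
            {"name": "app", "image": "example.invalid/app:1.0"},  # placeholder image
        ],
    },
}

# Constructed sample: the same Pod with an immutable root filesystem and a
# separate emptyDir mounted at /data for anything the process needs to write.
HARDENED_POD: dict[str, Any] = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "demo"},
    "spec": {
        "containers": [
            {
                "name": "app",
                "image": "example.invalid/app:1.0",  # placeholder image
                "securityContext": {"readOnlyRootFilesystem": True},
                "volumeMounts": [{"name": "data", "mountPath": "/data"}],
            },
        ],
        # emptyDir is writable; whether it is noexec depends on the node's
        # host mount, which the Pod API does not control.
        "volumes": [{"name": "data", "emptyDir": {}}],
    },
}

# Paths a container normally executes from; a writable mount here defeats
# the "executable but not writable" half of the pattern.
BINARY_PATHS = {"/bin", "/sbin", "/usr/bin", "/usr/sbin", "/usr/local/bin"}


def audit_pod(pod: dict[str, Any]) -> list[str]:
    """Return a list of findings; an empty list means the Pod follows the pattern.

    Hypothetical helper written for this example; it checks regular containers
    and initContainers alike, since either can run a freshly written binary.
    """
    findings: list[str] = []
    spec = pod.get("spec", {})
    declared = {v.get("name") for v in spec.get("volumes", [])}
    containers = list(spec.get("containers", [])) + list(spec.get("initContainers", []))

    for container in containers:
        name = container.get("name", "<unnamed>")
        security = container.get("securityContext") or {}

        # The root filesystem must be explicitly read-only; the Kubernetes
        # default (field absent) means writable.
        if security.get("readOnlyRootFilesystem") is not True:
            findings.append(f"{name}: readOnlyRootFilesystem is not true")

        for mount in container.get("volumeMounts", []):
            vol = mount.get("name")
            path = mount.get("mountPath", "")
            if vol not in declared:
                findings.append(f"{name}: mount {path} references undeclared volume {vol}")
            # A writable volume mounted over a binary directory reintroduces
            # the problem the read-only root filesystem was meant to remove.
            if not mount.get("readOnly") and path.rstrip("/") in BINARY_PATHS:
                findings.append(f"{name}: writable mount over binary path {path}")

    return findings


if __name__ == "__main__":
    for label, pod in (("writable", WRITABLE_POD), ("hardened", HARDENED_POD)):
        print(label, audit_pod(pod) or "ok")
```

Run as a script it prints one line per manifest; wired into an admission webhook or a CI step over rendered manifests, a non-empty result is the signal to reject or flag the Pod.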