If I could go back in time, I'd make containers get two mounts: one executable but not writeable (/bin) and one writeable but not executable (/data).
Making Kubernetes default to readOnlyRootFilesystem and requiring folks to add a second volume if they want to write is probably the best we can do, but as an API-breaking change, it won't happen.
I'm curious about what other ideas folks have pursued here to prevent new/modified binaries from executing in Kubernetes. It'd be fun to implement.
Posted by thomrstrom@triangletoot.party
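The pattern described in the post (read-only root filesystem, writes only through an explicitly mounted data volume) is easy to check for in manifests before they reach a cluster. The following is an added example, not code from the post or from Kubernetes: a small audit that takes Pod manifests already parsed into Python dicts (what `yaml.safe_load` or `json.loads` of a manifest yields), flags every container, init containers included, whose `securityContext.readOnlyRootFilesystem` is not `true`, and flags writable volume mounts placed over the usual binary directories, since a writable volume at `/bin` would undo the point of the read-only root. The field names are real Kubernetes Pod API fields; the two manifests and the image name are constructed samples.

```python
"""Audit Pod manifests for the read-only-root / writable-data-volume pattern.

Added example, not code from the post. Manifests are handled as dicts so the
script runs offline with only the standard library.
"""
from typing import Dict, List

# Directories a writable volume should not shadow: binaries live here, and
# the goal is that nothing in the container can write an executable.
BINARY_DIRS = ("/", "/bin", "/sbin", "/usr", "/usr/bin", "/usr/sbin", "/usr/local/bin")


def writable_mounts(container: Dict) -> List[str]:
    """Mount paths the container can write to (volumeMounts not marked readOnly)."""
    return [
        m["mountPath"]
        for m in container.get("volumeMounts", [])
        if not m.get("readOnly", False)
    ]


def audit_pod(pod: Dict) -> List[str]:
    """Return one finding per problem. An empty list means every container
    has readOnlyRootFilesystem: true and writes only through data volumes
    that do not sit on top of a binary directory."""
    findings: List[str] = []
    pod_name = pod.get("metadata", {}).get("name", "<unnamed>")
    spec = pod.get("spec", {})
    # readOnlyRootFilesystem is a container-level field only; there is no
    # Pod-level equivalent, so both container lists must be checked.
    containers = spec.get("initContainers", []) + spec.get("containers", [])
    for c in containers:
        ref = f"{pod_name}/{c.get('name', '<unnamed>')}"
        sc = c.get("securityContext", {})
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append(
                f"{ref}: root filesystem is writable "
                "(set securityContext.readOnlyRootFilesystem: true)"
            )
        for path in writable_mounts(c):
            if path.rstrip("/") in BINARY_DIRS or path == "/":
                findings.append(
                    f"{ref}: writable volume mounted over binary directory {path}"
                )
    return findings


# Constructed sample manifests (image name is a placeholder).
GOOD_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "good-app"},
    "spec": {
        "containers": [{
            "name": "app",
            "image": "registry.example.invalid/app:1.0",
            "securityContext": {
                "readOnlyRootFilesystem": True,
                "allowPrivilegeEscalation": False,
            },
            # The "second volume": the only writable location in the container.
            "volumeMounts": [{"name": "data", "mountPath": "/data"}],
        }],
        "volumes": [{"name": "data", "emptyDir": {}}],
    },
}

BAD_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "bad-app"},
    "spec": {
        "containers": [{
            "name": "app",
            "image": "registry.example.invalid/app:1.0",
            # No securityContext at all: root filesystem stays writable.
            "volumeMounts": [{"name": "tools", "mountPath": "/usr/local/bin"}],
        }],
        "volumes": [{"name": "tools", "emptyDir": {}}],
    },
}


if __name__ == "__main__":
    for pod in (GOOD_POD, BAD_POD):
        name = pod["metadata"]["name"]
        problems = audit_pod(pod)
        print(f"{name}: {'OK' if not problems else ''}")
        for p in problems:
            print("  -", p)
```

Running the script reports `good-app: OK` and two findings for `bad-app` (writable root filesystem, and a writable volume over `/usr/local/bin`). The same `audit_pod` function can be pointed at the output of `kubectl get pods -o json` by iterating over its `items` list.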