Toot

Written by T Strömberg 🚲🌳🛵 on 2024-12-19 at 18:12

If I could go back in time, I'd make containers get two mounts: one executable but not writeable (/bin) and one writeable but not executable (/data).

Making Kubernetes default to readOnlyRootFilesystem and requiring folks to add a second volume if they want to write is probably the best we can do, but as an API-breaking change, it won't happen.

I'm curious about what other ideas folks have pursued here to prevent new/modified binaries from executing in Kubernetes. It'd be fun to implement.
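One way to make the toot's two-mount model checkable is a small audit over a Pod spec: every container must set `readOnlyRootFilesystem: true`, and any writable `volumeMount` must sit outside the paths where executables live. The script below is an added example, not code from the post's author; the list of "executable" path prefixes, the function names and the two sample Pod specs are assumptions constructed for illustration. Note that a read-only root filesystem stops modification of the image's binaries but does not by itself stop a process from writing a binary to the data volume and running it from there; that is exactly the gap the toot is asking about, and this audit only enforces the separation, not `noexec`.

```python
"""Audit Kubernetes Pod specs against a two-mount model:
executable paths read-only, writable paths only via explicit volumes.
Added example; not part of the original toot."""
from typing import List

# Path prefixes treated as "executable territory". This list is an assumption
# for the example, not a Kubernetes rule.
EXEC_PREFIXES = ("/bin", "/sbin", "/usr", "/lib", "/lib64", "/opt")


def _under(path: str, prefix: str) -> bool:
    """True if path equals prefix or lies beneath it."""
    return path == prefix or path.startswith(prefix.rstrip("/") + "/")


def audit_container(container: dict) -> List[str]:
    """Return findings for one container; an empty list means it follows the model."""
    findings: List[str] = []
    name = container.get("name", "<unnamed>")
    sc = container.get("securityContext") or {}
    # Rule 1: the image's root filesystem must not be writable.
    if sc.get("readOnlyRootFilesystem") is not True:
        findings.append(f"{name}: readOnlyRootFilesystem is not true; root filesystem is writable")
    # Rule 2: writable mounts must not overlap the executable paths.
    for vm in container.get("volumeMounts") or []:
        path = vm.get("mountPath", "")
        if vm.get("readOnly") is True:
            continue
        if any(_under(path, p) for p in EXEC_PREFIXES):
            findings.append(f"{name}: writable mount at {path} overlaps an executable path")
    return findings


def audit_pod(pod: dict) -> List[str]:
    """Audit init containers and regular containers of a Pod-shaped dict."""
    spec = pod.get("spec") or {}
    containers = (spec.get("initContainers") or []) + (spec.get("containers") or [])
    findings: List[str] = []
    for c in containers:
        findings.extend(audit_container(c))
    return findings


# Constructed sample: the common default, writable root and a writable mount under /usr.
WEAK_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "example-weak"},
    "spec": {
        "containers": [
            {
                "name": "app",
                "image": "example.invalid/app:1.0",  # placeholder image reference
                "volumeMounts": [{"name": "plugins", "mountPath": "/usr/local/plugins"}],
            }
        ],
        "volumes": [{"name": "plugins", "emptyDir": {}}],
    },
}

# Constructed sample following the toot's model: read-only root, writable /data only.
HARDENED_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "example-hardened"},
    "spec": {
        "containers": [
            {
                "name": "app",
                "image": "example.invalid/app:1.0",  # placeholder image reference
                "securityContext": {"readOnlyRootFilesystem": True},
                "volumeMounts": [
                    {"name": "data", "mountPath": "/data"},
                    {"name": "config", "mountPath": "/etc/app", "readOnly": True},
                ],
            }
        ],
        "volumes": [{"name": "data", "emptyDir": {}}, {"name": "config", "configMap": {"name": "app-config"}}],
    },
}

if __name__ == "__main__":
    for pod in (WEAK_POD, HARDENED_POD):
        print(pod["metadata"]["name"], audit_pod(pod) or "OK")
```

Running it prints two findings for the weak Pod (writable root, writable mount under `/usr`) and `OK` for the hardened one. In a real setup the same two rules are what an admission policy would enforce cluster-wide, which is the non-breaking alternative to changing the API default.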

Original URL: gemini://mastogem.picasoft.net/toot/113680838199461465