
How to Use Read Only Root Filesystem in Kubernetes Pods

To use a readOnlyRootFilesystem in Kubernetes, set securityContext.readOnlyRootFilesystem: true in each container's spec (the field is container-level; there is no pod-level equivalent). The container runtime then mounts the container's root filesystem read-only, so a process inside the container, including one an attacker has taken over, cannot modify the binaries, libraries or configuration shipped in the image, and cannot drop new files anywhere except on an explicitly mounted writable volume.

Syntax

The readOnlyRootFilesystem field is part of the securityContext in a container spec. Setting it to true makes the container's root filesystem read-only.

Key parts:

  • securityContext: Defines security settings for the container.
  • readOnlyRootFilesystem: true: Enforces read-only root filesystem.
```yaml
containers:
- name: example-container
  image: nginx
  securityContext:
    readOnlyRootFilesystem: true
```

Example

This example shows a pod spec with a single container running nginx. The container's root filesystem is read-only, so it cannot write to the image's own filesystem, but it can still write to any mounted volume that is itself writable. The official nginx image needs more than its cache directory: at startup nginx also creates its pid file under /var/run, so the example mounts an emptyDir there as well. With only /var/cache/nginx writable, nginx would exit with a "Read-only file system" error on /var/run/nginx.pid.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: readonly-rootfs-pod
spec:
  containers:
  - name: nginx
    image: nginx:1.23.3
    securityContext:
      readOnlyRootFilesystem: true
    volumeMounts:
    - name: writable-data
      mountPath: /var/cache/nginx   # temp/cache files written by nginx workers
    - name: run
      mountPath: /var/run           # nginx.pid written by the master process
  volumes:
  - name: writable-data
    emptyDir: {}
  - name: run
    emptyDir: {}
```
Output
Pod 'readonly-rootfs-pod' runs with the nginx container's root filesystem mounted read-only; writes to /var/cache/nginx and /var/run succeed because both are backed by writable emptyDir volumes, while a write anywhere else (for example /etc/nginx or /usr/share/nginx/html) fails with "Read-only file system".

Common Pitfalls

Common mistakes when using readOnlyRootFilesystem include:

  • Not providing writable volumes for paths where the application needs to write data (scratch files, caches, pid files, logs), causing runtime errors or crash loops.
  • Setting readOnlyRootFilesystem at the pod level instead of the container level. The field exists only in the container-level securityContext; a pod-level entry is not a valid PodSecurityContext field and protects no container.
  • Assuming mounted volumes are also read-only. The setting covers only the container's root filesystem; emptyDir, hostPath and other volumes stay writable unless the volumeMount sets readOnly: true.
  • Forgetting to test the container behavior after enabling this setting, which can break apps expecting write access to the root filesystem. Check the container logs for "Read-only file system" errors.
```yaml
# Broken: /tmp lives on the image's root filesystem, which is now read-only.
# The shell exits with: sh: can't create /tmp/testfile: Read-only file system
containers:
- name: bad-example
  image: busybox
  securityContext:
    readOnlyRootFilesystem: true
  command: ["sh", "-c", "echo 'test' > /tmp/testfile"]
```

Correct approach: back /tmp with a writable emptyDir volume so only that path accepts writes.

```yaml
containers:
- name: good-example
  image: busybox
  securityContext:
    readOnlyRootFilesystem: true
  volumeMounts:
  - name: tmp-volume
    mountPath: /tmp
  command: ["sh", "-c", "echo 'test' > /tmp/testfile"]
volumes:
- name: tmp-volume
  emptyDir: {}
```
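Because the field is easy to put in the wrong place and volumes quietly stay writable, it helps to audit running pods rather than trust the manifest. The following script is an added example, not code from the original page or from the Kubernetes project: it reads the JSON that `kubectl get pods -A -o json` prints (piped on stdin) and reports every container whose root filesystem is still writable, every pod that carries the field at the ineffective pod level, and, for containers that are correctly locked down, which mount paths remain writable. The embedded pod list is constructed for the example and its pod and volume names are hypothetical.

```python
"""Audit Pod objects for readOnlyRootFilesystem coverage.

Usage:  kubectl get pods -A -o json | python3 audit_rootfs.py
Run with no stdin redirect to audit the constructed sample below.
"""
import json
import sys
from typing import Any, Dict, List

# Constructed sample in the shape of `kubectl get pods -o json` output.
# Names are hypothetical; the pod-level securityContext entry on the second
# pod is deliberately wrong to show the check firing.
SAMPLE_PODLIST: Dict[str, Any] = {
    "kind": "PodList",
    "items": [
        {
            "metadata": {"name": "readonly-rootfs-pod", "namespace": "default"},
            "spec": {
                "containers": [{
                    "name": "nginx",
                    "image": "nginx:1.23.3",
                    "securityContext": {"readOnlyRootFilesystem": True},
                    "volumeMounts": [
                        {"name": "writable-data", "mountPath": "/var/cache/nginx"},
                        {"name": "run", "mountPath": "/var/run"},
                        {"name": "config", "mountPath": "/etc/nginx/conf.d", "readOnly": True},
                    ],
                }],
                "volumes": [
                    {"name": "writable-data", "emptyDir": {}},
                    {"name": "run", "emptyDir": {}},
                    {"name": "config", "configMap": {"name": "nginx-conf"}},
                ],
            },
        },
        {
            "metadata": {"name": "bad-example", "namespace": "default"},
            "spec": {
                "securityContext": {"readOnlyRootFilesystem": True},  # pod level: no effect
                "initContainers": [{
                    "name": "init", "image": "busybox",
                    "securityContext": {"readOnlyRootFilesystem": False},
                }],
                "containers": [{"name": "app", "image": "busybox"}],  # no securityContext at all
            },
        },
    ],
}


def volume_types(spec: Dict[str, Any]) -> Dict[str, str]:
    """Map each volume name to its type key (emptyDir, configMap, hostPath, ...)."""
    types: Dict[str, str] = {}
    for vol in spec.get("volumes", []):
        types[vol["name"]] = next((k for k in vol if k != "name"), "unknown")
    return types


def audit_pod(pod: Dict[str, Any]) -> List[str]:
    """Return human-readable findings for one Pod object."""
    findings: List[str] = []
    meta = pod.get("metadata", {})
    label = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
    spec = pod.get("spec", {})

    # Pitfall: the field is not part of PodSecurityContext, so a pod-level entry
    # protects nothing. The API server prunes or rejects it, so this mostly
    # fires when auditing manifest files rather than live objects.
    if "readOnlyRootFilesystem" in spec.get("securityContext", {}):
        findings.append(f"{label}: readOnlyRootFilesystem at pod level has no effect; "
                        "move it under each container's securityContext")

    vtypes = volume_types(spec)
    for group in ("initContainers", "containers"):
        for c in spec.get(group, []):
            cname = f"{label}[{c.get('name')}]"
            if c.get("securityContext", {}).get("readOnlyRootFilesystem") is not True:
                findings.append(f"{cname}: root filesystem is writable "
                                "(readOnlyRootFilesystem not true)")
                continue
            # Root fs is locked; list what an attacker could still write to.
            writable = [f"{m['mountPath']} ({vtypes.get(m['name'], 'unknown')})"
                        for m in c.get("volumeMounts", []) if not m.get("readOnly", False)]
            if writable:
                findings.append(f"{cname}: root filesystem read-only; writable mounts: "
                                + ", ".join(writable))
    return findings


def audit(obj: Dict[str, Any]) -> List[str]:
    """Audit a single Pod or a PodList (what `kubectl get pods -o json` returns)."""
    pods = obj.get("items", []) if obj.get("kind") == "PodList" else [obj]
    out: List[str] = []
    for pod in pods:
        out.extend(audit_pod(pod))
    return out


if __name__ == "__main__":
    data = SAMPLE_PODLIST if sys.stdin.isatty() else json.load(sys.stdin)
    for line in audit(data):
        print(line)
```

A clean cluster produces only "root filesystem read-only; writable mounts: ..." lines, and each of those lists the scratch directories you consciously chose to expose; anything else in the output is a container to fix.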

Quick Reference

| Field | Description | Example Value |
|---|---|---|
| securityContext.readOnlyRootFilesystem | Makes the container's root filesystem read-only | true |
| volumeMounts | Mount writable volumes at the paths that need write access | - mountPath: /tmp |
| volumes | Define the volumes that provide writable storage | - emptyDir: {} |

Key Takeaways

Set securityContext.readOnlyRootFilesystem: true in each container spec (not at pod level) to make the container's root filesystem read-only.
Provide writable volumes, typically emptyDir, only for the paths where the container actually needs to write data (caches, pid files, scratch space); everything else stays read-only.
Test your container thoroughly after enabling this, watching the container logs for "Read-only file system" errors, to avoid runtime failures.
This setting improves security by preventing unwanted writes to the container's root filesystem, such as an attacker replacing binaries or dropping tooling into the image; it does not make mounted volumes read-only, so keep writable mounts to a minimum.