Question 19: Immutable Root FileSystem

Problem Statement

Solve this question on: ssh cks7262

The Deployment immutable-deployment in Namespace team-purple should run immutable, it's created from file /opt/course/19/immutable-deployment.yaml on cks7262. Even after a successful break-in, it shouldn't be possible for an attacker to modify the filesystem of the running container.

Tasks:

  1. Modify the Deployment in a way that no processes inside the container can modify the local filesystem
  2. Only /tmp directory should be writeable
  3. Don't modify the Docker image
  4. Save the updated YAML under /opt/course/19/immutable-deployment-new.yaml on cks7262
  5. Update the running Deployment

Solution

Step 1: Examine Current Deployment

First, let's check the current Deployment configuration:

➜ ssh cks7262

➜ candidate@cks7262:~# k -n team-purple edit deploy -o yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: team-purple
  name: immutable-deployment
  labels:
    app: immutable-deployment
  ...
spec:
  replicas: 1
  selector:
    matchLabels:
      app: immutable-deployment
  template:
    metadata:
      labels:
        app: immutable-deployment
    spec:
      containers:
      - image: busybox:1.32.0
        command: ['sh', '-c', 'tail -f /dev/null']
        imagePullPolicy: IfNotPresent
        name: busybox
      restartPolicy: Always

The container currently has write access to its root filesystem, because the container has no securityContext and therefore no restrictions.

Step 2: Create Updated Deployment YAML

Create a copy of the original YAML file and modify it:

➜ candidate@cks7262:~# cp /opt/course/19/immutable-deployment.yaml /opt/course/19/immutable-deployment-new.yaml

➜ candidate@cks7262:~# vim /opt/course/19/immutable-deployment-new.yaml

Update the Deployment configuration to make the root filesystem read-only and allow only /tmp to be writable:

apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: team-purple
  name: immutable-deployment
  labels:
    app: immutable-deployment
spec:
  replicas: 1
  selector:
    matchLabels:
      app: immutable-deployment
  template:
    metadata:
      labels:
        app: immutable-deployment
    spec:
      containers:
      - image: busybox:1.32.0
        command: ['sh', '-c', 'tail -f /dev/null']
        imagePullPolicy: IfNotPresent
        name: busybox
        securityContext:                  # add
          readOnlyRootFilesystem: true    # add
        volumeMounts:                     # add
        - mountPath: /tmp                 # add
          name: temp-vol                  # add
      volumes:                            # add
      - name: temp-vol                    # add
        emptyDir: {}                      # add
      restartPolicy: Always

The changes include:

  • Adding a securityContext with readOnlyRootFilesystem: true
  • Adding a volumeMount for the /tmp directory
  • Adding an emptyDir volume for temporary storage

Step 3: Apply the Changes

Update the running Deployment with the new configuration:

➜ candidate@cks7262:~# k delete -f /opt/course/19/immutable-deployment-new.yaml
deployment.apps "immutable-deployment" deleted

➜ candidate@cks7262:~# k create -f /opt/course/19/immutable-deployment-new.yaml
deployment.apps/immutable-deployment created

Step 4: Verify the Changes

Test the read-only filesystem by attempting to create files in different locations:

➜ candidate@cks7262:~# k -n team-purple exec immutable-deployment-5f4865fbf-7ckkj -- touch /abc.txt
touch: /abc.txt: Read-only file system
command terminated with exit code 1

➜ candidate@cks7262:~# k -n team-purple exec immutable-deployment-5f4865fbf-7ckkj -- touch /var/abc.txt
touch: /var/abc.txt: Read-only file system
command terminated with exit code 1

➜ candidate@cks7262:~# k -n team-purple exec immutable-deployment-5f4865fbf-7ckkj -- touch /etc/abc.txt
touch: /etc/abc.txt: Read-only file system
command terminated with exit code 1

➜ candidate@cks7262:~# k -n team-purple exec immutable-deployment-5f4865fbf-7ckkj -- touch /tmp/abc.txt

➜ candidate@cks7262:~# k -n team-purple exec immutable-deployment-5f4865fbf-7ckkj -- ls /tmp
abc.txt

The tests confirm that:

  • The root filesystem is read-only
  • Only the /tmp directory is writable
  • The changes have been successfully applied
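
The manual touch tests above check the running container; the same two properties can also be checked against the Deployment spec before it is applied. The following is an added example, not part of the exercise or its solution: it audits each container for readOnlyRootFilesystem: true and for writable mounts that are anything other than an emptyDir at /tmp. The Deployment is passed as a Python dict mirroring the YAML above; build_deployment and the sample volume names are constructed for the example.

```python
# Added example: audit a Deployment spec for the two properties this task
# requires, per container: readOnlyRootFilesystem is true, and the only
# writable mount is /tmp, backed by an emptyDir so nothing persists.
# The Deployment is passed as a dict mirroring the YAML above (constructed).

def audit_immutable(deployment, allowed_writable=("/tmp",)):
    """Return a list of findings; an empty list means the spec is compliant."""
    findings = []
    pod_spec = deployment["spec"]["template"]["spec"]
    volumes = {v["name"]: v for v in pod_spec.get("volumes", [])}
    for c in pod_spec.get("containers", []):
        name = c["name"]
        sc = c.get("securityContext") or {}
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append(f"{name}: readOnlyRootFilesystem is not true")
        for m in c.get("volumeMounts", []):
            if m.get("readOnly"):
                continue  # a read-only mount cannot be used to persist changes
            path = m["mountPath"]
            if path not in allowed_writable:
                findings.append(f"{name}: writable mount {path} is not allowed")
            vol = volumes.get(m["name"])
            if vol is None or "emptyDir" not in vol:
                findings.append(f"{name}: mount {path} is not backed by an emptyDir")
    return findings


def build_deployment(container_extra=None, volumes=None):
    """Constructed sample spec mirroring the busybox Deployment from the task."""
    c = {"name": "busybox", "image": "busybox:1.32.0",
         "command": ["sh", "-c", "tail -f /dev/null"]}
    c.update(container_extra or {})
    pod_spec = {"containers": [c], "restartPolicy": "Always"}
    if volumes:
        pod_spec["volumes"] = volumes
    return {"apiVersion": "apps/v1", "kind": "Deployment",
            "spec": {"replicas": 1, "template": {"spec": pod_spec}}}


ORIGINAL = build_deployment()                     # as found in Step 1
FIXED = build_deployment(                         # as written in Step 2
    {"securityContext": {"readOnlyRootFilesystem": True},
     "volumeMounts": [{"mountPath": "/tmp", "name": "temp-vol"}]},
    [{"name": "temp-vol", "emptyDir": {}}])

if __name__ == "__main__":
    print(audit_immutable(ORIGINAL))  # ['busybox: readOnlyRootFilesystem is not true']
    print(audit_immutable(FIXED))     # []
```

A writable hostPath or persistentVolumeClaim mount is reported as well, since it would give a break-in a place to persist changes even with a read-only root.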

Summary of changes:

  • Made the root filesystem read-only using securityContext
  • Added a writable /tmp directory using an emptyDir volume
  • Updated the Deployment with the new configuration
  • Verified the changes through testing

Security Note: Making the root filesystem read-only is an important security measure that prevents attackers from modifying system files even if they gain access to the container. This is part of the principle of least privilege and helps maintain container immutability.