Skip to main content

Kubernetes Security: Immutable Deployment - Deploy Container with ReadOnly-Filesystem and Writable-Volume

296 words·
Kubernetes Kubectl
Table of Contents
Kubernetes-Components - This article is part of a series.
Part 1: Rancher Kubernetes Management Platform: Cert Manager Helm Deployment, Rancher Helm Deployment with Rancher CA certificate, Export Root CA Certificate, Ingress Resource, Access Rancher with TLS Encryption
Part 2: Velero Open-Source Kubernetes Backups: Velero Helm Deployment, Backup and Restore a Kubernetes Namespace from an AWS S3 Bucket
Part 3: Kubernetes Deployment Components: Pods - Multi Container Pod Example, Container Networking Within a Pod; Replication Controller; Services - ClusterIP, NodePort & LoadBalancer Services, Services for Pods, Replication Controllers, External Resources & Deployments
Part 4: Kubernetes Resource Management: Define Resource Requests and Limits; Deploy Kubernetes Metrics Server, Verify Resource Usage with kubectl top
Part 5: This Article
Part 6: Kubernetes Security: Pod Security Admission (PSA) - Overview, Enforce Pod Security Standard at a Namespace; Example Nginx Pod SecurityContext for Restricted PSS
Part 7: Kubernetes Volumes: Nginx Pod and Deployment Examples with NFS Volume, Pod and Deployment Examples with EmptyDir Volume, Deployment Example with PersistentVolume, External Storage Provider with NFS
Part 8: Kubernetes Secrets: Opaque Secret Configuration, Pod Examples with Environment Variable Secrets and Volume Secrets; SSH Authentication Secret with Pod Example
Part 9: Kubernetes Horizontal Pod Autoscaling: Install Kubernetes Metrics Server, Example Deployment with Horizontal Pod Autoscaler (HPA)
Part 10: Kubernetes DNS: CoreDNS custom Hosts entry (K3s & K8s Version), Deployment with custom Hosts entry; Backup and Restore the CoreDNS ConfigMap; DNS Troubleshooting
Part 11: Kubernetes Liveness & Readiness Probes: TCP Readiness Probes (Single Pod and Multi Pod Dependency), TCP Liveness Probe
Part 12: Kubernetes Network Policies: Ingress and Egress Policy Examples
Part 13: Kubernetes Role Based Access Control (RBAC): RBAC Overview, Create Service Account, Example Role and RoleBinding
Part 14: Kubernetes Kubeconfig: Create example Kubeconfig with new (RBAC) Service Account and ClusterRole / ClusterRole Binding
Part 15: Kubernetes Container Storage Interface (CSI): NFS CSI Driver Example, Dynamically create PersistentVolumes using a CSI StorageClass and PVC
Part 16: Kubernetes Container Storage Interface (CSI): Ceph CSI Driver Example, Dynamically provision RBD Images in a Ceph Storage Pool
Part 17: Kubernetes Container Storage Interface (CSI): Longhorn Distributed Block Storage System - Deploy Longhorn via Helm Chart, Define Custom Storage Mountpoints; StorageClass & PVC Example
Part 18: Kubernetes Container Storage Interface (CSI): Samba - Deploy SMB CSI via Helm, Create example PVC and Pod
Part 19: Kubernetes Etcd Snapshot: Etcd Snapshot and Restore with Etcdctl, Verify Etcd Member Health; Etcdctl Commands
Part 20: Kubernetes Helm Charts: Create a Custom Helm Chart
Part 21: Kubernetes Kustomize: Kustomize Configuration Management Example
Part 22: Kubernetes ReplicaSets & DaemonSets: Overview, Example ReplicaSets and DaemonSets with and without NodeSelector & Node Labeling
Part 23: Kubernetes Jobs: Jobs Overview, Basic Non-parallel & Parallel Job Examples; CronJob & RBAC Example that Restarts a Deployment
Part 24: Kubernetes Commands: Cluster Nodes, Namespaces, LimitRange Resource Limits, Pods, Deployments, Replication Controllers, Services, HPA, Secrets, Cronjobs, Helm, Logs, K9s TUI

Immutable Deployment
#

Create Namespace
# 

# Create a new namespace for the deployment
kubectl create ns example-namespace

Deployment Manifest
#

In this deployment, the container will have an immutable root filesystem, with the exception of the /tmp directory, which remains writable.

# Create manifest for the deployment
vi immutable-deployment.yaml

apiVersion: apps/v1
kind: Deployment
metadata:
  name: immutable-deployment
  namespace: example-namespace
  labels:
    app: some-pod
spec:
  replicas: 1
  selector:
    matchLabels:
      app: some-pod
  template:
    metadata:
      labels:
        app: some-pod
    spec:
      containers:
        - name: busybox
          image: busybox:latest
          command: ['sh', '-c', 'tail -f /dev/null']
          imagePullPolicy: IfNotPresent
          securityContext:
            readOnlyRootFilesystem: true
          volumeMounts:
            - name: tmp-volume
              mountPath: /tmp
      volumes:
        - name: tmp-volume
          emptyDir: {}
      restartPolicy: Always

# Deploy the manifest
kubectl apply -f immutable-deployment.yaml

Deployment details:

  • command: ['sh', '-c', 'tail -f /dev/null'] Keeps the container alive by running an infinite tail on “/dev/null”

  • readOnlyRootFilesystem: true Set the container root filesystem to “read-only”

  • The “emptyDir” volume type only exists as long as the Pod exists, but it allows data written to /tmp to be modified by processes within the container


Verify the Deployment
# 

# List all resources in the "example-namespace" namespace with the label "app=some-pod"
kubectl get all -l app=some-pod -n example-namespace

# Shell output:
NAME                                       READY   STATUS    RESTARTS   AGE
pod/immutable-deployment-96b948b78-6x6v4   1/1     Running   0          37s

NAME                                   READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/immutable-deployment   1/1     1            1           37s

NAME                                             DESIRED   CURRENT   READY   AGE
replicaset.apps/immutable-deployment-96b948b78   1         1         1       37s

Verify the Immutable Filesystem
# 

# Access the busybox container terminal
kubectl exec -it immutable-deployment-96b948b78-6x6v4 -n example-namespace -- sh

Verify the “/tmp” directory is writeable:

# Create file
touch /tmp/file1

# List files
ls /tmp

# Shell output:
file1

Verify the root filesystem is read-only:

# Create file
touch /var/file1

# Shell output:
touch: /var/file1: Read-only file system

Exit the container terminal:

exit

Delete the Deployment
# 

kubectl delete -f immutable-deployment.yaml
Kubernetes-Components - This article is part of a series.
Part 1: Rancher Kubernetes Management Platform: Cert Manager Helm Deployment, Rancher Helm Deployment with Rancher CA certificate, Export Root CA Certificate, Ingress Resource, Access Rancher with TLS Encryption
Part 2: Velero Open-Source Kubernetes Backups: Velero Helm Deployment, Backup and Restore a Kubernetes Namespace from an AWS S3 Bucket
Part 3: Kubernetes Deployment Components: Pods - Multi Container Pod Example, Container Networking Within a Pod; Replication Controller; Services - ClusterIP, NodePort & LoadBalancer Services, Services for Pods, Replication Controllers, External Resources & Deployments
Part 4: Kubernetes Resource Management: Define Resource Requests and Limits; Deploy Kubernetes Metrics Server, Verify Resource Usage with kubectl top
Part 5: This Article
Part 6: Kubernetes Security: Pod Security Admission (PSA) - Overview, Enforce Pod Security Standard at a Namespace; Example Nginx Pod SecurityContext for Restricted PSS
Part 7: Kubernetes Volumes: Nginx Pod and Deployment Examples with NFS Volume, Pod and Deployment Examples with EmptyDir Volume, Deployment Example with PersistentVolume, External Storage Provider with NFS
Part 8: Kubernetes Secrets: Opaque Secret Configuration, Pod Examples with Environment Variable Secrets and Volume Secrets; SSH Authentication Secret with Pod Example
Part 9: Kubernetes Horizontal Pod Autoscaling: Install Kubernetes Metrics Server, Example Deployment with Horizontal Pod Autoscaler (HPA)
Part 10: Kubernetes DNS: CoreDNS custom Hosts entry (K3s & K8s Version), Deployment with custom Hosts entry; Backup and Restore the CoreDNS ConfigMap; DNS Troubleshooting
Part 11: Kubernetes Liveness & Readiness Probes: TCP Readiness Probes (Single Pod and Multi Pod Dependency), TCP Liveness Probe
Part 12: Kubernetes Network Policies: Ingress and Egress Policy Examples
Part 13: Kubernetes Role Based Access Control (RBAC): RBAC Overview, Create Service Account, Example Role and RoleBinding
Part 14: Kubernetes Kubeconfig: Create example Kubeconfig with new (RBAC) Service Account and ClusterRole / ClusterRole Binding
Part 15: Kubernetes Container Storage Interface (CSI): NFS CSI Driver Example, Dynamically create PersistentVolumes using a CSI StorageClass and PVC
Part 16: Kubernetes Container Storage Interface (CSI): Ceph CSI Driver Example, Dynamically provision RBD Images in a Ceph Storage Pool
Part 17: Kubernetes Container Storage Interface (CSI): Longhorn Distributed Block Storage System - Deploy Longhorn via Helm Chart, Define Custom Storage Mountpoints; StorageClass & PVC Example
Part 18: Kubernetes Container Storage Interface (CSI): Samba - Deploy SMB CSI via Helm, Create example PVC and Pod
Part 19: Kubernetes Etcd Snapshot: Etcd Snapshot and Restore with Etcdctl, Verify Etcd Member Health; Etcdctl Commands
Part 20: Kubernetes Helm Charts: Create a Custom Helm Chart
Part 21: Kubernetes Kustomize: Kustomize Configuration Management Example
Part 22: Kubernetes ReplicaSets & DaemonSets: Overview, Example ReplicaSets and DaemonSets with and without NodeSelector & Node Labeling
Part 23: Kubernetes Jobs: Jobs Overview, Basic Non-parallel & Parallel Job Examples; CronJob & RBAC Example that Restarts a Deployment
Part 24: Kubernetes Commands: Cluster Nodes, Namespaces, LimitRange Resource Limits, Pods, Deployments, Replication Controllers, Services, HPA, Secrets, Cronjobs, Helm, Logs, K9s TUI