terraform-ibm-modules/terraform-ibm-mas

Trivy misconfig : Use Readonly Filesystem

Opened this issue · 1 comments

Issue: https://avd.aquasec.com/misconfig/kubernetes/general/avd-ksv-0014/

Root file system is not read-only

An immutable root file system prevents applications from writing to their local disk. This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.

Links - https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/


Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"

FAILED for resource: Job.mas-inst1-pipelines.mas-deploy-job
File: /chart/deploy-mas/mas-deploy/templates/01-deploy-mas.yaml:95-327

Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21

This violation cannot be fixed; please find the details below.

The helm template will invoke a job which in turn calls mas cli functions to install MAS.
The mas cli function logic creates temporary files using syntax like the one below.
cat << EOF > $HOME/.ibm-mas/cli.env

Setting the file system as read-only will break this logic.

Below is the error message received when the file system is set as read-only.

/mascli/functions/install: line 35: cannot create temp file for here-document: Read-only file system
/mascli/functions/install: line 36: cannot create temp file for here-document: Read-only file system

Error: IBM Maximo Operator Catalog  is already installed on this cluster.
If you wish to install a new MAS instance using the v8-240227-amd64 catalog please first run "mas update" to switch to this catalog, this will ensure the appropriate actions are performed as part of the catalog update.

/mascli/functions/internal/save_config: line 14: cannot create temp file for here-document: Read-only file system
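One way to satisfy the scanner check while keeping the here-document logic working, as an added example that is not code from the terraform-ibm-modules/terraform-ibm-mas chart or from the issue participants: keep `readOnlyRootFilesystem: true` and mount writable `emptyDir` volumes only at the paths the CLI writes to. The container name, the image placeholder and the HOME path are assumptions; the page confirms only that the CLI writes under `$HOME/.ibm-mas` and that bash here-documents need a writable temporary directory (bash stores here-document bodies in a temp file under `$TMPDIR`, `/tmp` by default, which is exactly the "cannot create temp file for here-document" failure above).

```yaml
# Added example, not from the terraform-ibm-mas repository or the issue thread.
# A Job pod spec that keeps the image's root filesystem immutable and gives the
# CLI the writable scratch space it needs. Names, image and HOME are assumptions.
apiVersion: batch/v1
kind: Job
metadata:
  name: mas-deploy-job-example          # placeholder name
spec:
  template:
    spec:
      restartPolicy: Never
      containers:
        - name: mas-cli                  # assumed container name
          image: REPLACE_WITH_MAS_CLI_IMAGE   # placeholder, not a real image reference
          env:
            # bash writes here-document bodies to $TMPDIR (default /tmp);
            # pointing it at a writable mount removes the "cannot create temp file" error
            - name: TMPDIR
              value: /tmp
            # assumed home directory; the page only shows writes under $HOME/.ibm-mas
            - name: HOME
              value: /home/mascli
          securityContext:
            readOnlyRootFilesystem: true      # the setting AVD-KSV-0014 / CKV_K8S_22 look for
            allowPrivilegeEscalation: false
          volumeMounts:
            - name: tmp
              mountPath: /tmp                  # here-document temp files
            - name: mas-home
              mountPath: /home/mascli          # cli.env and saved config land under .ibm-mas here
      volumes:
        # emptyDir is pod-scoped scratch space: writable for the process, discarded with the pod,
        # and separate from the image layers, so binaries under /mascli stay immutable
        - name: tmp
          emptyDir: {}
        - name: mas-home
          emptyDir: {}
```

The scanners only verify that `readOnlyRootFilesystem` is `true`; the `emptyDir` mounts are what keep the CLI functional, so the list of writable paths has to be confirmed against the real job (the read-only run in the comment above, with its "Read-only file system" errors, is a reasonable way to enumerate them). Mounting an `emptyDir` over the home directory hides anything the image ships there, and any further path the CLI writes to would need its own mount. The scratch volumes remain writable to a compromised process, so the control is narrowed rather than lost: the image's own files and executables under `/mascli` can still not be tampered with.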