An immutable root file system prevents applications from writing to their local disk. This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.
This violation cannot be fixed; please find the details below.
The helm template will invoke a job which in turn calls mas cli functions to install MAS.
The mas cli function logic creates temporary files using syntax like the one below.
cat << EOF > $HOME/.ibm-mas/cli.env
Setting the file system as read-only will break this logic.
Below is the error message received when the file system is set as read-only.
/mascli/functions/install: line 35: cannot create temp file for here-document: Read-only file system
/mascli/functions/install: line 36: cannot create temp file for here-document: Read-only file system
Error: IBM Maximo Operator Catalog is already installed on this cluster.
If you wish to install a new MAS instance using the v8-240227-amd64 catalog please first run "mas update" to switch to this catalog, this will ensure the appropriate actions are performed as part of the catalog update.
/mascli/functions/internal/save_config: line 14: cannot create temp file for here-document: Read-only file system
Issue: https://avd.aquasec.com/misconfig/kubernetes/general/avd-ksv-0014/
Root file system is not read-only
An immutable root file system prevents applications from writing to their local disk. This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.
Links - https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21
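For reference, an added example that is not part of the original issue or of the MAS Helm chart: bash stages a here-document in a temporary file under `$TMPDIR` (default `/tmp`), so a Job can keep `readOnlyRootFilesystem: true` if that directory and the CLI's config directory are backed by writable `emptyDir` volumes. The Job name, image, command and the `/workdir` home path are placeholders and assumptions; any other path the CLI writes to would need the same kind of mount.

```yaml
# Added example. Names, image, command and paths are placeholders,
# not values taken from the MAS chart or CLI image.
apiVersion: batch/v1
kind: Job
metadata:
  name: mas-install-example            # hypothetical name
spec:
  template:
    spec:
      restartPolicy: Never
      containers:
        - name: installer
          image: registry.example.com/mas-cli:PLACEHOLDER     # placeholder image
          command: ["/bin/bash", "-c", "/opt/example/run-install.sh"]  # placeholder
          env:
            - name: HOME
              value: /workdir          # assumption: pin HOME so $HOME/.ibm-mas is known
            - name: TMPDIR
              value: /tmp              # where bash creates here-document temp files
          securityContext:
            readOnlyRootFilesystem: true     # satisfies AVD-KSV-0014 / CKV_K8S_22
            allowPrivilegeEscalation: false
          volumeMounts:
            - name: tmp
              mountPath: /tmp                # writable scratch for here-documents
            - name: mas-config
              mountPath: /workdir/.ibm-mas   # target of "cat << EOF > $HOME/.ibm-mas/cli.env"
      volumes:
        - name: tmp
          emptyDir:
            sizeLimit: 64Mi            # bound what can be written to scratch space
        - name: mas-config
          emptyDir:
            sizeLimit: 16Mi
```

Both volumes are discarded when the pod terminates, and the image's own binaries and scripts stay read-only.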