Read-only Root Filesystem Overview

Edit online

Read-only root filesystem (readOnlyRootFilesystem: true) is a Kubernetes security feature that prevents any modifications to the container's root filesystem at runtime. When enabled, the container's base filesystem becomes immutable and applications can only write to explicitly mounted volumes.

Enabling read-only root filesystem is a security best practice that:

Enforces infrastructure immutability
Prevents tampering with the image contents
Ensures consistency across environments

To enable read-only filesystem, any paths that require write access must be replaced with volume mounts. For paths that require data persistency, the use of Persistent Volume Claims (PVC) is recommended. For other writable paths, ephemeral volumes, for example, emptyDir are preferred to minimize the operational overhead. These volumes must be prepared before deployment using an init container.

To maximize security benefits, it is recommended to deploy the readonly containers with the restrictive-v2 Security Context Constraint (SCC).

Note: This is an optional and opt-in feature. It will not change the existing deployment, unless enabled.