Event Information

Meaning

  • The “Write below root” event in a Kubernetes cluster indicates that a process running within a container attempted to write or modify files or directories that are located below the root directory (”/”) of the file system.
  • This event can be a potential security concern as it may indicate unauthorized access or tampering with critical system files or directories.
  • To investigate and mitigate this event, you can:
    1. Identify the specific container and pod where the event occurred using the Kubernetes cluster’s monitoring or logging tools.
    2. Inspect the process or application running within the container to determine the intent behind the write operation and whether it was legitimate or malicious.
    3. Review the container’s security policies and configurations to ensure that only authorized processes have write access to system files and directories below the root level.

Remediation

  1. Restrict Write Access to Root Directory:

    • Modify the Pod’s security context to make the root filesystem read-only, thereby preventing unauthorized writes to any location below the root directory.
     apiVersion: v1
 kind: Pod
 metadata:
   name: secure-pod
 spec:
   containers:
   - name: secure-container
     image: <your-image>
     securityContext:
       readOnlyRootFilesystem: true

  2. Use Read-Only Volume Mounts:

    • For applications that need to mount specific directories, use read-only mounts to prevent write operations.
     apiVersion: v1
 kind: Pod
 metadata:
   name: secure-pod
 spec:
   containers:
   - name: secure-container
     image: <your-image>
     volumeMounts:
     - name: root-volume
       mountPath: /
       readOnly: true
   volumes:
   - name: root-volume
     emptyDir: {}