Enable readOnlyRootFilesystem policy in Kyverno

Signed-off-by: Richard Wall <richard.wall@venafi.com>

make/config/kyverno/kustomization.yaml

@@ -8,6 +8,7 @@
 resources:
   - https://github.com/kyverno/policies/pod-security/enforce
   - https://raw.githubusercontent.com/kyverno/policies/main/other/res/restrict-automount-sa-token/restrict-automount-sa-token.yaml
+  - https://github.com/kyverno/policies/raw/main//best-practices/require-ro-rootfs/require-ro-rootfs.yaml
 patches:
   - patch: |-
       - op: replace

make/config/kyverno/policy.yaml

@@ -485,6 +485,40 @@ spec:
 ---
 apiVersion: kyverno.io/v1
 kind: Policy
+metadata:
+  annotations:
+    policies.kyverno.io/category: Best Practices, EKS Best Practices, PSP Migration
+    policies.kyverno.io/description: 'A read-only root file system helps to enforce
+      an immutable infrastructure strategy; the container only needs to write on the
+      mounted volume that persists the state. An immutable root filesystem can also
+      prevent malicious binaries from writing to the host system. This policy validates
+      that containers define a securityContext with `readOnlyRootFilesystem: true`.'
+    policies.kyverno.io/minversion: 1.6.0
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/subject: Pod
+    policies.kyverno.io/title: Require Read-Only Root Filesystem
+  name: require-ro-rootfs
+  namespace: cert-manager
+spec:
+  background: true
+  rules:
+  - match:
+      any:
+      - resources:
+          kinds:
+          - Pod
+    name: validate-readOnlyRootFilesystem
+    validate:
+      message: Root filesystem must be read-only.
+      pattern:
+        spec:
+          containers:
+          - securityContext:
+              readOnlyRootFilesystem: true
+  validationFailureAction: Enforce
+---
+apiVersion: kyverno.io/v1
+kind: Policy
 metadata:
   annotations:
     kyverno.io/kubernetes-version: 1.22-1.23