From 9dfb7c3ecf578aac02373d1ec24616b2c58211de Mon Sep 17 00:00:00 2001
From: Richard Wall
Date: Fri, 27 Oct 2023 16:03:17 +0100
Subject: [PATCH] Enable readOnlyRootFilesystem policy in Kyverno

Signed-off-by: Richard Wall
---
 make/config/kyverno/kustomization.yaml | 1 +
 make/config/kyverno/policy.yaml | 34 ++++++++++++++++++++++++++
 2 files changed, 35 insertions(+)

diff --git a/make/config/kyverno/kustomization.yaml b/make/config/kyverno/kustomization.yaml
index 30bb92795..30996254f 100644
--- a/make/config/kyverno/kustomization.yaml
+++ b/make/config/kyverno/kustomization.yaml
@@ -8,6 +8,7 @@ resources:
   - https://github.com/kyverno/policies/pod-security/enforce
   - https://raw.githubusercontent.com/kyverno/policies/main/other/res/restrict-automount-sa-token/restrict-automount-sa-token.yaml
+  - https://github.com/kyverno/policies/raw/main//best-practices/require-ro-rootfs/require-ro-rootfs.yaml
 
 patches:
   - patch: |-
       - op: replace
diff --git a/make/config/kyverno/policy.yaml b/make/config/kyverno/policy.yaml
index 272253f52..a5e4b550c 100644
--- a/make/config/kyverno/policy.yaml
+++ b/make/config/kyverno/policy.yaml
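Review bot: The new resource entry `https://github.com/kyverno/policies/raw/main//best-practices/require-ro-rootfs/require-ro-rootfs.yaml` carries a stray `//` after `main`, and kustomize uses `//` in remote references as the repository/sub-path separator, so if this entry is ever resolved as a git reference instead of a plain HTTP file it would be read as repo `kyverno/policies/raw/main` plus a sub-path; the preceding entry already uses the raw.githubusercontent.com form, which has no such ambiguity. Suggest `  - https://raw.githubusercontent.com/kyverno/policies/main/best-practices/require-ro-rootfs/require-ro-rootfs.yaml` so both single-file policies are fetched the same way. Both remote policy files track `main`, so the policy text enforced in this repo's tests can change upstream without any change here; putting a tag or commit in place of `main` would make the enforced policy set reproducible (the existing entry has the same property, so this is a follow-up rather than a defect introduced by this line). The `patches` stanza that follows continues outside the hunk.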
@@ -485,6 +485,40 @@ spec:
 ---
 apiVersion: kyverno.io/v1
 kind: Policy
+metadata:
+  annotations:
+    policies.kyverno.io/category: Best Practices, EKS Best Practices, PSP Migration
+    policies.kyverno.io/description: 'A read-only root file system helps to enforce
+      an immutable infrastructure strategy; the container only needs to write on the
+      mounted volume that persists the state. An immutable root filesystem can also
+      prevent malicious binaries from writing to the host system. This policy validates
+      that containers define a securityContext with `readOnlyRootFilesystem: true`.'
+    policies.kyverno.io/minversion: 1.6.0
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/subject: Pod
+    policies.kyverno.io/title: Require Read-Only Root Filesystem
+  name: require-ro-rootfs
+  namespace: cert-manager
+spec:
+  background: true
+  rules:
+  - match:
+      any:
+      - resources:
+          kinds:
+          - Pod
+    name: validate-readOnlyRootFilesystem
+    validate:
+      message: Root filesystem must be read-only.
+      pattern:
+        spec:
+          containers:
+          - securityContext:
+              readOnlyRootFilesystem: true
+  validationFailureAction: Enforce
+---
+apiVersion: kyverno.io/v1
+kind: Policy
 metadata:
   annotations:
     kyverno.io/kubernetes-version: 1.22-1.23
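Review bot: The validate pattern under `spec.containers` in the new `require-ro-rootfs` Policy leaves `initContainers` and `ephemeralContainers` unchecked, so a Pod whose init container runs with a writable root filesystem still passes even though the message says the root filesystem must be read-only. Adding the conditionally anchored block `=(initContainers):`, `- securityContext:`, `    readOnlyRootFilesystem: true` beside `containers:` under the same `spec:` pattern closes that gap without requiring every Pod to declare init containers; the same addition would be needed for `ephemeralContainers` if they are in scope. This namespaced Policy also duplicates the upstream `require-ro-rootfs` ClusterPolicy that kustomization.yaml pulls in within the same patch; if that ClusterPolicy already applies to the cert-manager namespace, the rule is enforced twice and the two copies can drift, so a comment above `name: require-ro-rootfs` stating why a namespaced copy with `validationFailureAction: Enforce` is kept would help the next maintainer. The trailing context lines belong to the following Policy document, which continues outside the hunk.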