From 77f66511e70c4b2c1f83988786e3de04ec7349db Mon Sep 17 00:00:00 2001
From: Nick Smith
Date: Tue, 28 Jan 2020 15:45:31 +0000
Subject: [PATCH] Set all host-mounted volumes to be read-only. (#569)

By setting all host-mounted volumes to be read-only we reduce the likelihood any host filesystem is modified by running kube-bench.
---
 job-eks.yaml | 3 +++
 job-iks.yaml | 3 +++
 job-master.yaml | 3 +++
 job-node.yaml | 4 ++++
 job.yaml | 5 +++++
 5 files changed, 18 insertions(+)

diff --git a/job-eks.yaml b/job-eks.yaml
index 6f82c31..b0cac98 100644
--- a/job-eks.yaml
+++ b/job-eks.yaml
@@ -15,10 +15,13 @@ spec:
 volumeMounts:
 - name: var-lib-kubelet
 mountPath: /var/lib/kubelet
+ readOnly: true
 - name: etc-systemd
 mountPath: /etc/systemd
+ readOnly: true
 - name: etc-kubernetes
 mountPath: /etc/kubernetes
+ readOnly: true
 restartPolicy: Never
 volumes:
 - name: var-lib-kubelet
diff --git a/job-iks.yaml b/job-iks.yaml
index 8a5fd38..3d3d072 100644
--- a/job-iks.yaml
+++ b/job-iks.yaml
@@ -14,10 +14,13 @@ spec:
 volumeMounts:
 - name: var-lib-kubelet
 mountPath: /var/lib/kubelet
+ readOnly: true
 - name: etc-systemd
 mountPath: /etc/systemd
+ readOnly: true
 - name: etc-kubernetes
 mountPath: /etc/kubernetes
+ readOnly: true
 restartPolicy: Never
 volumes:
 - name: var-lib-kubelet
diff --git a/job-master.yaml b/job-master.yaml
index 5896bd3..27cecb2 100644
--- a/job-master.yaml
+++ b/job-master.yaml
@@ -20,12 +20,15 @@ spec:
 volumeMounts:
 - name: var-lib-etcd
 mountPath: /var/lib/etcd
+ readOnly: true
 - name: etc-kubernetes
 mountPath: /etc/kubernetes
+ readOnly: true
 # /usr/bin is mounted to access kubectl / kubelet, for auto-detecting the Kubernetes version.
 # You can omit this mount if you specify --version as part of the command.
 - name: usr-bin
 mountPath: /usr/bin
+ readOnly: true
 restartPolicy: Never
 volumes:
 - name: var-lib-etcd
diff --git a/job-node.yaml b/job-node.yaml
index 0bdc2a1..b9133e9 100644
--- a/job-node.yaml
+++ b/job-node.yaml
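Review bot: `readOnly: true` on the three job-eks.yaml mounts is implemented as a read-only bind mount, and a process holding CAP_SYS_ADMIN in the container can remount it read-write, so the flag only holds if the container's `securityContext` (not shown in this hunk) neither sets `privileged: true` nor adds that capability; please confirm that and consider pinning it with `allowPrivilegeEscalation: false` and `capabilities: {drop: ["ALL"]}` so a later change cannot quietly undo this hardening. It is also worth pairing the host mounts with `readOnlyRootFilesystem: true` on the container so the job's own filesystem is immutable as well. Note the flag stops writes but not reads: `/etc/kubernetes` and `/var/lib/kubelet` still expose node credentials to whoever can run this Job.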
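Review bot: The `hostPath` entries that back these job-iks.yaml mounts continue under `volumes:` past the end of the hunk; if they carry no `type`, the default performs no check before mounting and a path missing on a node may be created on the host by the runtime as a root-owned directory before the read-only flag ever applies, which is exactly the kind of host modification this commit sets out to prevent. Setting `type: Directory` on each of them, e.g. `hostPath: {path: /var/lib/kubelet, type: Directory}`, makes the pod fail to start instead. That also surfaces nodes where the path genuinely does not exist rather than silently benchmarking an empty directory.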
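Review bot: The job-master.yaml hunk adds the flag three times but nothing in the manifest says why, so the next contributor adding a mount has no cue to keep it; a one-line comment above `volumeMounts:`, e.g. `# Every host path is mounted read-only: this job is meant to inspect the host, never to change it.`, would carry the intent from the commit message into the file. Whether kube-bench truly needs no write access to any of these paths is inferred from the commit message rather than visible here, so that wording should be confirmed against the checks. Separately, `/var/lib/etcd` mounted read-only still hands the job the entire cluster state, so the flag reduces integrity risk, not disclosure, and who may create this Job should stay tightly restricted.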
@@ -14,14 +14,18 @@ spec:
 volumeMounts:
 - name: var-lib-kubelet
 mountPath: /var/lib/kubelet
+ readOnly: true
 - name: etc-systemd
 mountPath: /etc/systemd
+ readOnly: true
 - name: etc-kubernetes
 mountPath: /etc/kubernetes
+ readOnly: true
 # /usr/bin is mounted to access kubectl / kubelet, for auto-detecting the Kubernetes version.
 # You can omit this mount if you specify --version as part of the command.
 - name: usr-bin
 mountPath: /usr/bin
+ readOnly: true
 restartPolicy: Never
 volumes:
 - name: var-lib-kubelet
diff --git a/job.yaml b/job.yaml
index 411c164..5f09651 100644
--- a/job.yaml
+++ b/job.yaml
@@ -17,16 +17,21 @@ spec:
 volumeMounts:
 - name: var-lib-etcd
 mountPath: /var/lib/etcd
+ readOnly: true
 - name: var-lib-kubelet
 mountPath: /var/lib/kubelet
+ readOnly: true
 - name: etc-systemd
 mountPath: /etc/systemd
+ readOnly: true
 - name: etc-kubernetes
 mountPath: /etc/kubernetes
+ readOnly: true
 # /usr/bin is mounted to access kubectl / kubelet, for auto-detecting the Kubernetes version.
 # You can omit this mount if you specify --version as part of the command.
 - name: usr-bin
 mountPath: /usr/bin
+ readOnly: true
 restartPolicy: Never
 volumes:
 - name: var-lib-etcd
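Review bot: Making the `usr-bin` mount in job-node.yaml read-only does not address that bind-mounting the host's whole `/usr/bin` over the container's `/usr/bin` shadows every binary the image ships there and gives the job the host's full toolbox; since the comment above it says only `kubectl` and `kubelet` are needed for version detection, mounting just those two files with `hostPath` of `type: File` narrows the surface and keeps the image's own `/usr/bin` intact. The `volumes:` block this touches continues beyond the hunk, and the kubelet binary is not always at `/usr/bin/kubelet` on every distribution, but that assumption already exists in the current mount. A sketch of the narrowed form follows.
```yaml
      volumeMounts:
        # … unchanged: var-lib-kubelet, etc-systemd, etc-kubernetes mounts …
        - name: usr-bin-kubectl
          mountPath: /usr/bin/kubectl
          readOnly: true
        - name: usr-bin-kubelet
          mountPath: /usr/bin/kubelet
          readOnly: true
      # … unchanged: restartPolicy, the other hostPath volumes …
      volumes:
        - name: usr-bin-kubectl
          hostPath:
            path: /usr/bin/kubectl
            type: File
        - name: usr-bin-kubelet
          hostPath:
            path: /usr/bin/kubelet
            type: File
```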
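Review bot: Even read-only, the `var-lib-kubelet` mount in job.yaml typically exposes every pod's mounted Secret and projected service-account token on that node (they live under `/var/lib/kubelet/pods/*/volumes/`, and a bind mount usually carries those submounts along), and `var-lib-etcd` exposes the whole cluster state, so the flag closes the integrity gap but not the confidentiality one. Since this combined manifest is the one most likely to be copied, a comment at the top of `volumeMounts:` such as `# read-only, but these paths still expose node and cluster secrets; restrict who may create this Job` would keep readers from equating read-only with low risk. If kube-bench does not talk to the API server from this Job, `automountServiceAccountToken: false` on the pod spec (outside the hunk) would also remove one credential the job never needs; that usage cannot be confirmed from this diff.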