By default, containers are permitted mostly unrestricted execution within their own context. An attacker who has access to a container can create files and download scripts at will, and modify the underlying application running in the container. Setting the root filesystem to read-only removes that ability for everything except explicitly mounted writable volumes.
- Not Configurable
- CronJob
- DaemonSet
- Deployment
- Job
- Pod
- ReplicaSet
- StatefulSet
- If `securityContext.readOnlyRootFilesystem` is set to `true`. If not, the resource is denied from being deployed in the cluster.
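The check above, as an added example that is not part of the original page: a small admission-style validator that walks every container and init container of the listed workload kinds (including the nested pod template of a CronJob) and denies the manifest when any container lacks `readOnlyRootFilesystem: true`. The sample manifests are constructed for illustration.

```python
"""Deny workloads whose containers do not set readOnlyRootFilesystem: true."""
from typing import Any, Dict, List

# Path to the pod spec inside each supported kind (standard Kubernetes shapes).
POD_SPEC_PATH = {
    "Pod": ["spec"],
    "Deployment": ["spec", "template", "spec"],
    "DaemonSet": ["spec", "template", "spec"],
    "ReplicaSet": ["spec", "template", "spec"],
    "StatefulSet": ["spec", "template", "spec"],
    "Job": ["spec", "template", "spec"],
    "CronJob": ["spec", "jobTemplate", "spec", "template", "spec"],
}


def pod_spec(manifest: Dict[str, Any]) -> Dict[str, Any]:
    """Descend to the pod spec for the manifest's kind; empty dict if absent."""
    node: Any = manifest
    for key in POD_SPEC_PATH.get(manifest.get("kind", ""), []):
        node = node.get(key, {}) if isinstance(node, dict) else {}
    return node if isinstance(node, dict) else {}


def writable_root_containers(manifest: Dict[str, Any]) -> List[str]:
    """Names of containers (init or regular) whose root filesystem is writable."""
    if manifest.get("kind") not in POD_SPEC_PATH:
        return []  # kind not covered by this control
    spec = pod_spec(manifest)
    offenders = []
    for field in ("initContainers", "containers"):
        for c in spec.get(field, []):
            sc = c.get("securityContext") or {}
            # A missing field is treated as writable, the Kubernetes default.
            if sc.get("readOnlyRootFilesystem") is not True:
                offenders.append(c.get("name", "<unnamed>"))
    return offenders


def admit(manifest: Dict[str, Any]) -> bool:
    """Admission decision: True only when every container is read-only."""
    return not writable_root_containers(manifest)


# Constructed sample manifests (not from any real cluster).
CRONJOB_WRITABLE = {"kind": "CronJob", "spec": {"jobTemplate": {"spec": {"template": {
    "spec": {"containers": [{"name": "backup", "image": "example/backup"}]}}}}}}
DEPLOYMENT_READONLY = {"kind": "Deployment", "spec": {"template": {"spec": {
    "initContainers": [{"name": "init", "securityContext": {"readOnlyRootFilesystem": True}}],
    "containers": [{"name": "web", "securityContext": {"readOnlyRootFilesystem": True}}]}}}}
```

A writable scratch area, when an application needs one, is an `emptyDir` volume mounted at the specific path rather than a writable root filesystem.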