[FEATURE] Use readOnlyRootFilesystem in Build Pods #1969

@adambkaplan

Description

Is there an existing feature request for this?

  • I have searched the existing feature requests

Is your feature request related to a problem or use-case? Please describe.

In Kubernetes, the root filesystem is writable by default. Containers that run as root (which is often the case when running builds) therefore have write permission to the entire filesystem within the container. A compromised build container could overwrite system components and execute arbitrary code.

Describe the solution that you would like.

Containers that run as root should have the readOnlyRootFilesystem flag set in their pod security context. See also: Configure a Security Context for a Pod or Container.

This may require all containers in the build to establish writable emptyDir volumes explicitly, e.g. for /tmp.

Describe alternatives you have considered.

  • Running containers as a non-root user is ideal, but not always feasible. For example, running buildah typically requires the container it is in to run as root.
  • Running containers in a Linux user namespace does not solve the problem of root user containers having their filesystems
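As an added illustration (not code from this issue or the project), a small Python audit that flags root containers whose root filesystem is writable, and a helper that produces the hardened form described above: readOnlyRootFilesystem set and a per-container emptyDir mounted at /tmp. The manifest, image name and volume names are constructed for the example.

```python
# Added example: audit a Pod spec for root containers with a writable root
# filesystem, and show the hardened form with an emptyDir scratch mount.
import copy

# Constructed "before" manifest: a root build container with the default
# (writable) root filesystem. The image reference is a placeholder.
BUILD_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "build-example"},
    "spec": {
        "containers": [{
            "name": "buildah",
            "image": "quay.io/example/buildah:placeholder",
            "securityContext": {"runAsUser": 0},
        }],
    },
}

def runs_as_root(container, pod_spec):
    """True unless the container is explicitly non-root (root is the default)."""
    ctx = {**pod_spec.get("securityContext", {}), **container.get("securityContext", {})}
    if ctx.get("runAsNonRoot") is True:
        return False
    uid = ctx.get("runAsUser")
    return uid is None or uid == 0

def audit_pod(pod):
    """Return findings for root containers whose root filesystem is writable."""
    spec = pod["spec"]
    findings = []
    for c in spec.get("containers", []):
        ro = c.get("securityContext", {}).get("readOnlyRootFilesystem", False)
        if runs_as_root(c, spec) and not ro:
            findings.append(f"{c['name']}: runs as root with writable root filesystem")
        mounts = {m["mountPath"] for m in c.get("volumeMounts", [])}
        if ro and "/tmp" not in mounts:
            findings.append(f"{c['name']}: readOnlyRootFilesystem set but no writable /tmp")
    return findings

def harden_pod(pod, scratch="/tmp"):
    """Copy the pod, set readOnlyRootFilesystem and mount an emptyDir at scratch."""
    out = copy.deepcopy(pod)
    spec = out["spec"]
    for c in spec["containers"]:
        vol = f"{c['name']}-tmp"  # one emptyDir per container, nothing shared
        spec.setdefault("volumes", []).append({"name": vol, "emptyDir": {}})
        c.setdefault("securityContext", {})["readOnlyRootFilesystem"] = True
        c.setdefault("volumeMounts", []).append({"name": vol, "mountPath": scratch})
    return out
```

Build steps that write outside /tmp (package caches, the container storage used by buildah) need their own emptyDir mounts in the same way, which is the explicit work the proposal above calls out.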

Anything else?

No response

Metadata

Labels

kind/feature: Categorizes issue or PR as related to a new feature.
