diff --git a/pkg/kubelet/rkt/rkt.go b/pkg/kubelet/rkt/rkt.go
index 659b29bd7ae..9e06ddf82a6 100644
--- a/pkg/kubelet/rkt/rkt.go
+++ b/pkg/kubelet/rkt/rkt.go
@@ -767,10 +767,9 @@ func (r *Runtime) newAppcRuntimeApp(pod *api.Pod, podIP string, c api.Container,
 	}
 
 	ra := appcschema.RuntimeApp{
-		Name:           convertToACName(c.Name),
-		Image:          appcschema.RuntimeImage{ID: *hash},
-		App:            imgManifest.App,
-		ReadOnlyRootFS: *c.SecurityContext.ReadOnlyRootFilesystem,
+		Name:  convertToACName(c.Name),
+		Image: appcschema.RuntimeImage{ID: *hash},
+		App:   imgManifest.App,
 		Annotations: []appctypes.Annotation{
 			{
 				Name:  *appctypes.MustACIdentifier(k8sRktContainerHashAnno),
@@ -783,6 +782,10 @@ func (r *Runtime) newAppcRuntimeApp(pod *api.Pod, podIP string, c api.Container,
 		},
 	}
 
+	if c.SecurityContext != nil && c.SecurityContext.ReadOnlyRootFilesystem != nil {
+		ra.ReadOnlyRootFS = *c.SecurityContext.ReadOnlyRootFilesystem
+	}
+
 	if mnt != nil {
 		ra.Annotations = append(ra.Annotations, appctypes.Annotation{
 			Name:  *appctypes.MustACIdentifier(k8sRktTerminationMessagePathAnno),