1.2.13 Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

The SecurityContextDeny admission controller can be used to deny pods which make use of some SecurityContext fields which could allow for privilege escalation in the cluster. This should be used where PodSecurityPolicy is not in place within the cluster.

Rationale:

SecurityContextDeny can be used to provide a layer of security for clusters which do not have PodSecurityPolicies enabled.

Solution

Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the --enable-admission-plugins parameter to include SecurityContextDeny, unless PodSecurityPolicy is already in place.

--enable-admission-plugins=...,SecurityContextDeny,...

Impact:

This admission controller should only be used where Pod Security Policies cannot be used on the cluster, as it can interact poorly with certain Pod Security Policies

Default Value:

By default, SecurityContextDeny is not set.

References:

https://kubernetes.io/docs/admin/kube-apiserver/

https://kubernetes.io/docs/admin/admission-controllers/#securitycontextdeny

https://kubernetes.io/docs/user-guide/pod-security-policy/#working-with-rbac

See Also

https://workbench.cisecurity.org/files/2662

Item Details

Category: ACCESS CONTROL, CONFIGURATION MANAGEMENT

References: 800-53|AC-6, 800-53|CM-6, CSCv6|5.1, CSCv7|5.2

Plugin: Unix

Control ID: 3397b0b3ed4195e69e027f6c2780aeffb4016ed8061bf21ff7aed328a2b42ff2