1.2.13 Ensure that the admission control plugin SecurityContextDeny is not set - Admission SecurityContextConstraint

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

The SecurityContextDeny admission controller can be used to deny pods which make use of some SecurityContext fields which could allow for privilege escalation in the cluster. This should be used where PodSecurityPolicy is not in place within the cluster.

Rationale:

SecurityContextDeny can be used to provide a layer of security for clusters which do not have PodSecurityPolicies enabled.

Impact:

The SecurityContextDeny admission controller cannot be enabled as it conflicts with the SecurityContextConstraint admission controller.

Solution

None required. The Security Context Constraint admission controller cannot be disabled in OpenShift 4.

Default Value:

By default, OpenShift uses Security Context Constraints (SCCs) to restrict access to run privileged containers and runs pods on worker nodes as unprivileged (with the restricted SCC).

See Also

https://workbench.cisecurity.org/files/4260