Detections
Analytics
CNTR-K8-002001 - Kubernetes must enable PodSecurity admission controller on static pods and Kubelets.
Information
PodSecurity admission controller is a component that validates and enforces security policies for pods running within a Kubernetes cluster. It is responsible for evaluating the security context and configuration of pods against defined policies.To enable PodSecurity admission controller on Static Pods (kube-apiserver, kube-controller-manager, or kube-schedule), the argument '--feature-gates=PodSecurity=true' must be set.
To enable PodSecurity admission controller on Kubelets, the featureGates PodSecurity=true argument must be set.
(Note: The PodSecurity feature gate is GA as of v1.25.)
Solution
On the Control Plane, change to the manifests' directory at /etc/kubernetes/manifests and run the command:grep -i feature-gates *
Ensure the argument '--feature-gates=PodSecurity=true' is present in each manifest file.
On each Control Plane and Worker Node, run the command:
ps -ef | grep kubelet
Remove the '--feature-gates' option if present.
Note the path to the config file (identified by --config).
Edit the Kubernetes Kubelet config file:
Add a 'featureGates' setting if one does not yet exist. Add the feature gate 'PodSecurity=true'.
Restart the kubelet service using the following command:
systemctl daemon-reload && systemctl restart kubelet
See Also
https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Kubernetes_V2R5_STIG.zip
Item Details
Audit Name: DISA STIG Kubernetes v2r5
Category: ACCESS CONTROL
References: 800-53|AC-16a., CAT|I, CCI|CCI-002263, Rule-ID|SV-254801r961359_rule, STIG-ID|CNTR-K8-002001, Vuln-ID|V-254801
Plugin: Unix
Control ID: e0cf90c30593bafb33236759138b93474c6049212d3f63352c707a71635b73ef