Detections
Analytics
Minimize access to create pods
HIGH
Description
Description:
The ability to create pods in a namespace can provide a number of opportunities for privilege escalation, such as assigning privileged service accounts to these pods or mounting hostPaths with access to sensitive data (unless Pod Security Policies are implemented to restrict this access)
As such, access to create new pods should be restricted to the smallest possible group of users.
Rationale:
The ability to create pods in a cluster opens up possibilities for privilege escalation and should be restricted, where possible.
Care should be taken not to remove access to pods to system components which require this for their operation
Remediation
Where possible, remove 'create' access to 'pod' objects in the cluster.
Policy Details
Rule Reference ID: AC_K8S_0103
CSP: Kubernetes
Remediation Available: No
Domain: Identity and Access Management
Resource: kubernetes_role
Resource Category: Management
Resource Type: Role
Frameworks
GDPR
HIPAA
NIST-800-171
NIST-800-53
NIST-CSF
PCI-DSSv3.2.1
PCI-DSSv4.0
CIS Kubernetes v1.6.1 Level 1 - Master Node
CIS Amazon Elastic Kubernetes Service (EKS) v1.1.0 Level 1
CIS Amazon Elastic Kubernetes Service (EKS) v1.3.0 Level 1
NSA CISA Kubernetes Hardening Guide 1.0
CIS Azure Kubernetes Service (AKS) v1.1.0 Level 1
CIS Azure Kubernetes Service (AKS) v1.3.0 Level 1
CIS Google Kubernetes Engine (GKE) v1.4.0 Level 1
HIPAA
NIST-800-171
NIST-800-53
NIST-CSF
PCI-DSSv3.2.1
PCI-DSSv4.0
CIS Kubernetes v1.6.1 Level 1 - Master Node
CIS Amazon Elastic Kubernetes Service (EKS) v1.1.0 Level 1
CIS Amazon Elastic Kubernetes Service (EKS) v1.3.0 Level 1
NSA CISA Kubernetes Hardening Guide 1.0
CIS Azure Kubernetes Service (AKS) v1.1.0 Level 1
CIS Azure Kubernetes Service (AKS) v1.3.0 Level 1
CIS Google Kubernetes Engine (GKE) v1.4.0 Level 1