Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used

HIGH

Description

Description:

The SecurityContextDeny admission controller can be used to deny pods which make use of some SecurityContext fields which could allow for privilege escalation in the cluster. This should be used where PodSecurityPolicy is not in place within the cluster.

Rationale:

SecurityContextDeny can be used to provide a layer of security for clusters which do not have PodSecurityPolicies enabled.

This admission controller should only be used where Pod Security Policies cannot be used on the cluster, as it can interact poorly with certain Pod Security Policies.

Remediation

Edit the API server pod specification file '/etc/kubernetes/manifests/kube-apiserver.yaml' on the master node and set the '--enable-admission-plugins' parameter to include 'SecurityContextDeny', unless 'PodSecurityPolicy' is already in place.

--enable-admission-plugins=...,SecurityContextDeny,...
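The following audit helper is an added example, not part of the original rule page or of any benchmark tooling: it pulls the `--enable-admission-plugins` list out of a kube-apiserver command line (either the `args` entry from `/etc/kubernetes/manifests/kube-apiserver.yaml` or a `ps` line on the master node) and reports the rule as passing when either `SecurityContextDeny` or `PodSecurityPolicy` is enabled, matching whole plugin names so that a name embedded in another is not mistaken for a match. The two manifest lines it runs over are constructed samples, and the function name `check_ac_k8s_0022` is chosen here after the rule ID on this page.

```shell
#!/bin/sh
# Added example: audit the kube-apiserver admission-plugin list for rule AC_K8S_0022.

# Print the comma-separated value of --enable-admission-plugins found in a
# kube-apiserver manifest args line or process command line; print nothing if unset.
admission_plugins() {
  printf '%s\n' "$1" | sed -n 's/.*--enable-admission-plugins=\([^ "]*\).*/\1/p'
}

# Return 0 (pass) when SecurityContextDeny or PodSecurityPolicy is enabled,
# 1 (fail) otherwise. Wrapping the list in commas makes the match whole-name only.
check_ac_k8s_0022() {
  plugins=$(admission_plugins "$1")
  case ",$plugins," in
    *,PodSecurityPolicy,*)
      echo "PASS: PodSecurityPolicy is enabled (SecurityContextDeny not required)"
      return 0 ;;
    *,SecurityContextDeny,*)
      echo "PASS: SecurityContextDeny is enabled"
      return 0 ;;
    *)
      echo "FAIL: neither SecurityContextDeny nor PodSecurityPolicy is enabled"
      return 1 ;;
  esac
}

# Constructed sample manifest args lines (not taken from any real cluster).
COMPLIANT='- --enable-admission-plugins=NodeRestriction,SecurityContextDeny'
NONCOMPLIANT='- --enable-admission-plugins=NodeRestriction'

# On a master node the same check can be fed the live flag, e.g.
#   check_ac_k8s_0022 "$(grep -- '--enable-admission-plugins' /etc/kubernetes/manifests/kube-apiserver.yaml)"
for line in "$COMPLIANT" "$NONCOMPLIANT"; do
  check_ac_k8s_0022 "$line" || :
done
```

The check deliberately accepts `PodSecurityPolicy` as a pass on its own, since the rule text says `SecurityContextDeny` should only be added where Pod Security Policies are not in use.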

Policy Details

Rule Reference ID: AC_K8S_0022
Remediation Available: No
Resource: kubernetes_pod
Resource Category: Compute
Resource Type: Pod

Frameworks