Detections
Analytics

Ensure that the admission control plugin PodSecurityPolicy is set

MEDIUM

Description

Description:

Reject creating pods that do not match Pod Security Policies.

Rationale:

A Pod Security Policy is a cluster-level resource that controls the actions that a pod can perform and what it has the ability to access. The 'PodSecurityPolicy' objects define a set of conditions that a pod must run with in order to be accepted into the system. Pod Security Policies are comprised of settings and strategies that control the security features a pod has access to and hence this must be used to control pod access permissions.

Note: When the PodSecurityPolicy admission plugin is in use, there needs to be at least one PodSecurityPolicy in place for ANY pods to be admitted. See section 5.2 for recommendations on PodSecurityPolicy settings.

The policy objects must be created and granted before pod creation would be allowed.

Remediation

Follow the documentation and create Pod Security Policy objects as per your environment. Then, edit the API server pod specification file '/etc/kubernetes/manifests/kube-apiserver.yaml' on the master node and set the '--enable-admission-plugins' parameter to a value that includes 'PodSecurityPolicy':

--enable-admission-plugins=...,PodSecurityPolicy,...

Then restart the API Server.

Policy Details

Rule Reference ID: AC_K8S_0129
CSP: Kubernetes
Remediation Available: No
Domain: Compliance Validation
Resource: kubernetes_pod
Resource Category: Compute
Resource Type: Pod

Frameworks