Ensure that the admission control plugin PodSecurityPolicy is set (API Server)

Reject creating pods that do not match Pod Security Policies. A Pod Security Policy is a cluster-level resource that controls the actions that a pod can perform and what it has the ability to access. The PodSecurityPolicy objects define a set of conditions that a pod must run with in order to be accepted into the system. Pod Security Policies are comprised of settings and strategies that control the security features a pod has access to and hence this must be used to control pod access permissions.

Risk Level: High
Cloud Entity: Pods
CloudGuard Rule ID: D9.K8S.IAM.08
Covered by Spectral: Yes
Category: Compute

GSL LOGIC

KubernetesPod where labels contain [value='kube-apiserver'] and namespace = 'kube-system' should have spec.containers with [parsedArgs contain [key like 'enable-admission-plugins' and value like '%PodSecurityPolicy%']]

REMEDIATION

Follow the documentation and create Pod Security Policy objects as per your environment.
Then, edit the API server pod specification file $apiserverconf
on the master node and set the --enable-admission-plugins parameter to a
value that includes PodSecurityPolicy :
--enable-admission-plugins=...,PodSecurityPolicy,...
Then restart the API Server.

References

  1. https://kubernetes.io/docs/admin/kube-apiserver/
  2. https://kubernetes.io/docs/admin/admission-controllers/#podsecuritypolicy
  3. https://kubernetes.io/docs/concepts/policy/pod-security-policy/#enabling-pod-security-policies

Pods

Pods are the smallest deployable units of computing that can be created and managed in Kubernetes.A Pod is a group of one or more containers (such as Docker containers), with shared storage/network, and a specification for how to run the containers.

Compliance Frameworks

  • CIS Kubernetes Benchmark v1.20
  • CIS Kubernetes Benchmark v1.4.0
  • CIS Kubernetes Benchmark v1.5.1
  • CIS Kubernetes Benchmark v1.6.1
  • Kubernetes NIST.SP.800-190
  • Kubernetes v.1.13 CloudGuard Best Practices
  • Kubernetes v.1.14 CloudGuard Best Practices