Ensure that the admission control plugin PodSecurityPolicy is set (API Server)
Reject creating pods that do not match Pod Security Policies. A Pod Security Policy is a cluster-level resource that controls the actions that a pod can perform and what it has the ability to access. The PodSecurityPolicy objects define a set of conditions that a pod must run with in order to be accepted into the system. Pod Security Policies are comprised of settings and strategies that control the security features a pod has access to and hence this must be used to control pod access permissions.
Risk Level: High
Cloud Entity: Pods
CloudGuard Rule ID: D9.K8S.IAM.08
Covered by Spectral: Yes
Category: Compute
GSL LOGIC
KubernetesPod where labels contain [value='kube-apiserver'] and namespace = 'kube-system' should have spec.containers with [parsedArgs contain [key like 'enable-admission-plugins' and value like '%PodSecurityPolicy%']]
REMEDIATION
Follow the documentation and create Pod Security Policy objects as per your environment.
Then, edit the API server pod specification file $apiserverconf
on the master node and set the --enable-admission-plugins parameter to a
value that includes PodSecurityPolicy :
--enable-admission-plugins=...,PodSecurityPolicy,...
Then restart the API Server.
References
- https://kubernetes.io/docs/admin/kube-apiserver/
- https://kubernetes.io/docs/admin/admission-controllers/#podsecuritypolicy
- https://kubernetes.io/docs/concepts/policy/pod-security-policy/#enabling-pod-security-policies
Pods
Pods are the smallest deployable units of computing that can be created and managed in Kubernetes.A Pod is a group of one or more containers (such as Docker containers), with shared storage/network, and a specification for how to run the containers.
Compliance Frameworks
- CIS Kubernetes Benchmark v1.20
- CIS Kubernetes Benchmark v1.4.0
- CIS Kubernetes Benchmark v1.5.1
- CIS Kubernetes Benchmark v1.6.1
- Kubernetes NIST.SP.800-190
- Kubernetes v.1.13 CloudGuard Best Practices
- Kubernetes v.1.14 CloudGuard Best Practices
Updated over 1 year ago