Minimize the admission of FSGroup applied to some volumes (PSP)

Risk Level: Low
Cloud Entity: Pod Security Policies
CloudGuard Rule ID: D9.K8S.IAM.40
Covered by Spectral: Yes
Category: Security, Identity, & Compliance

GSL LOGIC

KubernetesPodSecurityPolicy should have spec.fsGroup.rule='MustRunAs' and spec.fsGroup.ranges contain [ min>0 ]

REMEDIATION

Create a PSP as described in the Kubernetes documentation, ensuring that .spec.fsGroup.rule is set to MustRunAs and that every entry in .spec.fsGroup.ranges has a min of at least 1, so the allowed GIDs never include the root group (GID 0). Note that fsGroup is a group ID, not a user ID: it is the supplemental group applied to the volumes listed in the PSP's volume types, so a range that admits GID 0 lets a pod give itself root-group ownership of those volumes. With MustRunAs, a pod that omits fsGroup is defaulted to the min of the first range, and a pod that requests a GID outside all ranges is rejected. PodSecurityPolicy was deprecated in Kubernetes 1.21 and removed in 1.25; on clusters without the PSP API, enforce the same constraint with an admission controller.
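The following Python evaluates the GSL logic above against PodSecurityPolicy objects and shows the weak setting beside the remediated one. It is an added example, not part of the CloudGuard rule or of Kubernetes; the three manifests are constructed for illustration and follow the JSON shape returned by `kubectl get psp -o json`. The check is slightly stricter than a literal reading of `ranges contain [ min>0 ]`: it requires every range to exclude GID 0, because a pod's fsGroup is accepted if it falls inside any one range.

```python
"""Check PodSecurityPolicy objects for the fsGroup rule discussed on this page.

Added example (not CloudGuard's own code). The manifests are constructed
samples shaped like `kubectl get psp -o json` output.
"""
from typing import Any, Dict, List

# Constructed sample: the weak setting. RunAsAny lets a pod request any
# fsGroup, including GID 0, for its volumes.
WEAK_PSP: Dict[str, Any] = {
    "apiVersion": "policy/v1beta1",
    "kind": "PodSecurityPolicy",
    "metadata": {"name": "permissive"},
    "spec": {"fsGroup": {"rule": "RunAsAny"}, "volumes": ["*"]},
}

# Constructed sample: MustRunAs is set, but the range still starts at 0,
# so a pod can choose fsGroup 0. This must be reported as non-compliant.
ROOT_RANGE_PSP: Dict[str, Any] = {
    "apiVersion": "policy/v1beta1",
    "kind": "PodSecurityPolicy",
    "metadata": {"name": "mustrunas-with-zero"},
    "spec": {
        "fsGroup": {"rule": "MustRunAs", "ranges": [{"min": 0, "max": 65535}]},
        "volumes": ["configMap", "emptyDir", "persistentVolumeClaim"],
    },
}

# Constructed sample: the remediated PSP. Every range has min >= 1, so GID 0
# can never be applied to the volumes this policy admits.
HARDENED_PSP: Dict[str, Any] = {
    "apiVersion": "policy/v1beta1",
    "kind": "PodSecurityPolicy",
    "metadata": {"name": "restricted-fsgroup"},
    "spec": {
        "fsGroup": {"rule": "MustRunAs", "ranges": [{"min": 1, "max": 65535}]},
        "volumes": ["configMap", "emptyDir", "persistentVolumeClaim"],
    },
}


def fsgroup_violations(psp: Dict[str, Any]) -> List[str]:
    """Return the reasons a PSP fails the rule; an empty list means compliant.

    Compliant means spec.fsGroup.rule == 'MustRunAs' and every range in
    spec.fsGroup.ranges is well-formed with min >= 1 (ranges are inclusive,
    so any range whose min is 0 admits the root group).
    """
    name = psp.get("metadata", {}).get("name", "<unnamed>")
    fs_group = psp.get("spec", {}).get("fsGroup") or {}
    problems: List[str] = []

    rule = fs_group.get("rule")
    if rule != "MustRunAs":
        problems.append(f"{name}: spec.fsGroup.rule is {rule!r}, expected 'MustRunAs'")
        return problems  # without MustRunAs the ranges are not enforced at all

    ranges = fs_group.get("ranges") or []
    if not ranges:
        problems.append(f"{name}: MustRunAs set but spec.fsGroup.ranges is empty")

    for idx, rng in enumerate(ranges):
        lo, hi = rng.get("min"), rng.get("max")
        if lo is None or hi is None:
            problems.append(f"{name}: range {idx} is missing min or max")
        elif lo > hi:
            problems.append(f"{name}: range {idx} has min {lo} > max {hi}")
        elif lo < 1:
            problems.append(f"{name}: range {idx} [{lo}, {hi}] admits GID 0")
    return problems


def is_compliant(psp: Dict[str, Any]) -> bool:
    """True when the PSP satisfies the fsGroup rule."""
    return not fsgroup_violations(psp)


def audit(psps: List[Dict[str, Any]]) -> Dict[str, bool]:
    """Map each PSP name to its compliance result, e.g. for a cluster-wide report."""
    return {p["metadata"]["name"]: is_compliant(p) for p in psps}


if __name__ == "__main__":
    for psp in (WEAK_PSP, ROOT_RANGE_PSP, HARDENED_PSP):
        for reason in fsgroup_violations(psp):
            print("FAIL", reason)
    print(audit([WEAK_PSP, ROOT_RANGE_PSP, HARDENED_PSP]))
```

To run this against a live cluster that still serves the PSP API, pass the `items` list from `kubectl get psp -o json` to `audit()`; the constructed manifests are only there so the check runs offline.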

References

  1. https://kubernetes.io/docs/concepts/policy/pod-security-policy

Pod Security Policies

A Pod Security Policy is a cluster-level resource that controls security sensitive aspects of the pod specification. The PodSecurityPolicy objects define a set of conditions that a pod must run with in order to be accepted into the system, as well as defaults for the related fields.

Compliance Frameworks

  • Kubernetes v.1.14 CloudGuard Best Practices