Minimize the admission of primary group ID the containers are run with (PSP)

Controls which primary group ID the containers are run with. Do not generally permit primary groups to be run as root. If you need to run root primary groups, this should be defined in a separate PSP and you should carefully check RBAC controls to ensure that only limited service accounts and users are given permission to access that PSP.

Risk Level: High
Cloud Entity: Pod Security Policies
CloudGuard Rule ID: D9.K8S.IAM.41
Covered by Spectral: Yes
Category: Security, Identity, & Compliance


KubernetesPodSecurityPolicy should have spec.runAsGroup.rule='MustRunAs' and spec.runAsGroup.ranges contain [ min>0 ]


Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.runAsGroup.rule is set to MustRunAs with the range of UIDs not including 0.



Pod Security Policies

A Pod Security Policy is a cluster-level resource that controls security sensitive aspects of the pod specification. The PodSecurityPolicy objects define a set of conditions that a pod must run with in order to be accepted into the system, as well as defaults for the related fields.

Compliance Frameworks

  • Kubernetes v.1.14 CloudGuard Best Practices