Risk Level: High
Cloud Entity: Pod Security Policies
CloudGuard Rule ID: D9.K8S.IAM.42
Covered by Spectral: Yes
Category: Security, Identity, & Compliance
KubernetesPodSecurityPolicy should have spec.supplementalGroups.rule='MustRunAs' and spec.supplementalGroups.ranges contain [ min>0 ]
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.supplementalGroups.rule is set to MustRunAs with the range of UIDs not including 0.
A Pod Security Policy is a cluster-level resource that controls security-sensitive aspects of the pod specification. PodSecurityPolicy objects define a set of conditions that a pod must run with in order to be accepted into the system, as well as defaults for the related fields.
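As an added example (not part of this CloudGuard page or its rule engine), the following Python checker applies the supplementalGroups condition of this rule to two constructed PodSecurityPolicy manifests. It reads the rule strictly, requiring every declared range to have min > 0; the manifest names and ranges are assumed sample values.

```python
# Added example, not CloudGuard's own rule engine: a minimal checker for the
# spec.supplementalGroups condition described in rule D9.K8S.IAM.42,
# run over two constructed PodSecurityPolicy manifests.
from typing import Any, Dict, List, Tuple


def check_supplemental_groups(psp: Dict[str, Any]) -> Tuple[bool, str]:
    """Return (compliant, reason) for one PodSecurityPolicy manifest.

    Passes only when spec.supplementalGroups.rule is 'MustRunAs' and every
    declared range has min > 0, so group ID 0 cannot be assigned.
    A missing or empty 'ranges' list fails: MustRunAs without ranges gives
    no guarantee about which IDs a pod may use.
    """
    sg = psp.get("spec", {}).get("supplementalGroups")
    if not sg:
        return False, "spec.supplementalGroups is not set"
    rule = sg.get("rule")
    if rule != "MustRunAs":
        return False, f"rule is {rule!r}, expected 'MustRunAs'"
    ranges: List[Dict[str, int]] = sg.get("ranges") or []
    if not ranges:
        return False, "MustRunAs requires at least one range"
    for r in ranges:
        if "min" not in r or r["min"] <= 0:
            return False, f"range {r} allows ID 0"
    return True, "ok"


# Constructed sample manifests (not taken from the original page).
WEAK_PSP = {
    "apiVersion": "policy/v1beta1",
    "kind": "PodSecurityPolicy",
    "metadata": {"name": "weak-example"},
    "spec": {"supplementalGroups": {"rule": "RunAsAny"}},
}

HARDENED_PSP = {
    "apiVersion": "policy/v1beta1",
    "kind": "PodSecurityPolicy",
    "metadata": {"name": "hardened-example"},
    "spec": {
        "supplementalGroups": {
            "rule": "MustRunAs",
            "ranges": [{"min": 1, "max": 65535}],
        }
    },
}

if __name__ == "__main__":
    for name, psp in (("weak", WEAK_PSP), ("hardened", HARDENED_PSP)):
        ok, why = check_supplemental_groups(psp)
        print(f"{name}: {'PASS' if ok else 'FAIL'} ({why})")
```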
- Kubernetes v.1.14 CloudGuard Best Practices