Minimize the admission of SupplementalGroups in containers (PSP)

Controls which supplemental group IDs containers can add. As a general rule, do not permit supplemental groups to run as root. If you do need root supplemental groups, define them in a separate PSP and carefully check the RBAC controls so that only a limited set of service accounts and users is granted permission to use that PSP.

Risk Level: High
Cloud Entity: Pod Security Policies
CloudGuard Rule ID: D9.K8S.IAM.42
Covered by Spectral: Yes
Category: Security, Identity, & Compliance

GSL LOGIC

KubernetesPodSecurityPolicy should have spec.supplementalGroups.rule='MustRunAs' and spec.supplementalGroups.ranges contain [ min>0 ]

REMEDIATION

Create a PSP as described in the Kubernetes documentation, ensuring that .spec.supplementalGroups.rule is set to MustRunAs and that the declared range of group IDs (GIDs) does not include 0.
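The check below is an added example, not CloudGuard's own code: it applies the GSL logic above to PodSecurityPolicy manifests loaded as Python dicts (the structure yaml.safe_load or `kubectl get psp -o json` produces), and deliberately requires every declared range to start above 0, which is stricter than a literal "ranges contain [min>0]". The sample policies and the helper names are constructed for this example.

```python
# Added example (not CloudGuard's code): audit PSPs for the supplementalGroups
# rule. Sample policies below are constructed for illustration.
from typing import Dict, List


def psp_supplemental_groups_compliant(psp: dict) -> bool:
    """True when spec.supplementalGroups.rule is MustRunAs and every declared
    range starts above 0, so GID 0 (root) can never be admitted. One range
    with min > 0 does not help if another range still starts at 0."""
    sg = psp.get("spec", {}).get("supplementalGroups") or {}
    if sg.get("rule") != "MustRunAs":
        return False          # the rule demands MustRunAs; RunAsAny admits any GID
    ranges = sg.get("ranges") or []
    if not ranges:
        return False          # MustRunAs with no ranges constrains nothing
    return all(isinstance(r.get("min"), int) and r["min"] > 0 for r in ranges)


def audit(psps: List[dict]) -> Dict[str, bool]:
    """Map each PSP name to its compliance result."""
    return {p["metadata"]["name"]: psp_supplemental_groups_compliant(p)
            for p in psps}


def _psp(name: str, supplemental_groups: dict) -> dict:
    # Hypothetical helper that builds a minimal PSP manifest for the samples.
    return {"apiVersion": "policy/v1beta1", "kind": "PodSecurityPolicy",
            "metadata": {"name": name},
            "spec": {"supplementalGroups": supplemental_groups}}


# Constructed samples: permissive, a MustRunAs range that still admits GID 0,
# and a compliant policy whose range starts at 1.
SAMPLE_PSPS = [
    _psp("permissive", {"rule": "RunAsAny"}),
    _psp("root-range", {"rule": "MustRunAs",
                        "ranges": [{"min": 0, "max": 65535}]}),
    _psp("restricted", {"rule": "MustRunAs",
                        "ranges": [{"min": 1, "max": 65535}]}),
]

if __name__ == "__main__":
    for name, ok in audit(SAMPLE_PSPS).items():
        print(f"{name}: {'compliant' if ok else 'NON-COMPLIANT'}")
```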

References

  1. https://kubernetes.io/docs/concepts/policy/pod-security-policy

Pod Security Policies

A Pod Security Policy is a cluster-level resource that controls security-sensitive aspects of the pod specification. PodSecurityPolicy objects define a set of conditions that a pod must run with in order to be accepted into the system, as well as defaults for the related fields. Note that PodSecurityPolicy was deprecated in Kubernetes v1.21 and removed in v1.25, so this rule applies to clusters that still run the admission controller.

Compliance Frameworks

  • Kubernetes v.1.14 CloudGuard Best Practices