Risk Level: High
Cloud Entity: Pods
CloudGuard Rule ID: D9.K8S.IAM.44
Covered by Spectral: No
Category: Compute

GSL LOGIC

KubernetesPod where ((not name regexMatch /cp-resource-management/) and (not name regexMatch /flow-logs/) and (namespace != 'kube-system')) should not have spec.containers.securityContext.capabilities.add contain [ 'ALL' ] or spec.containers.securityContext.capabilities.add contain [ 'SYS_ADMIN' ] or spec.containers.securityContext.capabilities.add contain [ 'NET_ADMIN' ] or spec.initContainers.securityContext.capabilities.add contain [ 'ALL' ] or spec.initContainers.securityContext.capabilities.add contain [ 'SYS_ADMIN' ] or spec.initContainers.securityContext.capabilities.add contain [ 'NET_ADMIN' ]

REMEDIATION

Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.requiredDropCapabilities is set to include SYS_ADMIN, NET_ADMIN or ALL.

References

Pods

Pods are the smallest deployable units of computing that can be created and managed in Kubernetes. A Pod is a group of one or more containers (such as Docker containers), with shared storage/network, and a specification for how to run the containers.

Compliance Frameworks

Kubernetes v.1.14 CloudGuard Best Practices