C-0068 - PSP enabled

PSP enabled

Note: this control relevant for cloud managed Kubernetes cluster


ArmoBest, NSA, MITRE, AllControls



Description of the the issue

Pod Security Policies enable fine-grained authorization of pod creation and updates and it extends authorization beyond RBAC. It is an important to use PSP to control the creation of sensitive PODs in your cluster.

Related resources


What does this control test

Reading the cluster description from the managed cloud API (EKS, GKE), or the API server pod configuration for native K8s and checking if PSP is enabled


Turn Pod Security Policies on in your cluster, if you use other admission controllers to control the behavior that PSP controls, exclude this control from your scans


No example