C-0068 - PSP enabled

Prerequisites

Integrate with cloud provider (see here)

Framework

ArmoBest, MITRE, NSA, AllControls

Severity

Low

Description of the the issue

Pod Security Policies enable fine-grained authorization of pod creation and updates and it extends authorization beyond RBAC. It is an important to use PSP to control the creation of sensitive pods in your cluster.

Related resources

Pod

What does this control test

Reading the cluster description from the managed cloud API (EKS, GKE), or the API server pod configuration for native K8s and checking if PSP is enabled

Remediation

Turn Pod Security Policies on in your cluster, if you use other admission controllers to control the behavior that PSP controls, exclude this control from your scans

Example

No example