C-0124 - Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used
Framework
cis-v1.23-t1.0.1
Severity
Medium
Description of the the issue
SecurityContextDeny can be used to provide a layer of security for clusters which do not have PodSecurityPolicies enabled.
Related resources
Pod
What does this control test
The SecurityContextDeny admission controller can be used to deny pods which make use of some SecurityContext fields which could allow for privilege escalation in the cluster. This should be used where PodSecurityPolicy is not in place within the cluster.
How to check it manually
Run the following command on the Control Plane node:
ps -ef | grep kube-apiserver
Verify that the --enable-admission-plugins
argument is set to a value that includes SecurityContextDeny
, if PodSecurityPolicy
is not included.
Remediation
Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
on the Control Plane node and set the --enable-admission-plugins
parameter to include SecurityContextDeny
, unless PodSecurityPolicy
is already in place.
--enable-admission-plugins=...,SecurityContextDeny,...
Impact Statement
This admission controller should only be used where Pod Security Policies cannot be used on the cluster, as it can interact poorly with certain Pod Security Policies
Default Value
By default, SecurityContextDeny
is not set.
Example
No example
Updated 11 days ago