Without an active policy control mechanism, it is not possible to limit the use of containers with access to underlying cluster nodes, via mechanisms like privileged containers, or the use of hostPath volume mounts.
MutatingWebhookConfiguration, Namespace, ValidatingWebhookConfiguration
Checks that every namespace enabled pod security admission, or if there are external policies applied for namespaced resources (validating/mutating webhooks)
Pod Security Admission is enabled by default on all clusters using Kubernetes 1.23 or higher. To assess what controls, if any, are in place using this mechanism, review the namespaces in the cluster to see if therequired labels have been applied
kubectl get namespaces -o yaml
To confirm if any external policy control system is in use, review the cluster for the presence of
kubectl get validatingwebhookconfigurations
kubectl get mutatingwebhookconfigurations
Ensure that either Pod Security Admission or an external policy control system is in place for every namespace which contains user workloads.
Where policy control systems are in place, there is a risk that workloads required for the operation of the cluster may be stopped from running. Care is required when implementing admission control policies to ensure that this does not occur.
By default, Pod Security Admission is enabled but no policies are in place.
Updated 6 days ago