C-0242 - Hostile multi-tenant workloads

Framework

cis-eks-t1.2.0, cis-aks-t1.2.0

Severity

Medium

Description of the the issue

Related resources

What does this control test

Currently, Kubernetes environments aren't safe for hostile multi-tenant usage. Extra security features, like Pod Security Policies or Kubernetes RBAC for nodes, efficiently block exploits. For true security when running hostile multi-tenant workloads, only trust a hypervisor. The security domain for Kubernetes becomes the entire cluster, not an individual node.

For these types of hostile multi-tenant workloads, you should use physically isolated clusters. For more information on ways to isolate workloads, see Best practices for cluster isolation in AKS.

How to check it manually

Remediation

Impact Statement

Default Value

Example

No example