CIS-5.2.1 - Ensure that the cluster has at least one active policy control mechanism in place

Ensure that the cluster has at least one active policy control mechanism in place

Framework

CIS

Severity

Medium

Description of the the issue

Without an active policy control mechanism, it is not possible to limit the use of containers with access to underlying cluster nodes, via mechanisms like privileged containers, or the use of hostPath volume mounts.

Related resources

MutatingWebhookConfiguration, Namespace, ValidatingWebhookConfiguration

What does this control test

Checks that every namespace enabled pod security admission, or if there are external policies applied for namespaced resources (validating/mutating webhooks)

How to check it manually

Pod Security Admission is enabled by default on all clusters using Kubernetes 1.23 or higher. To assess what controls, if any, are in place using this mechanism, review the namespaces in the cluster to see if therequired labels have been applied

kubectl get namespaces -o yaml

To confirm if any external policy control system is in use, review the cluster for the presence of validatingadmissionwebhook and mutatingadmissionwebhook objects.

kubectl get validatingwebhookconfigurations

kubectl get mutatingwebhookconfigurations

Remediation

Ensure that either Pod Security Admission or an external policy control system is in place for every namespace which contains user workloads.

Impact Statement

Where policy control systems are in place, there is a risk that workloads required for the operation of the cluster may be stopped from running. Care is required when implementing admission control policies to ensure that this does not occur.

Default Value

By default, Pod Security Admission is enabled but no policies are in place.

Example

No example