Pod Security Policy should be used to prevent privileged containers where possible and to enforce namespace and workload configurations.

Rationale:

A Pod Security Policy is a cluster-level resource that controls security-sensitive aspects of the pod specification. A PodSecurityPolicy object defines a set of conditions that a pod must run with in order to be accepted into the system, as well as defaults for the related fields. When a request to create or update a Pod does not meet the conditions in the Pod Security Policy, that request is rejected and an error is returned. The Pod Security Policy admission controller validates requests against the available Pod Security Policies. PodSecurityPolicies specify a list of restrictions, requirements, and defaults for Pods created under the policy. See further details on recommended policies in Recommendation section 5.2.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
Using Google Cloud Console

There is no means of enabling the Pod Security Policy Admission controller on an existing or new cluster from the console.

Using Command Line

To enable Pod Security Policy for an existing cluster, run the following command:

    gcloud beta container clusters update [CLUSTER_NAME] \
        --zone [COMPUTE_ZONE] \
        --enable-pod-security-policy

Impact:

If you enable the Pod Security Policy controller without first defining and authorizing any actual policies, no users, controllers, or service accounts can create or update Pods. If you are working with an existing cluster, you should define and authorize policies before enabling the controller.

Default Value:

By default, Pod Security Policy is disabled.