1.1.25 Ensure that the admission control policy is set to PodSecurityPolicy

Information

Reject creating pods that do not match Pod Security Policies.

Rationale:

A Pod Security Policy is a cluster-level resource that controls the actions that a pod can perform and what it has the ability to access. The `PodSecurityPolicy` objects define a set of conditions that a pod must run with in order to be accepted into the system. Pod Security Policies are comprised of settings and strategies that control the security features a pod has access to and hence this must be used to control pod access permissions.

Solution

Follow the documentation and create Pod Security Policy objects as per your environment. Then, edit the `/etc/kubernetes/apiserver` file on the master node and set the `KUBE_ADMISSION_CONTROL` parameter to `'--admission-control=...,PodSecurityPolicy,...'`: `KUBE_ADMISSION_CONTROL='--admission-control=...,PodSecurityPolicy,...'`

Based on your system, restart the `kube-apiserver` service. For example: `systemctl restart kube-apiserver.service`

Impact:

The policy objects must be created and granted before pod creation would be allowed.

See Also

https://workbench.cisecurity.org/files/1738

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-6, CSCv6|14

Plugin: Unix

Control ID: 65685e4271e9647694cb31a2e23990acff8013ad117234c00a542254a98c0f0a