1.1.12 Ensure that the admission control policy is set to SecurityContextDeny

Information

Restrict pod level SecurityContext customization. Instead of using a customized SecurityContext for your pods, use a Pod Security Policy (PSP), which is a cluster-level resource that controls the actions that a pod can perform and what it has the ability to access.

Rationale:

Setting admission control policy to 'SecurityContextDeny' denies the pod level SecurityContext customization. Any attempts to customize the SecurityContexts that are not explicitly defined in the Pod Security Policy (PSP) are blocked. This ensures that all the pods adhere to the PSP defined by your organization and you have a uniform pod level security posture.

Solution

Edit the API server pod specification file '/etc/kubernetes/manifests/kube-apiserver.yaml' on the master node and set the '--admission-control' parameter to include 'SecurityContextDeny'.

--admission-control=...,SecurityContextDeny,...

Impact:

None

See Also

https://workbench.cisecurity.org/files/1788

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-6, CSCv6|5.1

Plugin: Unix

Control ID: 9dc30717a5f7aa7dd8e3296206900c4cc71db1a032bfbe1533e755d35fcfcc8a