1.1.11 Ensure that the admission control policy is set to DenyEscalatingExec

Information

Deny execution of 'exec' and 'attach' commands in privileged pods.

Rationale:

Setting admission control policy to 'DenyEscalatingExec' denies 'exec' and 'attach' commands to pods that run with escalated privileges that allow host access. This includes pods that run as privileged, have access to the host IPC namespace, and have access to the host PID namespace.

Solution

Edit the API server pod specification file '/etc/kubernetes/manifests/kube-apiserver.yaml' on the master node and set the '--admission-control' parameter to a value that includes 'DenyEscalatingExec'.

--admission-control=...,DenyEscalatingExec,...

Impact:

'exec' and 'attach' commands will not work in privileged pods.

See Also

https://workbench.cisecurity.org/files/1788

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-6, CSCv6|14

Plugin: Unix

Control ID: 7f551277f896b2d22188650597e498d7f399dc0014cb0c2bed156bf41fde938b