1.1.13 Ensure that the admission control plugin SecurityContextDeny is set

Information

Restrict pod level SecurityContext customization. Instead of using a customized SecurityContext for your pods, use a Pod Security Policy (PSP), which is a cluster-level resource that controls the actions that a pod can perform and what it has the ability to access.

Rationale:

Setting admission control policy to SecurityContextDeny denies the pod level SecurityContext customization. Any attempts to customize the SecurityContexts that are not explicitly defined in the Pod Security Policy (PSP) are blocked. This ensures that all the pods adhere to the PSP defined by your organization and you have a uniform pod level security posture.

Solution

Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the --enable-admission-plugins parameter to include SecurityContextDeny.

--enable-admission-plugins=...,SecurityContextDeny,...

Impact:

None

See Also

https://workbench.cisecurity.org/files/2125

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-6, CSCv6|5.1

Plugin: Unix

Control ID: fdb392c201bc685fece4f05d5e3f4262ac2a0ee962843db8de7dc5097d267e5c