1.6.8 Place compensating controls in the form of PSP and RBAC for privileged containers usage - clusterrolebinding

Information

Use Pod Security Policies (PSP) and RBAC authorization to mitigate the risk arising from using privileged containers.

Rationale:

A number of components used by Kubernetes clusters currently make use of privileged containers (e.g. Container Network Interface plugins). Privileged containers pose a risk to the underlying host infrastructure. You should use PSP and RBAC or other forms of authorization to mitigate the risk arising out of such privileged container usage. PSPs should be in place to restrict access to create privileged containers to specific roles only, and access to those roles should be restricted using RBAC role bindings.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Follow Kubernetes documentation and setup PSP and RBAC authorization for your cluster.

Impact:

You need to carefully tune your PSP and RBAC authorization policy to provide minimal access to the components and various accounts.

See Also

https://workbench.cisecurity.org/files/2125

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b., CSCv6|5

Plugin: Unix

Control ID: 03b111cd3f93462adbe83cbdd29d325a1cb2899f14c16a5e3e59c206caf45aec