5.1.4 Minimize access to create pods

Information

The ability to create pods in a namespace can provide a number of opportunities for privilege escalation, such as assigning privileged service accounts to these pods or mounting hostPaths with access to sensitive data (unless Pod Security Policies are implemented to restrict this access)

As such, access to create new pods should be restricted to the smallest possible group of users.

Rationale:

The ability to create pods in a cluster opens up possibilities for privilege escalation and should be restricted, where possible.

Impact:

Care should be taken not to remove access to pods to system components which require this for their operation

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Where possible, remove create access to pod objects in the cluster.

Default Value:

By default in a kubeadm cluster the following list of principals have create privileges on pod objects

See Also

https://workbench.cisecurity.org/benchmarks/16094

Item Details

Category: CONFIGURATION MANAGEMENT, SYSTEM AND INFORMATION INTEGRITY

References: 800-53|CM-7, 800-53|CM-7(1), 800-53|SI-7, 800-53|SI-7(1), CSCv7|5.2

Plugin: OpenShift

Control ID: 88a0e5acea50747d6ccc1876d82b1ea56c3a0daac35158fce48bb31629cae8c1