1.2.14 Ensure that the admission control plugin SecurityContextConstraint is set

Information

Reject creating pods that do not match Pod Security Policies.

Rationale:

A Pod Security Policy is a cluster-level resource that controls the actions that a pod can perform and what it has the ability to access. The PodSecurityPolicy objects define a set of conditions that a pod must run with in order to be accepted into the system. Pod Security Policies are composed of settings and strategies that control the security features a pod has access to and hence this must be used to control pod access permissions.

Note: When the PodSecurityPolicy admission plugin is in use, there needs to be at least one PodSecurityPolicy in place for ANY pods to be admitted. See section 5.2 for recommendations on PodSecurityPolicy settings.

Impact:

Default Security Context Constraint objects are present on the cluster and granted by default based on roles. Custom SCCs can be created and granted as needed.

Solution

None.

Default Value:

By default, the SecurityContextConstraints admission controller is configured and cannot be disabled.

See Also

https://workbench.cisecurity.org/benchmarks/16094

Item Details

Category: SYSTEM AND SERVICES ACQUISITION

References: 800-53|SA-15, CSCv7|9.4

Plugin: OpenShift

Control ID: bde35033f2f863fd8b3e21157bc4097fa35c8b557df17f64e1a2890e61483984