CNTR-K8-002001 - Kubernetes must enable PodSecurity admission controller on static pods and Kubelets.

Information

PodSecurity admission controller is a component that validates and enforces security policies for pods running within a Kubernetes cluster. It is responsible for evaluating the security context and configuration of pods against defined policies.

To enable PodSecurity admission controller on Static Pods (kube-apiserver, kube-controller-manager, or kube-schedule), the argument '--feature-gates=PodSecurity=true' must be set.

To enable PodSecurity admission controller on Kubelets, the featureGates PodSecurity=true argument must be set.

(Note: The PodSecurity feature gate is GA as of v1.25.)

Solution

On the Control Plane, change to the manifests' directory at /etc/kubernetes/manifests and run the command:
grep -i feature-gates *

Ensure the argument '--feature-gates=PodSecurity=true' is present in each manifest file.

On each Control Plane and Worker Node, run the command:
ps -ef | grep kubelet

Remove the '--feature-gates' option if present.

Note the path to the config file (identified by --config).

Edit the Kubernetes Kubelet config file:
Add a 'featureGates' setting if one does not yet exist. Add the feature gate 'PodSecurity=true'.

Restart the kubelet service using the following command:
systemctl daemon-reload && systemctl restart kubelet

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Kubernetes_V2R2_STIG.zip

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-16a., CAT|I, CCI|CCI-002263, Rule-ID|SV-254801r961359_rule, STIG-ID|CNTR-K8-002001, Vuln-ID|V-254801

Plugin: Unix

Control ID: e0cf90c30593bafb33236759138b93474c6049212d3f63352c707a71635b73ef