Ensure PodSecurityPolicy controller is enabled on Kubernetes engine clusters

Error: PodSecurityPolicy controller is not enabled on Kubernetes engine clusters

Bridgecrew Policy ID: BC_GCP_KUBERNETES_9
Checkov Check ID: CKV_GCP_24
Severity: LOW

PodSecurityPolicy controller is not enabled on Kubernetes engine clusters


PodSecurityPolicy is an admission controller resource created to validate requests to create and update Pods on your cluster. The PodSecurityPolicy defines a set of conditions that Pods must meet to be accepted by the cluster. When a request to create or update a Pod does not meet the conditions in the PodSecurityPolicy, that request is rejected and an error is returned.

We recommend you enable PodSecurityPolicy Controller on Kubernetes engine clusters.

Fix - Runtime

Gcloud CLI

To update the cluster to enable the PodSecurityPolicy Controller, use this command:

gcloud beta container clusters update cluster-name --enable-pod-security-policy

More information at: https://cloud.google.com/kubernetes-engine/docs/how-to/pod-security-policies

Fix - Buildtime


First, be sure to have the google-beta provider setup in the google_container_cluster, then add the following block of code:

pod_security_policy_config {
    enabled = true

More information at: https://www.terraform.io/docs/providers/google/r/container_cluster.html#pod_security_policy_config