Ensure PodSecurityPolicy controller is enabled on Kubernetes engine clusters
Error: PodSecurityPolicy controller is not enabled on Kubernetes engine clusters
Bridgecrew Policy ID: BC_GCP_KUBERNETES_9
Checkov Check ID: CKV_GCP_24
Severity: LOW
Description
PodSecurityPolicy is an admission controller resource created to validate requests to create and update Pods on your cluster. The PodSecurityPolicy defines a set of conditions that Pods must meet to be accepted by the cluster. When a request to create or update a Pod does not meet the conditions in the PodSecurityPolicy, that request is rejected and an error is returned.
We recommend you enable the PodSecurityPolicy controller on Kubernetes Engine clusters.
Fix - Runtime
Gcloud CLI
To update the cluster to enable the PodSecurityPolicy Controller, use this command:
gcloud beta container clusters update cluster-name --enable-pod-security-policy
More information at: https://cloud.google.com/kubernetes-engine/docs/how-to/pod-security-policies
Fix - Buildtime
Terraform
First, make sure the google-beta provider is set up for the google_container_cluster resource, then add the following block of code:
pod_security_policy_config {
  enabled = true
}
More information at: https://www.terraform.io/docs/providers/google/r/container_cluster.html#pod_security_policy_config
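The following is an added example, not Checkov's own implementation of CKV_GCP_24: a standalone Python check that evaluates google_container_cluster configurations for the pod_security_policy_config block shown above. It assumes the resources have already been parsed from HCL into plain Python dicts (the sample clusters are constructed inline), with nested blocks represented as lists of dicts.

```python
from typing import Any, Dict, List

PASSED, FAILED = "PASSED", "FAILED"

def _as_list(value: Any) -> List[Any]:
    # HCL parsers often wrap every attribute and block in a list; normalise.
    return value if isinstance(value, list) else [value]

def check_psp_enabled(resource: Dict[str, Any]) -> str:
    """Evaluate one google_container_cluster configuration.

    PASSED only when a pod_security_policy_config block exists and its
    enabled attribute is boolean true (or the literal string "true", which
    some HCL parsers emit). A missing block, missing key, or false -> FAILED.
    """
    blocks = _as_list(resource.get("pod_security_policy_config") or [])
    if not blocks or not isinstance(blocks[0], dict):
        return FAILED
    enabled = _as_list(blocks[0].get("enabled", False))
    return PASSED if enabled and enabled[0] in (True, "true") else FAILED

def scan_clusters(resources: Dict[str, Dict[str, Any]]) -> Dict[str, str]:
    """Map each google_container_cluster address to its CKV_GCP_24-style verdict."""
    return {address: check_psp_enabled(conf) for address, conf in resources.items()}

# Constructed sample input: three clusters as a parser would hand them over.
SAMPLE_CLUSTERS = {
    "google_container_cluster.hardened": {
        "provider": "google-beta",
        "name": "hardened",
        "pod_security_policy_config": [{"enabled": True}],
    },
    "google_container_cluster.legacy": {
        "name": "legacy",
        # no pod_security_policy_config block at all -> fails
    },
    "google_container_cluster.disabled": {
        "provider": "google-beta",
        "name": "disabled",
        "pod_security_policy_config": [{"enabled": False}],
    },
}

if __name__ == "__main__":
    for address, verdict in scan_clusters(SAMPLE_CLUSTERS).items():
        print(f"CKV_GCP_24 {verdict}: {address}")
```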