Ensure the admission control plugin PodSecurityPolicy is set

Error: The admission control plugin PodSecurityPolicy is not set

Bridgecrew Policy ID: BC_K8S_61
Checkov Check ID: CKV_K8S_84
Severity: LOW

The admission control plugin PodSecurityPolicy is not set

Description

Reject creating pods that do not match Pod Security Policies.
A Pod Security Policy is a cluster-level resource that controls the actions that a pod can perform and what it has the ability to access. The PodSecurityPolicy objects define a set of conditions that a pod must run with in order to be accepted into the system. Pod Security Policies are comprised of settings and strategies that control the security features a pod has access to and hence this must be used to control pod access permissions.

📘

Note

When the PodSecurityPolicy admission plugin is in use, there needs to be at least one PodSecurityPolicy in place for ANY pods to be admitted. See section 5.2 for recommendations on PodSecurityPolicy settings.

Fix - Buildtime

Kubernetes

  • Kind: Pod
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    component: kube-apiserver
    tier: control-plane
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - command:
+   - kube-apiserver
+   - --enable-admission-plugins=PodSecurityPolicy
    image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
    ...