Ensure the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used
Error: The admission control plugin SecurityContextDeny is set if PodSecurityPolicy is used
Bridgecrew Policy ID: BC_K8S_58
Checkov Check ID: CKV_K8S_81
Severity: LOW
The admission control plugin SecurityContextDeny is set if PodSecurityPolicy is used
Description
The SecurityContextDeny admission controller can be used to deny pods which make use of some SecurityContext fields which could allow for privilege escalation in the cluster. This should be used where PodSecurityPolicy is not in place within the cluster.
SecurityContextDeny can be used to provide a layer of security for clusters which do not have PodSecurityPolicies enabled.
Fix - Buildtime
Kubernetes
- Kind: Pod
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    component: kube-apiserver
    tier: control-plane
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - command:
+   - kube-apiserver
+   - --enable-admission-plugins=SecurityContextDeny
    image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
...
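The following is an added example of the rule's logic, not Checkov's or Bridgecrew's own implementation: it inspects the command line of the kube-apiserver container in a static Pod manifest and passes only when PodSecurityPolicy or, failing that, SecurityContextDeny appears in --enable-admission-plugins. The manifests are constructed inline as plain dicts (mirroring the page's kube-apiserver Pod) so no YAML library is needed; on a real control-plane node you would load /etc/kubernetes/manifests/kube-apiserver.yaml with yaml.safe_load and pass the result to check_manifest. The helper names (admission_plugins, apiserver_cmdline, check_manifest) are this example's own.

```python
"""Evaluate the SecurityContextDeny / PodSecurityPolicy admission rule
against a kube-apiserver Pod manifest (added example, not Checkov's code)."""
from typing import Dict, Iterable, List

FLAG = "--enable-admission-plugins"


def admission_plugins(command: Iterable[str]) -> List[str]:
    """Return the admission plugins enabled on a kube-apiserver command line.

    Accepts both `--enable-admission-plugins=A,B` and the two-token form
    `--enable-admission-plugins A,B`; returns [] when the flag is absent.
    """
    args = list(command)
    for i, arg in enumerate(args):
        if arg.startswith(FLAG + "="):
            value = arg.split("=", 1)[1]
        elif arg == FLAG and i + 1 < len(args):
            value = args[i + 1]
        else:
            continue
        return [p.strip() for p in value.split(",") if p.strip()]
    return []


def apiserver_cmdline(manifest: Dict) -> List[str]:
    """Concatenate command + args of the container that runs kube-apiserver."""
    for c in manifest.get("spec", {}).get("containers", []):
        cmdline = list(c.get("command", [])) + list(c.get("args", []))
        if cmdline and cmdline[0].endswith("kube-apiserver"):
            return cmdline
    return []


def check_manifest(manifest: Dict) -> Dict[str, object]:
    """Pass when PodSecurityPolicy is enabled, or when it is not and
    SecurityContextDeny is; fail when neither admission plugin is enabled."""
    cmdline = apiserver_cmdline(manifest)
    if not cmdline:
        return {"passed": False, "plugins": [],
                "reason": "no kube-apiserver container found"}
    plugins = admission_plugins(cmdline)
    if "PodSecurityPolicy" in plugins:
        reason = "PodSecurityPolicy admission plugin enabled"
    elif "SecurityContextDeny" in plugins:
        reason = "SecurityContextDeny enabled (PodSecurityPolicy not in use)"
    else:
        return {"passed": False, "plugins": plugins,
                "reason": "neither PodSecurityPolicy nor SecurityContextDeny enabled"}
    return {"passed": True, "plugins": plugins, "reason": reason}


def _apiserver_pod(command: List[str]) -> Dict:
    """Constructed sample manifest mirroring the page's kube-apiserver Pod."""
    return {
        "apiVersion": "v1",
        "kind": "Pod",
        "metadata": {"name": "kube-apiserver", "namespace": "kube-system"},
        "spec": {"containers": [{
            "name": "kube-apiserver",
            "image": "gcr.io/google_containers/kube-apiserver-amd64:v1.6.0",
            "command": command,
        }]},
    }


# Constructed inputs: a failing manifest (no plugin flag), the page's fix,
# and a cluster that relies on PodSecurityPolicy instead.
FAILING = _apiserver_pod(["kube-apiserver", "--secure-port=6443"])
FIXED = _apiserver_pod(["kube-apiserver",
                        "--enable-admission-plugins=SecurityContextDeny"])
PSP_ONLY = _apiserver_pod(["kube-apiserver", "--enable-admission-plugins",
                           "NodeRestriction,PodSecurityPolicy"])

if __name__ == "__main__":
    for name, m in (("failing", FAILING), ("fixed", FIXED), ("psp", PSP_ONLY)):
        r = check_manifest(m)
        print(f"{name}: {'PASSED' if r['passed'] else 'FAILED'} - {r['reason']}")
```

The check reads both `command` and `args`, because kubeadm-generated manifests put the flags in `command` while some distributions place them in `args`; a checker that only reads one of them reports a false failure. Note that on clusters running Kubernetes 1.25 or later the PodSecurityPolicy admission plugin no longer exists and Pod Security Admission is the replacement for both plugins, so this rule mainly applies to older control planes.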