Ensure that either Pod Security Admission or an external policy control system is in place for every namespace which contains user workloads.
Add policies to each namespace in the cluster which has user workloads to restrict the admission of privileged containers.
Add policies to each namespace in the cluster which has user workloads to restrict the admission of hostPID containers.
Add policies to each namespace in the cluster which has user workloads to restrict the admission of hostIPC containers.
Add policies to each namespace in the cluster which has user workloads to restrict the admission of hostNetwork containers.
Add policies to each namespace in the cluster which has user workloads to restrict the admission of containers with .spec.allowPrivilegeEscalation set to true.
Create a policy for each namespace in the cluster, ensuring that either MustRunAsNonRoot or MustRunAs with the range of UIDs not including 0, is set.
Add policies to each namespace in the cluster which has user workloads to restrict the admission of containers with the NET_RAW capability.
Ensure that allowedCapabilities is not present in policies for the cluster unless it is set to an empty array.
Review the use of capabilities in applications running on your cluster. Where a namespace contains applications which do not require any Linux capabilities to operate, consider adding a PSP which forbids the admission of containers which do not drop all capabilities.
Add policies to each namespace in the cluster which has user workloads to restrict the admission of containers that have .securityContext.windowsOptions.hostProcess set to true.
Add policies to each namespace in the cluster which has user workloads to restrict the admission of containers with hostPath volumes.
Add policies to each namespace in the cluster which has user workloads to restrict the admission of containers which use hostPort sections.
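The following is an added example, not part of the benchmark text: a small audit function that checks a Pod manifest (assumed already parsed into a dict, for instance with yaml.safe_load) against the namespace-level restrictions listed above, so a defender can spot which of them a workload would violate before relying on admission policy alone. The two sample manifests at the end are constructed for illustration.

```python
# Added example (not from the benchmark text): audit a parsed Pod manifest against the
# namespace restrictions above. Returns one finding per violation; empty list means pass.

def audit_pod(pod: dict) -> list:
    spec = pod.get("spec", {})
    name = pod.get("metadata", {}).get("name", "<unnamed>")
    pod_sc = spec.get("securityContext", {})
    out = []
    for key in ("hostPID", "hostIPC", "hostNetwork"):  # host namespace sharing
        if spec.get(key):
            out.append(f"{name}: {key} is true")
    for vol in spec.get("volumes", []):  # hostPath volumes
        if "hostPath" in vol:
            out.append(f"{name}: volume {vol.get('name')} uses hostPath")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        cname = f"{name}/{c.get('name', '<unnamed>')}"
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            out.append(f"{cname}: privileged is true")
        # Kubernetes defaults allowPrivilegeEscalation to true, so an unset field is a finding.
        if sc.get("allowPrivilegeEscalation", True):
            out.append(f"{cname}: allowPrivilegeEscalation is not false")
        # Container-level settings override pod-level ones; unset runAsUser means image default.
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False))
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
        if not non_root and uid in (None, 0):
            out.append(f"{cname}: may run as UID 0")
        caps = sc.get("capabilities", {})
        drop = {x.upper() for x in caps.get("drop", [])}
        if "ALL" not in drop and "NET_RAW" not in drop:
            out.append(f"{cname}: NET_RAW is not dropped")
        if caps.get("add"):
            out.append(f"{cname}: adds capabilities {sorted(caps['add'])}")
        # hostProcess may be set at pod or container level; either is a finding.
        if any(x.get("windowsOptions", {}).get("hostProcess") for x in (sc, pod_sc)):
            out.append(f"{cname}: windowsOptions.hostProcess is true")
        for p in c.get("ports", []):  # hostPort sections
            if p.get("hostPort"):
                out.append(f"{cname}: containerPort {p.get('containerPort')} uses hostPort")
    return out

# Constructed sample manifests: one violating most checks, one that should pass.
BAD_POD = {"metadata": {"name": "bad"}, "spec": {"hostPID": True, "hostNetwork": True,
    "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
    "containers": [{"name": "app", "ports": [{"containerPort": 80, "hostPort": 8080}],
        "securityContext": {"privileged": True, "runAsUser": 0,
                            "capabilities": {"add": ["NET_ADMIN"]}}}]}}
GOOD_POD = {"metadata": {"name": "good"}, "spec": {"securityContext": {"runAsNonRoot": True},
    "containers": [{"name": "app", "securityContext": {"allowPrivilegeEscalation": False,
                                                       "capabilities": {"drop": ["ALL"]}}}]}}
```

Running audit_pod over every Pod in a namespace gives a quick picture of what would be rejected once a restricted Pod Security Admission level or an equivalent external policy is enforced there.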