N/A
Source
Kube Bench
ID
5.2
Version
cis-1.24

5.2 Pod Security Standards

5.2.1 Ensure that the cluster has at least one active policy control mechanism in place (Manual)

Ensure that either Pod Security Admission or an external policy control system is in place for every namespace which contains user workloads.

5.2.2 Minimize the admission of privileged containers (Manual)

Add policies to each namespace in the cluster which has user workloads to restrict the admission of privileged containers.

5.2.3 Minimize the admission of containers wishing to share the host process ID namespace (Automated)

Add policies to each namespace in the cluster which has user workloads to restrict the admission of hostPID containers.

5.2.4 Minimize the admission of containers wishing to share the host IPC namespace (Automated)

Add policies to each namespace in the cluster which has user workloads to restrict the admission of hostIPC containers.

5.2.5 Minimize the admission of containers wishing to share the host network namespace (Automated)

Add policies to each namespace in the cluster which has user workloads to restrict the admission of hostNetwork containers.

5.2.6 Minimize the admission of containers with allowPrivilegeEscalation (Automated)

Add policies to each namespace in the cluster which has user workloads to restrict the admission of containers with .spec.allowPrivilegeEscalation set to true.

5.2.7 Minimize the admission of root containers (Automated)

Create a policy for each namespace in the cluster, ensuring that either MustRunAsNonRoot or MustRunAs with the range of UIDs not including 0, is set.

5.2.8 Minimize the admission of containers with the NET_RAW capability (Automated)

Add policies to each namespace in the cluster which has user workloads to restrict the admission of containers with the NET_RAW capability.

5.2.9 Minimize the admission of containers with added capabilities (Automated)

Ensure that allowedCapabilities is not present in policies for the cluster unless it is set to an empty array.

5.2.10 Minimize the admission of containers with capabilities assigned (Manual)

Review the use of capabilites in applications running on your cluster. Where a namespace contains applicaions which do not require any Linux capabities to operate consider adding a PSP which forbids the admission of containers which do not drop all capabilities.

5.2.11 Minimize the admission of Windows HostProcess containers (Manual)

Add policies to each namespace in the cluster which has user workloads to restrict the admission of containers that have .securityContext.windowsOptions.hostProcess set to true.

5.2.12 Minimize the admission of HostPath volumes (Manual)

Add policies to each namespace in the cluster which has user workloads to restrict the admission of containers with hostPath volumes.

5.2.13 Minimize the admission of containers which use HostPorts (Manual)

Add policies to each namespace in the cluster which has user workloads to restrict the admission of containers which use hostPort sections.