Source: Kube Bench
ID: 5.2
Version: cis-1.6-k3s

5.2 Pod Security Policies

5.2.1 Minimize the admission of privileged containers (Manual)

Audit: kubectl describe psp <psp_name> | grep MustRunAsNonRoot

Remediation: An operator should apply a PodSecurityPolicy that sets the Rule value to MustRunAsNonRoot. An example of this can be found in the Hardening Guide: https://docs.rancher.cn/docs/k3s/security/hardening-guide/_index

5.2.2 Minimize the admission of containers wishing to share the host process ID namespace (Manual)

Audit: kubectl get psp -o json | jq .items[] | jq -r 'select((.spec.hostPID == null) or (.spec.hostPID == false))' | jq .metadata.name | wc -l | xargs -I {} echo '--count={}'

Remediation: An operator should apply a PodSecurityPolicy that sets the hostPID value to false explicitly for the PSP it creates. An example of this can be found in the Hardening Guide: https://docs.rancher.cn/docs/k3s/security/hardening-guide/_index

5.2.3 Minimize the admission of containers wishing to share the host IPC namespace (Manual)

Audit: kubectl get psp -o json | jq .items[] | jq -r 'select((.spec.hostIPC == null) or (.spec.hostIPC == false))' | jq .metadata.name | wc -l | xargs -I {} echo '--count={}'

Remediation: An operator should apply a PodSecurityPolicy that sets the hostIPC value to false explicitly for the PSP it creates. An example of this can be found in the Hardening Guide: https://docs.rancher.cn/docs/k3s/security/hardening-guide/_index

5.2.4 Minimize the admission of containers wishing to share the host network namespace (Manual)

Audit: kubectl get psp -o json | jq .items[] | jq -r 'select((.spec.hostNetwork == null) or (.spec.hostNetwork == false))' | jq .metadata.name | wc -l | xargs -I {} echo '--count={}'

Remediation: An operator should apply a PodSecurityPolicy that sets the hostNetwork value to false explicitly for the PSP it creates. An example of this can be found in the Hardening Guide: https://docs.rancher.cn/docs/k3s/security/hardening-guide/_index

5.2.5 Minimize the admission of containers with allowPrivilegeEscalation (Manual)

Audit: kubectl get psp -o json | jq .items[] | jq -r 'select((.spec.allowPrivilegeEscalation == null) or (.spec.allowPrivilegeEscalation == false))' | jq .metadata.name | wc -l | xargs -I {} echo '--count={}'

Remediation: An operator should apply a PodSecurityPolicy that sets the allowPrivilegeEscalation value to false explicitly for the PSP it creates. An example of this can be found in the Hardening Guide: https://docs.rancher.cn/docs/k3s/security/hardening-guide/_index

5.2.6 Minimize the admission of root containers (Manual)

Audit: kubectl get psp -o json | jq .items[] | jq -r 'select((.spec.allowPrivilegeEscalation == null) or (.spec.allowPrivilegeEscalation == false))' | jq .metadata.name | wc -l | xargs -I {} echo '--count={}'

Remediation: An operator should apply a PodSecurityPolicy that sets the runAsUser.Rule value to MustRunAsNonRoot. An example of this can be found in the Hardening Guide: https://docs.rancher.cn/docs/k3s/security/hardening-guide/_index

5.2.7 Minimize the admission of containers with the NET_RAW capability (Manual)

Audit: kubectl get psp <psp_name> -o json | jq .spec.requiredDropCapabilities[]

Remediation: An operator should apply a PodSecurityPolicy that sets .spec.requiredDropCapabilities[] to a value of All. An example of this can be found in the Hardening Guide: https://docs.rancher.cn/docs/k3s/security/hardening-guide/_index

5.2.8 Minimize the admission of containers with added capabilities (Manual)

Audit: kubectl get psp

Remediation: An operator should apply a PodSecurityPolicy that sets allowedCapabilities to anything other than an empty array. An example of this can be found in the Hardening Guide: https://docs.rancher.cn/docs/k3s/security/hardening-guide/_index

5.2.9 Minimize the admission of containers with capabilities assigned (Manual)

Audit: kubectl get psp

Remediation: An operator should apply a PodSecurityPolicy that sets requiredDropCapabilities to ALL. An example of this can be found in the Hardening Guide: https://docs.rancher.cn/docs/k3s/security/hardening-guide/_index
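The 5.2.1 to 5.2.9 checks above consolidated into one offline audit, as an added example that is neither kube-bench's nor the benchmark's own code: it evaluates constructed `kubectl get psp -o json` output in Python rather than jq, reads runAsUser.rule for 5.2.6 (the audit line printed for 5.2.6 above repeats the 5.2.5 allowPrivilegeEscalation filter), and treats a non-empty allowedCapabilities as a 5.2.8 finding, following the control's title. The PSP names and specs are made up for the sample; count_compliant reproduces the benchmark's --count=N so the two views can be compared.

```python
import json

# Constructed sample of `kubectl get psp -o json` output (not from a real cluster):
# a restrictive PSP, a permissive one, and one that leaves allowPrivilegeEscalation unset.
PSP_LIST = json.loads("""
{"items": [
 {"metadata": {"name": "restricted-psp"},
  "spec": {"privileged": false, "hostPID": false, "hostIPC": false, "hostNetwork": false,
           "allowPrivilegeEscalation": false, "runAsUser": {"rule": "MustRunAsNonRoot"},
           "requiredDropCapabilities": ["ALL"]}},
 {"metadata": {"name": "permissive-psp"},
  "spec": {"privileged": true, "hostNetwork": true, "allowPrivilegeEscalation": true,
           "runAsUser": {"rule": "RunAsAny"}, "allowedCapabilities": ["NET_ADMIN"]}},
 {"metadata": {"name": "default-psp"},
  "spec": {"runAsUser": {"rule": "MustRunAsNonRoot"}, "requiredDropCapabilities": ["NET_RAW"]}}
]}
""")

def psp_findings(spec):
    """Return the 5.2.x controls that one PSP spec fails, in control order."""
    failed = []
    # 5.2.1-5.2.4: same rule as the benchmark's jq filter; absent (defaults to false) or false passes
    for control, field in [("5.2.1", "privileged"), ("5.2.2", "hostPID"),
                           ("5.2.3", "hostIPC"), ("5.2.4", "hostNetwork")]:
        if spec.get(field) is True:
            failed.append(control)
    # 5.2.5: require an explicit false, because the PSP API defaults allowPrivilegeEscalation to true
    if spec.get("allowPrivilegeEscalation") is not False:
        failed.append("5.2.5")
    # 5.2.6: the runAsUser rule, not allowPrivilegeEscalation, decides whether root is admitted
    if spec.get("runAsUser", {}).get("rule") != "MustRunAsNonRoot":
        failed.append("5.2.6")
    drops = {c.upper() for c in spec.get("requiredDropCapabilities", [])}
    if not drops & {"ALL", "NET_RAW"}:  # 5.2.7: NET_RAW dropped explicitly or via ALL
        failed.append("5.2.7")
    if spec.get("allowedCapabilities"):  # 5.2.8: added capabilities must be absent or empty
        failed.append("5.2.8")
    if "ALL" not in drops:  # 5.2.9: every capability dropped
        failed.append("5.2.9")
    return failed

def audit(psp_list):
    """Map each PSP name to the controls it fails; an empty list means compliant."""
    return {i["metadata"]["name"]: psp_findings(i["spec"]) for i in psp_list["items"]}

def count_compliant(psp_list, field):
    """Reproduce the benchmark's --count=N for one boolean field (null or false passes)."""
    return sum(1 for i in psp_list["items"] if i["spec"].get(field) in (None, False))
```

Note that count_compliant counts default-psp as passing allowPrivilegeEscalation while psp_findings flags it, which is the gap between the benchmark's null-or-false filter and the remediation's "set to false explicitly".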