N/A
Source
Kube Bench
ID
4.2
Version
gke-1.2.0

4.2 Pod Security Policies

4.2.1 Minimize the admission of privileged containers (Automated)

Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.privileged field is omitted or set to false.

4.2.2 Minimize the admission of containers wishing to share the host process ID namespace (Automated)

Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.hostPID field is omitted or set to false.

4.2.3 Minimize the admission of containers wishing to share the host IPC namespace (Automated)

Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.hostIPC field is omitted or set to false.

4.2.4 Minimize the admission of containers wishing to share the host network namespace (Automated)

Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.hostNetwork field is omitted or set to false.

4.2.5 Minimize the admission of containers with allowPrivilegeEscalation (Automated)

Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.allowPrivilegeEscalation field is omitted or set to false.

4.2.6 Minimize the admission of root containers (Automated)

Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.runAsUser.rule is set to either MustRunAsNonRoot or MustRunAs with the range of UIDs not including 0.

4.2.7 Minimize the admission of containers with the NET_RAW capability (Automated)

Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.requiredDropCapabilities is set to include either NET_RAW or ALL.

4.2.8 Minimize the admission of containers with added capabilities (Automated)

Ensure that allowedCapabilities is not present in PSPs for the cluster unless it is set to an empty array.

4.2.9 Minimize the admission of containers with capabilities assigned (Manual)

Review the use of capabilities in applications running on your cluster. Where a namespace contains applications which do not require any Linux capabilities to operate, consider adding a PSP which forbids the admission of containers which do not drop all capabilities (requiredDropCapabilities set to ALL).
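The items above are fields of a single policy, so one restrictive PSP covers 4.2.1 through 4.2.8 and the 4.2.9 recommendation at once. The manifest below is an added example, not text from kube-bench or the CIS benchmark; the policy name restricted, the ClusterRole and RoleBinding names, and the app-ns namespace are assumptions. The RBAC objects are included because a PSP is only consulted for subjects that hold the use verb on it; without that binding the policy exists but admits nothing. The seLinux, supplementalGroups and fsGroup blocks are required by the PSP schema rather than by any 4.2.x item.

```yaml
# Added example: one PSP satisfying 4.2.1-4.2.9, plus the RBAC that lets
# service accounts in the (assumed) namespace app-ns use it.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted            # assumed name
spec:
  privileged: false           # 4.2.1
  hostPID: false              # 4.2.2
  hostIPC: false              # 4.2.3
  hostNetwork: false          # 4.2.4
  allowPrivilegeEscalation: false   # 4.2.5
  runAsUser:
    rule: MustRunAsNonRoot    # 4.2.6 (alternative: MustRunAs with ranges that exclude UID 0)
  requiredDropCapabilities:
    - ALL                     # 4.2.7 (ALL includes NET_RAW) and 4.2.9
  # allowedCapabilities is deliberately omitted            # 4.2.8
  # Fields below are required by the PodSecurityPolicy schema, not by 4.2.x
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: MustRunAs
    ranges:
      - min: 1
        max: 65535
  fsGroup:
    rule: MustRunAs
    ranges:
      - min: 1
        max: 65535
  volumes:                    # hostPath intentionally absent
    - configMap
    - emptyDir
    - projected
    - secret
    - downwardAPI
    - persistentVolumeClaim
---
# Grant the "use" verb on this PSP; the PSP admission controller only
# evaluates policies the requesting subject is authorized to use.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: psp:restricted        # assumed name
rules:
  - apiGroups: ['policy']
    resources: ['podsecuritypolicies']
    verbs: ['use']
    resourceNames: ['restricted']
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: psp:restricted        # assumed name
  namespace: app-ns           # assumed namespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: psp:restricted
subjects:
  - kind: Group
    apiGroup: rbac.authorization.k8s.io
    name: system:serviceaccounts:app-ns   # all service accounts in app-ns
```

Apply with kubectl apply -f and confirm the binding took effect with kubectl auth can-i use podsecuritypolicy/restricted --as=system:serviceaccount:app-ns:default -n app-ns. Two caveats a practitioner should check: the PodSecurityPolicy admission controller is not enabled by default on GKE and must be turned on for the cluster before any PSP is enforced, and admission succeeds if any PSP the subject may use accepts the pod, so a permissive policy bound to the same subjects (directly or via a broad ClusterRoleBinding) still admits privileged containers regardless of this one. PodSecurityPolicy was deprecated in Kubernetes 1.21 and removed in 1.25, so on newer cluster versions the equivalent controls live in Pod Security Admission or a third-party admission controller rather than in a PSP.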