N/A
Source: Kube Bench
ID: 5.2
Version: rh-1.0

5.2 Pod Security Policies

5.2.1 Minimize the admission of privileged containers (Manual)

Create a SCC as described in the OpenShift documentation, ensuring that the Allow Privileged field is set to false.

5.2.2 Minimize the admission of containers wishing to share the host process ID namespace (Manual)

Create a SCC as described in the OpenShift documentation, ensuring that the Allow Host PID field is set to false.

5.2.3 Minimize the admission of containers wishing to share the host IPC namespace (Manual)

Create a SCC as described in the OpenShift documentation, ensuring that the Allow Host IPC field is set to false.

5.2.4 Minimize the admission of containers wishing to share the host network namespace (Manual)

Create a SCC as described in the OpenShift documentation, ensuring that the Allow Host Network field is omitted or set to false.

5.2.5 Minimize the admission of containers with allowPrivilegeEscalation (Manual)

Create a SCC as described in the OpenShift documentation, ensuring that the Allow Privilege Escalation field is omitted or set to false.

5.2.6 Minimize the admission of root containers (Manual)

None required. By default, OpenShift includes the nonroot SCC, whose Run As User Strategy is set to MustRunAsNonRoot. If additional SCCs are appropriate, follow the OpenShift documentation to create custom SCCs.

5.2.7 Minimize the admission of containers with the NET_RAW capability (Manual)

Create a SCC as described in the OpenShift documentation, ensuring that the Required Drop Capabilities is set to include either NET_RAW or ALL.

5.2.8 Minimize the admission of containers with added capabilities (Manual)

Ensure that Allowed Capabilities is set to an empty array for every SCC in the cluster except for the privileged SCC.

5.2.9 Minimize the admission of containers with capabilities assigned (Manual)

Review the use of capabilities in applications running on your cluster. Where a namespace contains applications which do not require any Linux capabilities to operate, consider adding an SCC which forbids the admission of containers which do not drop all capabilities.
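As an added example (not part of the Kube Bench text or the OpenShift project), the following Python audits a list of SCCs in the shape returned by `oc get scc -o json` against checks 5.2.1 to 5.2.8 above. The SCC names and field values in the sample list are constructed; checks 5.2.4 and 5.2.5 follow the wording above and treat an omitted field as compliant, and 5.2.6 accepts only the MustRunAsNonRoot strategy the text names.

```python
"""Audit SecurityContextConstraints against checks 5.2.1-5.2.8 (example code)."""
import json

# Check id -> (what a compliant SCC looks like, predicate that is True when it passes).
# Field names are the real top-level SCC fields (security.openshift.io/v1).
CHECKS = {
    "5.2.1": ("allowPrivilegedContainer is false",
              lambda s: not s.get("allowPrivilegedContainer", False)),
    "5.2.2": ("allowHostPID is false",
              lambda s: not s.get("allowHostPID", False)),
    "5.2.3": ("allowHostIPC is false",
              lambda s: not s.get("allowHostIPC", False)),
    "5.2.4": ("allowHostNetwork omitted or false",   # omitted passes, per the text
              lambda s: not s.get("allowHostNetwork", False)),
    "5.2.5": ("allowPrivilegeEscalation omitted or false",  # omitted passes, per the text
              lambda s: not s.get("allowPrivilegeEscalation", False)),
    "5.2.6": ("runAsUser.type is MustRunAsNonRoot",
              lambda s: (s.get("runAsUser") or {}).get("type") == "MustRunAsNonRoot"),
    "5.2.7": ("requiredDropCapabilities includes NET_RAW or ALL",
              lambda s: bool({"NET_RAW", "ALL"} & set(s.get("requiredDropCapabilities") or []))),
    "5.2.8": ("allowedCapabilities is empty",        # null and [] both count as empty
              lambda s: not (s.get("allowedCapabilities") or [])),
}

def audit_scc(scc):
    """Return the ids of the checks this SCC fails, in benchmark order."""
    return [cid for cid, (_, passes) in CHECKS.items() if not passes(scc)]

def audit_cluster(scc_list_json, skip=("privileged",)):
    """Map SCC name -> failed check ids for every SCC in an `oc get scc -o json`
    document, skipping the built-in privileged SCC (exempted by 5.2.8 above)."""
    items = json.loads(scc_list_json)["items"]
    return {i["metadata"]["name"]: audit_scc(i)
            for i in items if i["metadata"]["name"] not in skip}

# Constructed sample: one built-in, one hardened SCC and one legacy SCC.
SAMPLE_SCC_LIST = json.dumps({"items": [
    {"metadata": {"name": "privileged"}, "allowPrivilegedContainer": True,
     "allowHostPID": True, "allowHostIPC": True, "allowHostNetwork": True,
     "allowPrivilegeEscalation": True, "runAsUser": {"type": "RunAsAny"},
     "allowedCapabilities": ["*"], "requiredDropCapabilities": None},
    {"metadata": {"name": "app-restricted"}, "allowPrivilegedContainer": False,
     "allowHostPID": False, "allowHostIPC": False,
     "runAsUser": {"type": "MustRunAsNonRoot"},
     "allowedCapabilities": [], "requiredDropCapabilities": ["ALL"]},
    {"metadata": {"name": "legacy-net"}, "allowPrivilegedContainer": False,
     "allowHostPID": True, "allowHostIPC": False, "allowHostNetwork": True,
     "allowPrivilegeEscalation": True, "runAsUser": {"type": "RunAsAny"},
     "allowedCapabilities": ["NET_ADMIN"], "requiredDropCapabilities": ["KILL"]},
]})

if __name__ == "__main__":
    for name, failed in audit_cluster(SAMPLE_SCC_LIST).items():
        print(name, "OK" if not failed else "fails " + ", ".join(failed))
```

Against a live cluster, feed `oc get scc -o json` output to `audit_cluster` instead of the constructed sample.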