Pod security policy admission control plugin not set
This product is not supported for your selected
Datadog site. (
).
Id: afa36afb-39fe-4d94-b9b6-afb236f7a03d
Cloud Provider: Kubernetes
Platform: Kubernetes
Severity: High
Category: Build Process
Learn More
Description
When a kube-apiserver container is present (in containers or initContainers), the --enable-admission-plugins flag should include PodSecurityPolicy. The rule inspects the container command for kube-apiserver and reports a MissingAttribute if the flag does not contain PodSecurityPolicy. The admission control configuration file should also be correctly configured to enable the plugin.
Compliant Code Examples
apiVersion: v1
kind: Pod
metadata:
name: command-demo
labels:
purpose: demonstrate-command
spec:
containers:
- name: command-demo-container
image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
command: ["kube-apiserver"]
args: ["--enable-admission-plugins=PodSecurityPolicy", "--admission-control-config-file=path/to/plugin/config/file.yaml"]
restartPolicy: OnFailure
apiVersion: v1
kind: Pod
metadata:
name: command-demo
labels:
purpose: demonstrate-command
spec:
containers:
- name: command-demo-container
image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
command: ["kube-apiserver","--enable-admission-plugins=PodSecurityPolicy", "--admission-control-config-file=path/to/plugin/config/file.yaml"]
args: []
restartPolicy: OnFailure
Non-Compliant Code Examples
apiVersion: v1
kind: Pod
metadata:
name: command-demo
labels:
purpose: demonstrate-command
spec:
containers:
- name: command-demo-container
image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
command: ["kube-apiserver"]
args: ["--enable-admission-plugins=AlwaysAdmit"]
restartPolicy: OnFailure
