For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/kubernetes-security-context-deny-admission-control-plugin-not-set.md. A documentation index is available at /llms.txt.

Security context deny admission control plugin not set

This product is not supported for your selected Datadog site. ().

Metadata

Id: kubernetes-security-context-deny-admission-control-plugin-not-set

Platform: Kubernetes

Severity: Medium

Category: Insecure Configurations

Learn More

Description

For kube-apiserver, the --enable-admission-plugins flag should include SecurityContextDeny when PodSecurityPolicy is not set. The SecurityContextDeny plugin must also be configured in the admission control configuration file. This ensures pod security constraints remain enforced when PodSecurityPolicy is disabled. The rule checks both containers and initContainers command lines for the presence of the flag and plugin.

Compliant Code Examples

apiVersion: v1
kind: Pod
metadata:
  name: command-demo
  labels:
    purpose: demonstrate-command
spec:
  containers:
    - name: command-demo-container
      image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
      command: ["kube-apiserver"]
      args: ["--enable-admission-plugins=SecurityContextDeny", "--admission-control-config-file=path/to/plugin/config/file.yaml"]
  restartPolicy: OnFailure

apiVersion: v1
kind: Pod
metadata:
  name: command-demo
  labels:
    purpose: demonstrate-command
spec:
  containers:
    - name: command-demo-container
      image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
      command: ["kube-apiserver","--enable-admission-plugins=SecurityContextDeny", "--admission-control-config-file=path/to/plugin/config/file.yaml"]
      args: []
  restartPolicy: OnFailure

apiVersion: v1
kind: Pod
metadata:
  name: command-demo
  labels:
    purpose: demonstrate-command
spec:
  containers:
    - name: command-demo-container
      image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
      command: ["kube-apiserver","--enable-admission-plugins=PodSecurityPolicy", "--admission-control-config-file=path/to/plugin/config/file.yaml"]
      args: []
  restartPolicy: OnFailure

Non-Compliant Code Examples

apiVersion: v1
kind: Pod
metadata:
  name: command-demo
  labels:
    purpose: demonstrate-command
spec:
  containers:
    - name: command-demo-container
      image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
      command: ["kube-apiserver"]
      args: ["--enable-admission-plugins=AlwaysAdmit"]
  restartPolicy: OnFailure