Admission control plugin SecurityContextDeny is set if PodSecurityPolicy is disabled

kubernetes

Classification:

compliance

Framework:

cis-kubernetes

Control:

1.2.13

Set up the kubernetes integration.

Description

The SecurityContextDeny admission controller can be used to deny pods which make use of some SecurityContext fields which could allow for privilege escalation in the cluster. This should be used where PodSecurityPolicy is not in place within the cluster.

Rationale

SecurityContextDeny can be used to provide a layer of security for clusters which do not have PodSecurityPolicies enabled.

Audit

Run the following command on the master node:

ps -ef | grep kube-apiserver

Verify the --enable-admission-plugins argument is set to a value that includes SecurityContextDeny, if PodSecurityPolicy is not included.

Remediation

Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the –enable-admission-plugins parameter to include SecurityContextDeny, unless PodSecurityPolicy is already in place. –enable-admission-plugins=…,SecurityContextDeny,…

Impact

This admission controller should only be used where Pod Security Policies cannot be used on the cluster, as it can interact poorly with certain Pod Security Policies

Default value

By default, SecurityContextDeny is not set.

References

  1. https://kubernetes.io/docs/admin/kube-apiserver/ 2. https://kubernetes.io/docs/admin/admission-controllers/#securitycontextdeny 3. https://kubernetes.io/docs/user-guide/pod-security-policy/#working-with-rbac

CIS controls

Version 6 5.1 Minimize And Sparingly Use Administrative Privileges Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior. Version 7 5.2 Maintain Secure Images Maintain secure images or templates for all systems in the enterprise based on the organization’s approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.