CIS Kubernetes Benchmark 1.5.1 # 5.2

[saurabhpandit]

5.2 Pod Security Policies

• 5.2.1 Minimize the admission of privileged containers
• 5.2.2 Minimize the admission of containers wishing to share the host process ID namespace
• 5.2.3 Minimize the admission of containers wishing to share the host IPC namespace
• 5.2.4 Minimize the admission of containers wishing to share the host network namespace
• 5.2.5 Minimize the admission of containers with allowPrivilegeEscalation
• 5.2.6 Minimize the admission of root containers
• 5.2.7 Minimize the admission of containers with the NET_RAW capability
• 5.2.8 Minimize the admission of containers with added capabilities
• 5.2.9 Minimize the admission of containers with capabilities assigned

[issue-label-bot]

Issue-Label Bot is automatically applying the label feature_request to this issue, with a confidence of 0.85. Please mark this comment with 👍 or 👎 to give our bot feedback!

Links: app homepage, dashboard and code for this bot.

[xunholy]

5.2.1 Minimize the admission of privileged containers

This policy has been completed by virtue of the KubeSec benchmark https://github.com/raspbernetes/k8s-gitops/blob/master/policies/K.SEC.05.rego

Even though there is double up might be worth just using this existing one and creating a new file with the same content essentially for when we push to OCI registry

[xunholy]

Same situation with the following:

5.2.2 Minimize the admission of containers wishing to share the host process ID namespace

https://github.com/raspbernetes/k8s-gitops/blob/master/policies/K.SEC.12.rego

5.2.3 Minimize the admission of containers wishing to share the host IPC namespace

https://github.com/raspbernetes/k8s-gitops/blob/master/policies/K.SEC.10.rego

5.2.4 Minimize the admission of containers wishing to share the host network namespace

https://github.com/raspbernetes/k8s-gitops/blob/master/policies/K.SEC.11.rego

5.2.5 Minimize the admission of containers with allowPrivilegeEscalation

https://github.com/raspbernetes/k8s-gitops/blob/master/policies/K.SEC.15.rego

capabilities may also have some slight overlap.

[issue-label-bot]

Issue-Label Bot is automatically applying the label feature_request to this issue, with a confidence of 0.75. Please mark this comment with 👍 or 👎 to give our bot feedback!

Links: app homepage, dashboard and code for this bot.