lacework-global-334

info

This rule also encompasses lacework-global-664. See Adjusted Rules for CIS Amazon EKS 1.1.0 for further details.

4.1.4 Minimize access to create pods in ClusterRoles (Automated)

note

This rule has been changed to automated, see Automated Policies for CIS Amazon EKS 1.1.0 for details.

Profile Applicability

• Level 1

Description

The ability to create pods in a namespace can provide a number of opportunities for privilege escalation, such as assigning privileged service accounts to these pods or mounting hostPaths with access to sensitive data (unless using Pod Security Policies to restrict this access).

As such, you should restrict access to create new pods to the smallest possible group of users.

Rationale

The ability to create pods in a cluster opens up possibilities for privilege escalation and should be restricted, where possible.

Impact

Care should be taken not to remove access to pods to system components which require this for their operation

Audit

Review the users who have create access to pod objects in the Kubernetes API.

Remediation

Where possible, remove create access to pod objects in the cluster.

4.1.4 Minimize access to create pods in ClusterRoles (Automated)​

Profile Applicability​

Description​

Rationale​

Impact​

Audit​

Remediation​