lacework-global-747

Minimize access to create pods in Roles (Automated)

Description

The ability to create pods in a namespace can provide a number of opportunities for privilege escalation, such as assigning privileged service accounts to these pods or mounting hostPaths with access to sensitive data (unless you implement Pod Security Policies to restrict this access). As such, you should restrict access to create new pods to the smallest possible group of users.

Remediation

Where possible, remove create access to pod objects in the cluster.
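The following is an added example, not part of this policy page or Lacework's own check logic. It shows how to audit Role and ClusterRole objects for the condition this control describes: any rule that grants the `create` verb on core-group `pods`, including wildcard (`*`) rules, which are easy to miss. It also shows a minimal remediation that drops `create` from an explicit verb list. The input is a constructed JSON document shaped like the output of `kubectl get roles,clusterroles -A -o json`; role names and namespaces are made up for illustration.

```python
import json

# Constructed sample, shaped like `kubectl get roles,clusterroles -A -o json`.
# Names and namespaces are invented for this example.
SAMPLE_ROLES_JSON = """
{
  "items": [
    {
      "kind": "Role",
      "metadata": {"name": "pod-creator", "namespace": "dev"},
      "rules": [
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "create"]}
      ]
    },
    {
      "kind": "ClusterRole",
      "metadata": {"name": "wildcard-admin"},
      "rules": [
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}
      ]
    },
    {
      "kind": "Role",
      "metadata": {"name": "pod-reader", "namespace": "dev"},
      "rules": [
        {"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["get", "list", "watch"]}
      ]
    },
    {
      "kind": "Role",
      "metadata": {"name": "deploy-creator", "namespace": "dev"},
      "rules": [
        {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["create"]}
      ]
    }
  ]
}
"""


def rule_grants_pod_create(rule):
    """True if one RBAC rule allows the `create` verb on core-group pods."""
    api_groups = rule.get("apiGroups", [])
    resources = rule.get("resources", [])
    verbs = rule.get("verbs", [])
    # Pods live in the core API group, written as ""; a "*" wildcard covers it too.
    in_core_group = "" in api_groups or "*" in api_groups
    # "pods" or a full wildcard; a subresource such as "pods/log" does not create pods.
    covers_pods = "pods" in resources or "*" in resources
    can_create = "create" in verbs or "*" in verbs
    return in_core_group and covers_pods and can_create


def find_pod_create_roles(roles_json):
    """Return one finding per Role/ClusterRole that has a pod-create rule."""
    items = json.loads(roles_json)["items"]
    findings = []
    for role in items:
        for idx, rule in enumerate(role.get("rules", [])):
            if rule_grants_pod_create(rule):
                meta = role["metadata"]
                findings.append({
                    "kind": role["kind"],
                    "namespace": meta.get("namespace"),  # None for ClusterRoles
                    "name": meta["name"],
                    "rule_index": idx,
                })
                break  # one finding per object is enough
    return findings


def remove_pod_create(rule):
    """Return a copy of the rule with `create` removed from an explicit verb list.

    Returns None when the verbs are a wildcard: rewriting "*" into a safe
    explicit list needs a human decision about what the role really needs.
    """
    if "*" in rule.get("verbs", []):
        return None
    fixed = dict(rule)
    fixed["verbs"] = [v for v in rule.get("verbs", []) if v != "create"]
    return fixed


if __name__ == "__main__":
    for f in find_pod_create_roles(SAMPLE_ROLES_JSON):
        scope = f["namespace"] or "<cluster>"
        print(f'{f["kind"]} {scope}/{f["name"]}: rule {f["rule_index"]} grants create on pods')
```

Running the script against the sample flags `pod-creator` (explicit `create` on `pods`) and `wildcard-admin` (`*` on everything) while leaving `pod-reader` alone. Note that `deploy-creator` is not flagged even though creating a Deployment causes pods to be created by the controller; that indirect path is discussed under the "workload creation" reference linked below and should be reviewed separately from this control.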

References

https://kubernetes.io/docs/concepts/security/rbac-good-practices/#workload-creation