lacework-global-750
Minimize the admission of privileged containers (Automated)
Description
Do not generally permit the running of containers with the securityContext.privileged flag set to true.
Remediation
Add policies to each namespace in the cluster which has user workloads to restrict the admission of privileged containers.
To enable Pod Security Admission (PSA) for a namespace in the cluster, assign a value of "restricted" to the pod-security.kubernetes.io/enforce label.
kubectl label --overwrite ns <namespace> pod-security.kubernetes.io/enforce=restricted
You can enable Pod Security Admission for all namespaces using:
kubectl label --overwrite ns --all pod-security.kubernetes.io/warn=baseline
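The following audit script is an added example (not Lacework's or Kubernetes' own code) that checks both halves of this control offline: it flags containers whose securityContext.privileged is true, including init and ephemeral containers, and lists namespaces whose pod-security.kubernetes.io/enforce label is missing or weaker than "restricted" (a namespace carrying only a warn label is still reported, since warn does not block admission). It reads the JSON shape produced by `kubectl get pods -A -o json` and `kubectl get ns -o json`; the sample documents and the default exemption of kube-system are constructed assumptions.

```python
"""Offline audit for privileged containers and missing PSA 'restricted' enforcement.
Input is the JSON that `kubectl get pods -A -o json` / `kubectl get ns -o json` emit."""
import json

PSA_ENFORCE = "pod-security.kubernetes.io/enforce"


def privileged_containers(pod):
    """Return 'namespace/pod:container' for every container in `pod` whose
    securityContext.privileged is true. All three container lists are checked,
    because Pod Security Admission evaluates all of them."""
    meta, spec = pod["metadata"], pod.get("spec", {})
    found = []
    for kind in ("initContainers", "containers", "ephemeralContainers"):
        for c in spec.get(kind, []):
            if c.get("securityContext", {}).get("privileged") is True:
                found.append(f"{meta['namespace']}/{meta['name']}:{c['name']}")
    return found


def unenforced_namespaces(ns_list, skip=("kube-system",)):
    """Return (name, current_enforce_level) for namespaces not enforcing 'restricted'.
    `skip` (assumed default: kube-system) exempts system namespaces without user workloads."""
    out = []
    for ns in ns_list["items"]:
        name = ns["metadata"]["name"]
        if name in skip:
            continue
        level = ns["metadata"].get("labels", {}).get(PSA_ENFORCE)
        if level != "restricted":
            out.append((name, level))
    return out


def audit(pod_list, ns_list):
    """Combine both checks into one report dict."""
    privileged = [hit for pod in pod_list["items"] for hit in privileged_containers(pod)]
    return {"privileged": privileged, "unenforced": unenforced_namespaces(ns_list)}


# Constructed sample data: one compliant namespace, one that only warns, one system namespace.
SAMPLE_NAMESPACES = json.loads("""{"items": [
 {"metadata": {"name": "prod", "labels": {"pod-security.kubernetes.io/enforce": "restricted"}}},
 {"metadata": {"name": "dev", "labels": {"pod-security.kubernetes.io/warn": "baseline"}}},
 {"metadata": {"name": "kube-system", "labels": {}}}]}""")
SAMPLE_PODS = json.loads("""{"items": [
 {"metadata": {"name": "web", "namespace": "prod"},
  "spec": {"containers": [{"name": "app", "securityContext": {"runAsNonRoot": true}}]}},
 {"metadata": {"name": "debug", "namespace": "dev"},
  "spec": {"initContainers": [{"name": "setup", "securityContext": {"privileged": true}}],
           "containers": [{"name": "tool", "securityContext": {"privileged": true}}]}}]}""")

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_PODS, SAMPLE_NAMESPACES), indent=2))
```

Against a live cluster, pipe the two kubectl JSON outputs into `audit()` in place of the sample documents.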
References
https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
https://kubernetes.io/docs/concepts/containers/
https://kubernetes.io/docs/reference/access-authn-authz/psp-to-pod-security-standards/