lacework-global-750

Minimize the admission of privileged containers (Automated)

Description

Do not generally permit the running of containers with the securityContext.privileged flag set to true.

Remediation

Add policies to each namespace in the cluster which has user workloads to restrict the admission of privileged containers.

To enable Pod Security Admission (PSA) for a namespace in the cluster, assign a value of "restricted" to the pod-security.kubernetes.io/enforce label.

kubectl label --overwrite ns <namespace> pod-security.kubernetes.io/enforce=restricted

You can enable Pod Security Admission for all namespaces using:

kubectl label --overwrite ns --all pod-security.kubernetes.io/warn=baseline
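The two labels above do different things: enforce rejects non-conforming pods at admission, while warn only returns a warning to the client and still admits the pod. A practitioner auditing this control therefore wants to see both which namespaces actually enforce the restricted profile and which running pods would fail it. The following is an added example, not code from Lacework, the CIS benchmark or the Kubernetes project. It assumes you have saved `kubectl get ns -o json` and `kubectl get pods -A -o json` output to pass in; the sample documents embedded below are constructed to stand in for that output so the script runs offline.

```python
"""Offline audit for this control, run against saved kubectl JSON output:

  1. namespaces whose pod-security.kubernetes.io/enforce label is not
     "restricted" (a warn or audit label alone does not block admission)
  2. pods declaring securityContext.privileged: true on any container,
     including init and ephemeral containers, which PSA also evaluates

The two SAMPLE_* documents are constructed test data, not from a real cluster.
"""
import json

ENFORCE_LABEL = "pod-security.kubernetes.io/enforce"
WARN_LABEL = "pod-security.kubernetes.io/warn"

# Constructed sample in the shape of `kubectl get ns -o json`.
SAMPLE_NAMESPACES = json.dumps({
    "items": [
        {"metadata": {"name": "payments",
                      "labels": {ENFORCE_LABEL: "restricted"}}},
        # Only warns: pods are still admitted, so this namespace is a finding.
        {"metadata": {"name": "batch",
                      "labels": {WARN_LABEL: "baseline"}}},
        {"metadata": {"name": "legacy", "labels": {}}},
    ]
})

# Constructed sample in the shape of `kubectl get pods -A -o json`.
SAMPLE_PODS = json.dumps({
    "items": [
        {"metadata": {"name": "web-0", "namespace": "payments"},
         "spec": {"containers": [
             {"name": "web", "securityContext": {"privileged": False}}]}},
        {"metadata": {"name": "node-tuner", "namespace": "legacy"},
         "spec": {
             "initContainers": [
                 {"name": "sysctl", "securityContext": {"privileged": True}}],
             "containers": [
                 {"name": "agent", "securityContext": {"privileged": True}},
                 {"name": "sidecar"}]}},
    ]
})


def namespaces_not_enforcing_restricted(ns_json: str) -> dict:
    """Map namespace name -> current enforce level ("" when the label is
    absent) for every namespace that does not enforce 'restricted'."""
    findings = {}
    for item in json.loads(ns_json)["items"]:
        meta = item["metadata"]
        level = (meta.get("labels") or {}).get(ENFORCE_LABEL, "")
        if level != "restricted":
            findings[meta["name"]] = level
    return findings


def privileged_containers(pods_json: str) -> list:
    """Return "namespace/pod/container" for each container whose
    securityContext.privileged is exactly true."""
    hits = []
    for pod in json.loads(pods_json)["items"]:
        meta, spec = pod["metadata"], pod.get("spec", {})
        for kind in ("initContainers", "containers", "ephemeralContainers"):
            for c in spec.get(kind, []):
                if (c.get("securityContext") or {}).get("privileged") is True:
                    hits.append(f"{meta['namespace']}/{meta['name']}/{c['name']}")
    return hits


if __name__ == "__main__":
    print("namespaces without enforce=restricted:")
    for name, level in namespaces_not_enforcing_restricted(SAMPLE_NAMESPACES).items():
        print(f"  {name}: enforce={level or '<unset>'}")
    print("privileged containers:")
    for hit in privileged_containers(SAMPLE_PODS):
        print(f"  {hit}")
```

Run the namespace check first: a namespace that appears in its output is one where the `kubectl label ... enforce=restricted` command above has not yet taken effect, and any privileged container the second check reports in that namespace is exactly the workload that would be rejected once it does.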

References

https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
https://kubernetes.io/docs/concepts/containers/
https://kubernetes.io/docs/reference/access-authn-authz/psp-to-pod-security-standards/