Benchmark: Pod Security Policy
Description
This section contains recommendations for configuring Pod Security Policy resources.
Usage
Install the mod:

mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-kubernetes-compliance

Start the Powerpipe server:

steampipe service start
powerpipe server

Open http://localhost:9033 in your browser and select Pod Security Policy.

Run this benchmark in your terminal:

powerpipe benchmark run kubernetes_compliance.benchmark.all_controls_pod_security_policy

Snapshot and share results via Turbot Pipes:

powerpipe benchmark run kubernetes_compliance.benchmark.all_controls_pod_security_policy --share

Controls
- Pod Security Policy should prohibit hostPath volumes
- Pod Security Policy should prohibit containers from running with privileged access
- Pod Security Policy should prohibit privilege escalation
- Seccomp profile is set to docker/default in Pod Security Policy
- Pod Security Policy should prohibit host network access
- Minimize the admission of containers wishing to share the host IPC namespace
- Pod Security Policy should prohibit containers from sharing the host process namespaces
- Minimize the admission of containers wishing to share the host process ID namespace
- Pod Security Policy should force containers to run with a read-only root file system
- Pod Security Policy should prohibit containers from running as root
- Containerized applications should use security services such as SELinux, AppArmor or Seccomp
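To see concretely which PodSecurityPolicy fields the controls above assert on, here is an added Python check (not code from the steampipe-mod-kubernetes-compliance mod; the field logic is a simplified approximation of the benchmark's queries) that evaluates a parsed PSP manifest against each control, using a permissive and a restricted sample manifest constructed inline.

```python
from typing import Dict, List

# Annotation keys the PSP admission controller reads for seccomp/AppArmor defaults
SECCOMP_DEFAULT = "seccomp.security.alpha.kubernetes.io/defaultProfileName"
APPARMOR_DEFAULT = "apparmor.security.beta.kubernetes.io/defaultProfileName"
HOST_NAMESPACES = (("hostNetwork", "host network access"),
                   ("hostIPC", "host IPC namespace"),
                   ("hostPID", "host PID namespace"))

def failing_controls(psp: Dict) -> List[str]:
    """Return short names of the controls above that this PSP would fail."""
    spec = psp.get("spec", {})
    ann = psp.get("metadata", {}).get("annotations", {})
    failures = []
    volumes = spec.get("volumes", [])
    if "hostPath" in volumes or "*" in volumes:
        failures.append("hostPath volumes")
    if spec.get("privileged", False):
        failures.append("privileged containers")
    if spec.get("allowPrivilegeEscalation", True):  # API default is true
        failures.append("privilege escalation")
    if ann.get(SECCOMP_DEFAULT) != "docker/default":
        failures.append("seccomp docker/default")
    for field, name in HOST_NAMESPACES:
        if spec.get(field, False):
            failures.append(name)
    if not spec.get("readOnlyRootFilesystem", False):
        failures.append("read-only root filesystem")
    if spec.get("runAsUser", {}).get("rule") != "MustRunAsNonRoot":
        failures.append("running as root")
    # Any one of SELinux, AppArmor or seccomp satisfies the last control
    if not (spec.get("seLinux", {}).get("rule") == "MustRunAs"
            or APPARMOR_DEFAULT in ann or SECCOMP_DEFAULT in ann):
        failures.append("SELinux/AppArmor/seccomp")
    return failures

# Constructed sample manifests, shaped like yaml.safe_load output.
PERMISSIVE_PSP = {"metadata": {"name": "permissive"}, "spec": {
    "privileged": True, "hostNetwork": True, "hostPID": True,
    "volumes": ["*"], "runAsUser": {"rule": "RunAsAny"}}}
RESTRICTED_PSP = {"metadata": {"name": "restricted", "annotations": {
    SECCOMP_DEFAULT: "docker/default", APPARMOR_DEFAULT: "runtime/default"}},
    "spec": {"privileged": False, "allowPrivilegeEscalation": False,
             "hostNetwork": False, "hostIPC": False, "hostPID": False,
             "readOnlyRootFilesystem": True, "runAsUser": {"rule": "MustRunAsNonRoot"},
             "volumes": ["configMap", "emptyDir", "secret"]}}

if __name__ == "__main__":
    for psp in (PERMISSIVE_PSP, RESTRICTED_PSP):
        print(psp["metadata"]["name"], failing_controls(psp) or "passes all controls")
```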