Benchmark: 5.2 Pod Security Policies
Description
A Pod Security Policy (PSP) is a cluster-level resource that controls security settings for pods. Your cluster may have multiple PSPs. You can query PSPs with the following `kubectl get psp`. PodSecurityPolicies are used in conjunction with the PodSecurityPolicy admission controller plugin.
Usage
Install the mod:
mkdir dashboardscd dashboardspowerpipe mod initpowerpipe mod install github.com/turbot/steampipe-mod-kubernetes-compliance
Start the Powerpipe server:
steampipe service startpowerpipe server
Open http://localhost:9033 in your browser and select 5.2 Pod Security Policies.
Run this benchmark in your terminal:
powerpipe benchmark run kubernetes_compliance.benchmark.cis_kube_v120_v100_5_2
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run kubernetes_compliance.benchmark.cis_kube_v120_v100_5_2 --share
Controls
- 5.2.1 Minimize the admission of privileged containers
- 5.2.2 Minimize the admission of containers wishing to share the host process ID namespace
- 5.2.3 Minimize the admission of containers wishing to share the host IPC namespace
- 5.2.4 Minimize the admission of containers wishing to share the host network namespace
- 5.2.5 Minimize the admission of containers with allowPrivilegeEscalation
- 5.2.6 Minimize the admission of root containers