Best practices

K8S API server configuration without SecurityContextDeny admissions control plugin

Risk Level

Informational (4)

  • N/A


It was found that the API server's admission control plugins parameter includes neither 'PodSecurityPolicy' nor 'SecurityContextDeny'. An admission controller is code that is executed after a request has been authenticated and authorized, in order to validate or change that request. The SecurityContextDeny admission controller denies any pod that attempts to set escalating security context fields.
  • Recommended Mitigation

    If PodSecurityPolicy is not enabled, it is recommended to include the SecurityContextDeny plugin in the '--enable-admission-plugins' parameter.
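
One way to audit for this finding, as an added example that is not part of the original advisory: the script reads kube-apiserver arguments (a static pod manifest or a process command line) and reports whether either plugin is enabled. The function names and the sample manifest are constructed for illustration; the manifest path in the comment is the kubeadm default and is an assumption about the cluster.

```shell
#!/usr/bin/env bash
# Added example: audit kube-apiserver arguments for the admission plugins
# named in this finding. Function names are hypothetical.

# Print the comma-separated plugin list found in kube-apiserver arguments
# read from stdin. Accepts a static pod manifest ("- --flag=value" items) or
# a process command line, and both "--flag=value" and "--flag value" forms.
enabled_admission_plugins() {
  tr -s '[:space:]' '\n' \
    | sed -e "s/^[\"']//" -e "s/[\"']\$//" \
    | awk '
        take { print; take = 0; next }
        /^--enable-admission-plugins=/ { sub(/^[^=]*=/, ""); print; next }
        $0 == "--enable-admission-plugins" { take = 1 }
      ' \
    | paste -sd, -
}

# Return 0 if PodSecurityPolicy or SecurityContextDeny is enabled, 1 otherwise.
# Names are wrapped in commas so only exact plugin names match.
check_security_context_admission() {
  scd_plugins=$(enabled_admission_plugins)
  case ",$scd_plugins," in
    *,PodSecurityPolicy,*)   echo "PASS: PodSecurityPolicy enabled"; return 0 ;;
    *,SecurityContextDeny,*) echo "PASS: SecurityContextDeny enabled"; return 0 ;;
  esac
  echo "FAIL: neither plugin enabled (found: ${scd_plugins:-none})"
  return 1
}

# Constructed sample: part of a kube-apiserver static pod manifest.
sample_manifest='
spec:
  containers:
  - command:
    - kube-apiserver
    - --authorization-mode=Node,RBAC
    - --enable-admission-plugins=NodeRestriction,ServiceAccount
'
printf '%s\n' "$sample_manifest" | check_security_context_admission || true

# On a control-plane node (kubeadm default path, an assumption):
#   check_security_context_admission < /etc/kubernetes/manifests/kube-apiserver.yaml
```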