Security Hardening: CIS Kubernetes 1.11 Benchmark V1.3.0, Level 1

Ensure that the admission control plugin DenyEscalatingExec is set

Details

Deny execution of exec and attach commands in privileged pods.

Rationale:

Setting admission control policy to DenyEscalatingExec denies exec and attach commands to pods that run with escalated privileges that allow host access. This includes pods that run as privileged, have access to the host IPC namespace, and have access to the host PID namespace.

Solution

Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the --enable-admission-plugins parameter to a value that includes DenyEscalatingExec.

--enable-admission-plugins=…,DenyEscalatingExec,…

Impact:

‘exec’ and ‘attach’ commands will not work in privileged pods.
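The following audit helper is an added example, not part of the CIS benchmark text or of Kubernetes itself. It reads a kube-apiserver static pod manifest, extracts the value of --enable-admission-plugins, and reports whether DenyEscalatingExec is present as a whole entry in that list. The function names (get_admission_plugins, check_deny_escalating_exec, write_sample_manifest, demo) and the sample manifests are my own; the parser assumes the --flag=value form shown in the solution above, and the sample manifests are constructed for an offline run rather than taken from a real cluster.

```sh
#!/bin/sh
# Added audit helper, not part of the CIS page or of Kubernetes itself.
# It reads a kube-apiserver static pod manifest and reports whether
# DenyEscalatingExec appears in --enable-admission-plugins.

# Print the comma-separated value of --enable-admission-plugins found in
# the manifest at $1 (first occurrence). Expects the "--flag=value" form
# the benchmark shows; prints nothing if the flag is absent.
get_admission_plugins() {
    sed -n 's/.*--enable-admission-plugins=\([^"[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# Exit 0 if DenyEscalatingExec is one of the enabled plugins, 1 otherwise.
# The list is wrapped in commas so only a whole entry matches, not a
# plugin name that merely starts with "DenyEscalatingExec".
check_deny_escalating_exec() {
    plugins=$(get_admission_plugins "$1")
    [ -n "$plugins" ] || return 1
    case ",$plugins," in
        *,DenyEscalatingExec,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Write a constructed (not real) kube-apiserver manifest to $1 whose
# --enable-admission-plugins value is $2, so the checks can run offline.
write_sample_manifest() {
    cat > "$1" <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - name: kube-apiserver
    image: kube-apiserver:v1.11.0
    command:
    - kube-apiserver
    - --enable-admission-plugins=$2
    - --authorization-mode=Node,RBAC
EOF
}

# Run the check against three constructed manifests: compliant, missing
# the plugin, and a near-miss name that must not count as a pass.
demo() {
    dir=$(mktemp -d)
    write_sample_manifest "$dir/compliant.yaml" "NodeRestriction,DenyEscalatingExec,PodSecurityPolicy"
    write_sample_manifest "$dir/missing.yaml"   "NodeRestriction,PodSecurityPolicy"
    write_sample_manifest "$dir/near-miss.yaml" "NodeRestriction,DenyEscalatingExecFoo"
    for name in compliant missing near-miss; do
        if check_deny_escalating_exec "$dir/$name.yaml"; then
            echo "$name.yaml: PASS  (DenyEscalatingExec enabled)"
        else
            echo "$name.yaml: FAIL  (DenyEscalatingExec not in --enable-admission-plugins)"
        fi
    done
    rm -rf "$dir"
}

demo
```

On a master node the same check runs against the real file: `check_deny_escalating_exec /etc/kubernetes/manifests/kube-apiserver.yaml && echo PASS || echo FAIL`. The comma-wrapping in the case statement is what stops a plugin name that merely begins with DenyEscalatingExec from producing a false pass. DenyEscalatingExec exists in the 1.11 release line this benchmark targets; it was deprecated in Kubernetes 1.13 and removed in 1.18, so on later clusters the check reports FAIL and the restriction has to come from pod security admission and RBAC on the pods/exec and pods/attach subresources instead.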

Supportive Information


This security hardening control applies to the following category of controls within NIST 800-53: Access Control. This control applies to the following type of system: Unix.


Updated on July 16, 2022