Details
Restrict pod level SecurityContext customization. Instead of using a customized SecurityContext for your pods, use a Pod Security Policy (PSP), which is a cluster-level resource that controls the actions that a pod can perform and what it has the ability to access.
Rationale:
Setting admission control policy to SecurityContextDeny denies the pod level SecurityContext customization. Any attempts to customize the SecurityContexts that are not explicitly defined in the Pod Security Policy (PSP) are blocked. This ensures that all the pods adhere to the PSP defined by your organization and you have a uniform pod level security posture.
Solution
Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the –enable-admission-plugins parameter to include SecurityContextDeny.
–enable-admission-plugins=…,SecurityContextDeny,…
Impact:
None
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: Access Control.This control applies to the following type of system Unix.