The following items are checked for this benchmark item:
In practical terms, these best practices may not apply to each and every pod being deployed in the system. When deployed on our Kubernetes cluster, we will use this as the default policy across the cluster, and will selectively grant permissions on a targeted basis.
This benchmark requires that Kubernetes PodSecurityPolicies be enforced for all pods running in the system. The following diagram shows the basic pod security policy configuration data model:
Practically, we may have some pods that will require some elevated permissions, but most will not. To cater for both requirements, let us define two basic pod security policies: a restrictive one that applies to every pod by default, and a permissive one that is granted only to the specific workloads that need it:
#security #kubernetes #containers #podsecuritypolicies