Kubernetes must enable PodSecurity admission controller on static pods and Kubelets.

An XCCDF Rule

Description

PodSecurity admission controller is a component that validates and enforces security policies for pods running within a Kubernetes cluster. It is responsible for evaluating the security context and configuration of pods against defined policies. To enable PodSecurity admission controller on Static Pods (kube-apiserver, kube-controller-manager, or kube-schedule), the argument "--feature-gates=PodSecurity=true" must be set. To enable PodSecurity admission controller on Kubelets, the featureGates PodSecurity=true argument must be set. (Note: The PodSecurity feature gate is GA as of v1.25.)

ID: SV-254801r961359_rule
Version: CNTR-K8-002001
Severity: High
References: CCI-002263
Updated: 15 days ago

Remediation Templates

On the Control Plane, change to the manifests' directory at /etc/kubernetes/manifests and run the command:
grep -i feature-gates *

Ensure the argument "--feature-gates=PodSecurity=true" is present in each manifest file.

On each Control Plane and Worker Node, run the command:ps -ef | grep kubelet

Remove the "--feature-gates" option if present.

Note the path to the config file (identified by --config).

Edit the Kubernetes Kubelet config file: 
Add a "featureGates" setting if one does not yet exist. Add the feature gate "PodSecurity=true".

Restart the kubelet service using the following command:
systemctl daemon-reload && systemctl restart kubelet

Kubernetes must enable PodSecurity admission controller on static pods and Kubelets.

Description

Remediation Templates

A Manual Procedure