Kubernetes must enable PodSecurity admission controller on static pods and Kubelets.
An XCCDF Rule
Description
<VulnDiscussion>PodSecurity admission controller is a component that validates and enforces security policies for pods running within a Kubernetes cluster. It is responsible for evaluating the security context and configuration of pods against defined policies. To enable PodSecurity admission controller on Static Pods (kube-apiserver, kube-controller-manager, or kube-schedule), the argument "--feature-gates=PodSecurity=true" must be set. To enable PodSecurity admission controller on Kubelets, the featureGates PodSecurity=true argument must be set. (Note: The PodSecurity feature gate is GA as of v1.25.)</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- ID
- SV-254801r961359_rule
- Severity
- High
- References
- Updated
Remediation - Manual Procedure
On the Control Plane, change to the manifests' directory at /etc/kubernetes/manifests and run the command:
grep -i feature-gates *
Ensure the argument "--feature-gates=PodSecurity=true" is present in each manifest file.
On each Control Plane and Worker Node, run the command: