Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used

An XCCDF Rule

Description

Instead of using a customized SecurityContext for pods, a Pod Security Policy (PSP) or a SecurityContextConstraint should be used. These are cluster-level resources that control the actions that a pod can perform and what resource the pod may access. The SecurityContextDeny disallows folks from setting a pod's securityContext fields. Ensure that the list of admission controllers does not include SecurityContextDeny:

$ oc -n openshift-kube-apiserver get configmap config -o json | jq -r '.data."config.yaml"' | jq '.apiServerArguments."enable-admission-plugins"'

warning alert: Warning

This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the following:

{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/{{.hypershift_namespace_prefix}}-{{.hypershift_cluster}}/configmaps/kas-config{{else}}/api/v1/namespaces/openshift-kube-apiserver/configmaps/config{{end}} API endpoint, filter with with the jq utility using the following filter {{if ne .hypershift_cluster "None"}}[.data."config.json" | fromjson]{{else}}[.data."config.yaml" | fromjson]{{end}} and persist it to the local /api/v1/namespaces/openshift-kube-apiserver/configmaps/config#ffe65d9fac11909686e59349c6a0111aaf57caa26bd2db3e7dcb1a0a22899145 file.

Rationale

The SecurityContextDeny admission control plugin disallows setting any security options for your pods. SecurityContextConstraints allow you to enforce RBAC rules on who can set these options on the pods, and what they're allowed to set. Thus, using the SecurityContextDeny will deter you from enforcing granular permissions on your pods.

ID: xccdf_org.ssgproject.content_rule_api_server_admission_control_plugin_securitycontextdeny
Severity: Medium
References: CIP-003-8 R6 CIP-004-6 R3 CIP-007-3 R6.1

CM-6 CM-6(1)

Req-2.2

SRG-APP-000516-CTR-001325

1.2.13

CCE-83586-8
Updated: about 1 year ago