CIS Kubernetes Benchmark 1.5.1 # 5.2 #7

Open
5 of 9 tasks
saurabhpandit opened this issue Jun 10, 2020 · 4 comments

Comments

@saurabhpandit
Member

5.2 Pod Security Policies

  • 5.2.1 Minimize the admission of privileged containers
  • 5.2.2 Minimize the admission of containers wishing to share the host process ID namespace
  • 5.2.3 Minimize the admission of containers wishing to share the host IPC namespace
  • 5.2.4 Minimize the admission of containers wishing to share the host network namespace
  • 5.2.5 Minimize the admission of containers with allowPrivilegeEscalation
  • 5.2.6 Minimize the admission of root containers
  • 5.2.7 Minimize the admission of containers with the NET_RAW capability
  • 5.2.8 Minimize the admission of containers with added capabilities
  • 5.2.9 Minimize the admission of containers with capabilities assigned
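The nine controls above can be evaluated against a pod manifest once it has been parsed into a dictionary (for example with `yaml.safe_load`). The following is an added example written for this issue, not one of the repository's Rego policies and not part of the CIS benchmark text: it implements all nine 5.2 checks in a single Python function so the expected verdict for each control is explicit. The two manifests are constructed for the example, and the defaults it assumes (`allowPrivilegeEscalation` is true unless set to false, a container inherits `runAsNonRoot`/`runAsUser` from the pod `securityContext`, `capabilities.add` is applied after `capabilities.drop`) follow the Kubernetes pod spec.

```python
"""Evaluate a pod manifest against CIS Kubernetes Benchmark v1.5.1 controls 5.2.1 - 5.2.9.

Added example for this issue; it is not the project's own policy code.
Input is a pod manifest already parsed into a dict (e.g. via yaml.safe_load).
"""

# Constructed manifest: a typical "debug shell" that violates most of section 5.2.
WEAK_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "debug-shell"},
    "spec": {
        "hostPID": True,
        "hostNetwork": True,
        "containers": [{
            "name": "shell",
            "image": "busybox",
            "securityContext": {
                "privileged": True,
                "capabilities": {"add": ["NET_ADMIN"]},
            },
        }],
    },
}

# Constructed manifest: the hardened shape that satisfies all nine controls.
HARDENED_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "web"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
        "containers": [{
            "name": "web",
            "image": "nginx",
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "capabilities": {"drop": ["ALL"]},
            },
        }],
    },
}


def _containers(pod):
    """Init containers are admitted through the same policy, so check both lists."""
    spec = pod.get("spec", {})
    return spec.get("initContainers", []) + spec.get("containers", [])


def check_pod(pod):
    """Return a list of (control, container_name, reason) findings; empty means compliant."""
    findings = []
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})

    # 5.2.2 / 5.2.3 / 5.2.4: host namespaces are pod-level fields.
    for field, control in (("hostPID", "5.2.2"), ("hostIPC", "5.2.3"), ("hostNetwork", "5.2.4")):
        if spec.get(field) is True:
            findings.append((control, "<pod>", f"spec.{field}=true"))

    for c in _containers(pod):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext", {})

        # 5.2.1: privileged containers.
        if sc.get("privileged") is True:
            findings.append(("5.2.1", name, "privileged=true"))

        # 5.2.5: allowPrivilegeEscalation defaults to true, so only an explicit false passes.
        if sc.get("allowPrivilegeEscalation", True) is not False:
            findings.append(("5.2.5", name, "allowPrivilegeEscalation is not false"))

        # 5.2.6: root containers. Container-level settings override pod-level ones.
        run_as_non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        run_as_user = sc.get("runAsUser", pod_sc.get("runAsUser"))
        if run_as_non_root is not True and (run_as_user is None or run_as_user == 0):
            findings.append(("5.2.6", name, "runAsNonRoot not true and runAsUser unset or 0"))

        caps = sc.get("capabilities", {})
        added = set(caps.get("add", []))
        dropped = set(caps.get("drop", []))

        # 5.2.7: NET_RAW must be dropped (directly or via ALL) and never re-added,
        # since "add" is applied after "drop".
        if "NET_RAW" in added or not ({"NET_RAW", "ALL"} & dropped):
            findings.append(("5.2.7", name, "NET_RAW not dropped"))

        # 5.2.8: any added capability beyond the default set.
        if added:
            findings.append(("5.2.8", name, f"added capabilities: {sorted(added)}"))

        # 5.2.9: the default capability set itself must be dropped.
        if "ALL" not in dropped:
            findings.append(("5.2.9", name, "capabilities.drop does not include ALL"))

    return findings


def controls_violated(pod):
    """Sorted, de-duplicated list of control IDs the pod fails."""
    return sorted({control for control, _, _ in check_pod(pod)})


if __name__ == "__main__":
    for pod in (WEAK_POD, HARDENED_POD):
        print(pod["metadata"]["name"], "->", controls_violated(pod) or "compliant")
        for control, name, reason in check_pod(pod):
            print(f"  {control} [{name}] {reason}")
```

The weak manifest fails every control except 5.2.3 (it does not set `hostIPC`), which shows why a privileged host-namespace pod needs more than a `privileged: false` fix: the default capability set, the missing `drop: ALL`, and the implicit `allowPrivilegeEscalation: true` each trip their own control. Dropping `ALL` satisfies both 5.2.7 and 5.2.9 at once, so the hardened manifest does not need a separate `NET_RAW` entry.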

@xunholy
Member

xunholy commented Jun 16, 2020

5.2.1 Minimize the admission of privileged containers

This policy has been completed by virtue of the KubeSec benchmark: https://github.com/raspbernetes/k8s-gitops/blob/master/policies/K.SEC.05.rego

Even though there is double-up, it might be worth just using this existing one and creating a new file with essentially the same content for when we push to the OCI registry.

@xunholy
Member

xunholy commented Jun 16, 2020

Same situation with the following:

5.2.2 Minimize the admission of containers wishing to share the host process ID namespace

https://github.com/raspbernetes/k8s-gitops/blob/master/policies/K.SEC.12.rego

5.2.3 Minimize the admission of containers wishing to share the host IPC namespace

https://github.com/raspbernetes/k8s-gitops/blob/master/policies/K.SEC.10.rego

5.2.4 Minimize the admission of containers wishing to share the host network namespace

https://github.com/raspbernetes/k8s-gitops/blob/master/policies/K.SEC.11.rego

5.2.5 Minimize the admission of containers with allowPrivilegeEscalation

https://github.com/raspbernetes/k8s-gitops/blob/master/policies/K.SEC.15.rego

Capabilities may also have some slight overlap.

@xunholy xunholy transferred this issue from xunholy/k8s-gitops Jun 22, 2020
