-
Notifications
You must be signed in to change notification settings - Fork 16
/
data.yaml
36 lines (33 loc) · 1.78 KB
/
data.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
metadata:
id: aa4374f0-adab-580c-ac9d-907fd2783219
name: Minimize the admission of root containers
profile_applicability: '* Level 2 - Master Node'
description: Do not generally permit containers to be run as the root user.
rationale: |-
Containers may run as any Linux user.
Containers which run as the root user, whilst constrained by Container Runtime security features still have a escalated likelihood of container breakout.
Ideally, all containers should run as a defined non-UID 0 user.
There should be at least one admission control policy defined which does not permit root containers.
If you need to run root containers, this should be defined in a separate policy and you should carefully check to ensure that only limited service accounts and users are given permission to use that policy.
audit: |-
List the policies in use for each namespace in the cluster, ensure that each policy restricts the use of root containers by setting `MustRunAsNonRoot` or `MustRunAs` with the range of UIDs not including 0.
remediation: |-
Create a policy for each namespace in the cluster, ensuring that either `MustRunAsNonRoot` or `MustRunAs` with the range of UIDs not including 0, is set.
impact: Pods with containers which run as the root user will not be permitted.
default_value: |
By default, there are no restrictions on the use of root containers and if a User is not
specified in the image, the container will run as root.
references: 1. https://kubernetes.io/docs/concepts/security/pod-security-standards/
section: Pod Security Standards
version: '1.0'
tags:
- CIS
- Kubernetes
- CIS 5.2.7
- Pod Security Standards
benchmark:
name: CIS Kubernetes V1.23
version: v1.0.1
id: cis_k8s
rule_number: 5.2.7
posture_type: kspm