GCP Kubernetes Engine Clusters have pod security policy disabled
Description
PodSecurityPolicy is an admission controller resource created to validate requests to create and update Pods on your cluster. The PodSecurityPolicy defines a set of conditions that Pods must meet to be accepted by the cluster. When a request to create or update a Pod does not meet the conditions in the PodSecurityPolicy, that request is rejected and an error is returned. We recommend you enable PodSecurityPolicy Controller on Kubernetes engine clusters.
Code Example
pod_security_policy_config {
enabled = true
}Remediation
- Gcloud CLI To update the cluster to enable the PodSecurityPolicy Controller, use this command:*
gcloud beta container clusters update cluster-name --enable-pod-security-policy
More information at: https://cloud.google.com/kubernetes-engine/docs/how-to/pod-security-policies?hl=en [https://cloud.google.com/kubernetes-engine/docs/how-to/pod-security-policies] === Fix - Buildtime
Terraform
First, be sure to have the google-beta provider setup in the google_container_cluster, then add the following block of code:
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0883 |
| Severity | LOW |
| IaC Type | Terraform |
| Frameworks | Terraform, TerraformPlan |
| Checkov ID | CKV_GCP_24 |