lacework-global-334
info
This rule also encompasses lacework-global-664. See Adjusted Rules for CIS Amazon EKS 1.1.0 for further details.
4.1.4 Minimize access to create pods (Automated)
note
This rule has been changed to automated, see Automated Rules for CIS Amazon EKS 1.1.0 for details.
Profile Applicability
• Level 1
Description
The ability to create pods in a namespace can provide a number of opportunities for privilege escalation, such as assigning privileged service accounts to these pods or mounting hostPaths with access to sensitive data (unless Pod Security Policies are implemented to restrict this access)
As such, access to create new pods should be restricted to the smallest possible group of users.
Rationale
The ability to create pods in a cluster opens up possibilities for privilege escalation and should be restricted, where possible.
Impact
Care should be taken not to remove access to pods to system components which require this for their operation
Audit
Review the users who have create access to pod objects in the Kubernetes API.
Remediation
Where possible, remove create
access to pod
objects in the cluster.