Skip to main content

lacework-global-334

info

This rule also encompasses lacework-global-664. See Adjusted Rules for CIS Amazon EKS 1.1.0 for further details.

4.1.4 Minimize access to create pods (Automated)

note

This rule has been changed to automated, see Automated Rules for CIS Amazon EKS 1.1.0 for details.

Profile Applicability

• Level 1

Description

The ability to create pods in a namespace can provide a number of opportunities for privilege escalation, such as assigning privileged service accounts to these pods or mounting hostPaths with access to sensitive data (unless Pod Security Policies are implemented to restrict this access)

As such, access to create new pods should be restricted to the smallest possible group of users.

Rationale

The ability to create pods in a cluster opens up possibilities for privilege escalation and should be restricted, where possible.

Impact

Care should be taken not to remove access to pods to system components which require this for their operation

Audit

Review the users who have create access to pod objects in the Kubernetes API.

Remediation

Where possible, remove create access to pod objects in the cluster.