What would you like to be added:
A new Pod Security Standards ruleset should be implemented for the managedK8s provider. This ruleset checks pods running in a managed Kubernetes cluster against the Kubernetes Pod Security Standards. The ruleset should implement the Baseline and Restricted profiles as described in the official Kubernetes documentation.
Baseline Profile
The Baseline profile prevents known privilege escalations and covers the following controls:
- HostProcess (Windows)
- Host Namespaces (hostNetwork, hostPID, hostIPC)
- Privileged Containers
- Capabilities (restrict to safe set)
- HostPath Volumes
- Host Ports
- AppArmor
- SELinux
- /proc Mount Type
- Seccomp
- Sysctls
Restricted Profile
The Restricted profile enforces current Pod hardening best practices and includes all Baseline controls plus:
- Volume Types (only configMap, csi, downwardAPI, emptyDir, ephemeral, persistentVolumeClaim, projected, secret allowed)
- Privilege Escalation (allowPrivilegeEscalation must be false)
- Running as Non-Root (runAsNonRoot must be true)
- Running as Non-Root User (runAsUser must not be 0)
Why is this needed:
Pod Security Standards are the official Kubernetes mechanism for defining security constraints at the pod level. Implementing them as a diki ruleset enables automated compliance checking for managed Kubernetes clusters, covering common security observations such as missing readOnlyRootFilesystem, unrestricted allowPrivilegeEscalation, missing capabilities restrictions, runAsNonRoot not enforced, and use of privileged, hostNetwork, or hostPID.
What would you like to be added:
A new
Pod Security Standardsruleset should be implemented for themanagedK8sprovider. This ruleset checks pods running in a managed Kubernetes cluster against the Kubernetes Pod Security Standards. The ruleset should implement the Baseline and Restricted profiles as described in the official Kubernetes documentation.Baseline Profile
The Baseline profile prevents known privilege escalations and covers the following controls:
Restricted Profile
The Restricted profile enforces current Pod hardening best practices and includes all Baseline controls plus:
Why is this needed:
Pod Security Standards are the official Kubernetes mechanism for defining security constraints at the pod level. Implementing them as a diki ruleset enables automated compliance checking for managed Kubernetes clusters, covering common security observations such as missing
readOnlyRootFilesystem, unrestrictedallowPrivilegeEscalation, missing capabilities restrictions,runAsNonRootnot enforced, and use ofprivileged,hostNetwork, orhostPID.