Skip to content

Implement Pod Security Standards ruleset #754

Description

@AleksandarSavchev

What would you like to be added:

A new Pod Security Standards ruleset should be implemented for the managedK8s provider. This ruleset checks pods running in a managed Kubernetes cluster against the Kubernetes Pod Security Standards. The ruleset should implement the Baseline and Restricted profiles as described in the official Kubernetes documentation.

Baseline Profile

The Baseline profile prevents known privilege escalations and covers the following controls:

  • HostProcess (Windows)
  • Host Namespaces (hostNetwork, hostPID, hostIPC)
  • Privileged Containers
  • Capabilities (restrict to safe set)
  • HostPath Volumes
  • Host Ports
  • AppArmor
  • SELinux
  • /proc Mount Type
  • Seccomp
  • Sysctls

Restricted Profile

The Restricted profile enforces current Pod hardening best practices and includes all Baseline controls plus:

  • Volume Types (only configMap, csi, downwardAPI, emptyDir, ephemeral, persistentVolumeClaim, projected, secret allowed)
  • Privilege Escalation (allowPrivilegeEscalation must be false)
  • Running as Non-Root (runAsNonRoot must be true)
  • Running as Non-Root User (runAsUser must not be 0)

Why is this needed:

Pod Security Standards are the official Kubernetes mechanism for defining security constraints at the pod level. Implementing them as a diki ruleset enables automated compliance checking for managed Kubernetes clusters, covering common security observations such as missing readOnlyRootFilesystem, unrestricted allowPrivilegeEscalation, missing capabilities restrictions, runAsNonRoot not enforced, and use of privileged, hostNetwork, or hostPID.

Metadata

Metadata

Assignees

No one assigned

    Labels

    kind/enhancementEnhancement, improvement, extension

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions