
The admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used

Description

The SecurityContextDeny admission controller denies pods that set certain SecurityContext fields (pod-level supplementalGroups, seLinuxOptions, runAsUser and fsGroup, and per-container seLinuxOptions and runAsUser) that could otherwise be used to escalate privileges in the cluster. It is intended for clusters where PodSecurityPolicy is not in place, and provides a layer of protection for clusters that do not have PodSecurityPolicies enabled.
SecurityContextDeny is a much narrower control than PodSecurityPolicy: it does not block privileged containers, host namespaces, hostPath volumes or added capabilities, so treat it as a stop-gap rather than a replacement. Note also that PodSecurityPolicy was removed in Kubernetes 1.25 and SecurityContextDeny was deprecated in 1.27; on current clusters the supported mechanism is Pod Security Admission (the PodSecurity admission plugin).

Fix - Buildtime

Kubernetes

  • Kind: Pod
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    component: kube-apiserver
    tier: control-plane
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - command:
+   - kube-apiserver
+   - --enable-admission-plugins=SecurityContextDeny
    image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
    ...
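The manifest above sets --enable-admission-plugins to SecurityContextDeny alone. That flag takes a comma-separated list and the value replaces whatever was there, so copying the line literally into a server that already enables NodeRestriction or other plugins silently drops them. As an added example (not code from this page or from Checkov), the Python below implements the check this page describes against a kube-apiserver argv list, contrasts the literal replace-the-flag fix with one that appends to the existing list, and lists the fields SecurityContextDeny would reject in a pod, using the field list from the Kubernetes admission-controller reference. The sample command line, the sample pods and all function names are constructed for this example.

```python
"""Check a kube-apiserver command line for the SecurityContextDeny /
PodSecurityPolicy requirement, and show a fix that keeps other plugins."""

from typing import Dict, List, Optional

# Constructed sample: a static-pod command list that already enables
# NodeRestriction and NamespaceLifecycle but neither PodSecurityPolicy
# nor SecurityContextDeny.
SAMPLE_COMMAND = [
    "kube-apiserver",
    "--advertise-address=10.0.0.10",
    "--enable-admission-plugins=NodeRestriction,NamespaceLifecycle",
    "--authorization-mode=Node,RBAC",
]


def flag_value(command: List[str], flag: str) -> Optional[str]:
    """Return the value of '--flag=value' or '--flag value' in argv, else None."""
    for i, arg in enumerate(command):
        if arg.startswith(flag + "="):
            return arg[len(flag) + 1:]
        if arg == flag and i + 1 < len(command):
            return command[i + 1]
    return None


def without_flag(command: List[str], flag: str) -> List[str]:
    """Drop both spellings of a flag (and its separate value, if any)."""
    out, skip = [], False
    for arg in command:
        if skip:
            skip = False
            continue
        if arg == flag:
            skip = True
            continue
        if arg.startswith(flag + "="):
            continue
        out.append(arg)
    return out


def enabled_admission_plugins(command: List[str]) -> List[str]:
    """Plugins explicitly listed on --enable-admission-plugins (comma-separated)."""
    value = flag_value(command, "--enable-admission-plugins") or ""
    return [p.strip() for p in value.split(",") if p.strip()]


def check_security_context_deny(command: List[str]) -> Dict[str, object]:
    """The check on this page: pass if PodSecurityPolicy is enabled,
    otherwise require SecurityContextDeny to be enabled (and not disabled)."""
    plugins = enabled_admission_plugins(command)
    disabled = (flag_value(command, "--disable-admission-plugins") or "").split(",")
    psp = "PodSecurityPolicy" in plugins and "PodSecurityPolicy" not in disabled
    scd = "SecurityContextDeny" in plugins and "SecurityContextDeny" not in disabled
    return {"passed": psp or scd, "plugins": plugins, "psp": psp, "scd": scd}


def naive_fix(command: List[str]) -> List[str]:
    """The fix as literally written in the manifest above: the new value
    REPLACES the flag, silently dropping NodeRestriction and the rest."""
    return without_flag(command, "--enable-admission-plugins") + [
        "--enable-admission-plugins=SecurityContextDeny"
    ]


def merged_fix(command: List[str]) -> List[str]:
    """Append SecurityContextDeny to the existing comma-separated list."""
    plugins = enabled_admission_plugins(command)
    if "PodSecurityPolicy" in plugins or "SecurityContextDeny" in plugins:
        return list(command)  # already compliant, leave untouched
    plugins.append("SecurityContextDeny")
    return without_flag(command, "--enable-admission-plugins") + [
        "--enable-admission-plugins=" + ",".join(plugins)
    ]


# Fields SecurityContextDeny rejects, per the Kubernetes admission-controller
# reference: pod-level and per-(init)container. Note what is absent:
# privileged, hostPath, hostNetwork, capabilities are NOT checked.
_POD_FIELDS = ("supplementalGroups", "seLinuxOptions", "runAsUser", "fsGroup")
_CONTAINER_FIELDS = ("seLinuxOptions", "runAsUser")


def security_context_deny_rejects(pod: dict) -> List[str]:
    """Return the field paths that would make SecurityContextDeny reject a pod
    (an empty list means the plugin would admit it)."""
    spec = pod.get("spec") or {}
    hits = []
    for f in _POD_FIELDS:
        if f in (spec.get("securityContext") or {}):
            hits.append(f"spec.securityContext.{f}")
    for kind in ("initContainers", "containers"):
        for i, c in enumerate(spec.get(kind) or []):
            for f in _CONTAINER_FIELDS:
                if f in (c.get("securityContext") or {}):
                    hits.append(f"spec.{kind}[{i}].securityContext.{f}")
    return hits


if __name__ == "__main__":
    print(check_security_context_deny(SAMPLE_COMMAND))
    print(enabled_admission_plugins(naive_fix(SAMPLE_COMMAND)))
    print(enabled_admission_plugins(merged_fix(SAMPLE_COMMAND)))
```

The last function is the practical caveat: a pod that requests privileged: true but sets no runAsUser or SELinux fields sails through SecurityContextDeny, which is why this control is only a stop-gap where PodSecurityPolicy (or, on current clusters, Pod Security Admission) is unavailable.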