| Prior to version 1.21, Pod Security Policies (PSPs) were used to enforce security policies. PSP was deprecated in version 1.21 and removed in version 1.25. |
Migrate from PSP to PSA:
Pre-version 1.25 Check:
On the Control Plane, run the command:
kubectl get podsecuritypolicy
If there is no pod security policy configured, this is a finding.
For any pod security policies listed, edit the policy with the command:
kubectl edit podsecuritypolicy policyname
(Note: "policyname" is the name of the policy.)
Review the runAsUser, supplementalGroups and fsGroup sections of the policy.
If any of these sections are missing, this is a finding.
If the rule within the runAsUser section is not set to "MustRunAsNonRoot", this is a finding.
If the ranges within the supplementalGroups section have a min set to "0", or the min is missing (for example, because the rule is "RunAsAny" and no ranges are defined), this is a finding.
If the ranges within the fsGroup section have a min set to "0", or the min is missing, this is a finding.
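The review steps above can be automated against the JSON that "kubectl get podsecuritypolicy -o json" prints. The following is an added example written for this check, not STIG or Kubernetes project code: it applies the runAsUser, supplementalGroups and fsGroup tests to every policy in a PodSecurityPolicyList and reports findings per policy, treating an empty list as a finding in itself. The two policies embedded in it (one permissive, one compliant) are constructed sample data; pass "--live" to read the real cluster instead.

```python
"""Apply the PSP review steps to `kubectl get podsecuritypolicy -o json` output.

Added example for this check, not STIG or Kubernetes project code. Findings:
  - no policy configured
  - runAsUser / supplementalGroups / fsGroup section missing
  - runAsUser rule other than MustRunAsNonRoot
  - supplementalGroups / fsGroup ranges missing, or a range with min 0
"""
import json
import subprocess
import sys


def _range_finding(section_name, section):
    """Return a finding for supplementalGroups or fsGroup, or None if compliant."""
    if section is None:
        return f"{section_name} section missing"
    # A RunAsAny rule normally carries no ranges at all: that is a missing min.
    ranges = section.get("ranges") or []
    if not ranges:
        return f"{section_name} has no ranges (min missing)"
    for r in ranges:
        if "min" not in r:
            return f"{section_name} range has no min"
        if r["min"] == 0:
            return f"{section_name} range min is 0"
    return None


def check_psp(psp):
    """Check one PodSecurityPolicy object; return the list of findings (empty if compliant)."""
    spec = psp.get("spec", {})
    findings = []
    run_as_user = spec.get("runAsUser")
    if run_as_user is None:
        findings.append("runAsUser section missing")
    elif run_as_user.get("rule") != "MustRunAsNonRoot":
        findings.append(f"runAsUser rule is {run_as_user.get('rule')!r}, not MustRunAsNonRoot")
    for name in ("supplementalGroups", "fsGroup"):
        f = _range_finding(name, spec.get(name))
        if f:
            findings.append(f)
    return findings


def check_psp_list(psp_list):
    """Check a PodSecurityPolicyList; map policy name -> findings."""
    items = psp_list.get("items", [])
    if not items:
        return {"<cluster>": ["no pod security policy configured"]}
    return {p["metadata"]["name"]: check_psp(p) for p in items}


# Constructed sample in the shape kubectl prints: one permissive policy that
# fails all three checks and one policy that satisfies them.
SAMPLE_PSP_LIST = json.loads("""
{
  "apiVersion": "v1",
  "kind": "List",
  "items": [
    {"apiVersion": "policy/v1beta1", "kind": "PodSecurityPolicy",
     "metadata": {"name": "permissive"},
     "spec": {"runAsUser": {"rule": "RunAsAny"},
              "supplementalGroups": {"rule": "RunAsAny"},
              "fsGroup": {"rule": "MustRunAs", "ranges": [{"min": 0, "max": 65535}]}}},
    {"apiVersion": "policy/v1beta1", "kind": "PodSecurityPolicy",
     "metadata": {"name": "restricted"},
     "spec": {"runAsUser": {"rule": "MustRunAsNonRoot"},
              "supplementalGroups": {"rule": "MustRunAs", "ranges": [{"min": 1, "max": 65535}]},
              "fsGroup": {"rule": "MustRunAs", "ranges": [{"min": 1, "max": 65535}]}}}
  ]
}
""")


def main():
    if "--live" in sys.argv:
        out = subprocess.run(["kubectl", "get", "podsecuritypolicy", "-o", "json"],
                             check=True, capture_output=True, text=True).stdout
        data = json.loads(out)
    else:
        data = SAMPLE_PSP_LIST
    for name, findings in check_psp_list(data).items():
        print(f"{name}: {'FINDING' if findings else 'ok'}")
        for f in findings:
            print(f"  - {f}")


if __name__ == "__main__":
    main()
```

Running it without arguments prints three findings for "permissive" and "ok" for "restricted"; running it with "--live" on the control plane performs the same checks against the cluster's actual policies.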