GCP Kubernetes Engine Clusters Have Pod Security Policy Disabled

This policy identifies Kubernetes Engine Clusters that have pod security policy disabled. The Pod Security Policy defines a set of conditions that pods must meet to be accepted by the cluster; when a request to create or update a pod does not meet the conditions in the pod security policy, that request is rejected and an error is returned.

Policy Details

Policy Subtype
Run, Build
Severity
Low
Template Type
Terraform

Build Rules

GCP Kubernetes Engine Clusters have pod security policy disabled.
JSON Query:
$.resource[*].google_container_cluster.*[*].*.pod_security_policy_config anyNull or $.resource[*].google_container_cluster.*[*].*.pod_security_policy_config.enabled anyFalse
Recommendation:
Enable pod security policy for Kubernetes Engine Clusters.
Ensure that GCP Kubernetes Engine Clusters have pod security policy enabled. Make sure that the template has the "pod_security_policy_config" block present with "enabled" set to true.
For example:
"google_container_cluster": [
  {
    "<container_cluster_name>": [
      {
        "pod_security_policy_config": {
          "enabled": true
        },
        "initial_node_count": 3,
        "location": "us-central1-a",
        "name": "marcellus-wallace"
      }
    ]
  }
]
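The build rule above is a JSON query over the Terraform template; as an added illustration (not part of the original policy or of Prisma Cloud), the check below walks the same resource shape in Python and flags both conditions the query names: a cluster whose pod_security_policy_config block is absent (anyNull) and one whose enabled flag is false (anyFalse). The cluster names and the list-shaped block handling are constructed assumptions.

```python
# Constructed sample in the Terraform JSON shape the policy's JSON query walks
# ($.resource[*].google_container_cluster.*[*].*): three clusters, one compliant.
SAMPLE_TEMPLATE = {
    "resource": [
        {
            "google_container_cluster": [
                {"missing-psp": [  # block omitted entirely -> anyNull
                    {"name": "missing-psp", "location": "us-central1-a", "initial_node_count": 3}
                ]},
                {"disabled-psp": [  # block present but enabled = false -> anyFalse
                    {"name": "disabled-psp", "location": "us-central1-a",
                     "pod_security_policy_config": {"enabled": False}}
                ]},
                {"enabled-psp": [  # compliant: block present and enabled = true
                    {"name": "enabled-psp", "location": "us-central1-a",
                     "pod_security_policy_config": {"enabled": True}}
                ]},
            ]
        }
    ]
}


def iter_clusters(template):
    """Yield (label, body) for every google_container_cluster block in the template."""
    for resource in template.get("resource", []):
        for cluster_map in resource.get("google_container_cluster", []):
            for label, bodies in cluster_map.items():
                for body in bodies:
                    yield label, body


def psp_disabled(body):
    """True when the policy would flag this cluster: pod_security_policy_config is
    missing (anyNull) or its enabled flag is anything other than true (anyFalse)."""
    cfg = body.get("pod_security_policy_config")
    if cfg is None:
        return True
    if isinstance(cfg, list):  # assumption: a nested block may also serialize as a list
        cfg = cfg[0] if cfg else {}
    return cfg.get("enabled") is not True


def find_violations(template):
    """Return the labels of all clusters with Pod Security Policy disabled, sorted."""
    return sorted(label for label, body in iter_clusters(template) if psp_disabled(body))


if __name__ == "__main__":
    print("Clusters with pod security policy disabled:", find_violations(SAMPLE_TEMPLATE))
```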

Run Rule Recommendation

Presently, Pod Security Policy can be enabled on Kubernetes Engine Clusters using the command line interface only.
To enable Pod Security Policy for an existing cluster, run the following command:
gcloud beta container clusters update [CLUSTER_NAME] --zone [COMPUTE_ZONE] --enable-pod-security-policy

Compliance

There are 4 standards that are applicable to this policy:
  • ISO 27001:2013
  • CIS v1.0.0 (GCP)
  • PIPEDA
  • CCPA 2018
