lacework-global-334
This rule also encompasses lacework-global-664. See Adjusted Rules for CIS Amazon EKS 1.1.0 for further details.
4.1.4 Minimize access to create pods in ClusterRoles (Automated)
This rule has been changed to automated, see Automated Policies for CIS Amazon EKS 1.1.0 for details.
Profile Applicability
• Level 1
Description
The ability to create pods in a namespace can provide a number of opportunities for privilege escalation, such as assigning privileged service accounts to these pods or mounting hostPaths with access to sensitive data (unless using Pod Security Policies to restrict this access).
As such, you should restrict access to create new pods to the smallest possible group of users.
Rationale
The ability to create pods in a cluster opens up possibilities for privilege escalation and should be restricted, where possible.
Impact
Care should be taken not to remove access to pods to system components which require this for their operation
Audit
Review the users who have create access to pod objects in the Kubernetes API.
Remediation
Where possible, remove create
access to pod
objects in the cluster.