Overview
A security context defines the operating system security settings (uid, gid, capabilities, SELinux role, etc.) applied to a container. When designing your containers and pods, make sure that you configure the security context for your pods, containers, and volumes. A security context is a property defined in the deployment YAML; it controls the security parameters that will be assigned to the pod, container, or volume. There are two levels of security context: pod-level security context and container-level security context.
Remediation guidance
Follow the Kubernetes documentation and apply security contexts to your pods. For a suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker Containers.
https://workbench.cisecurity.org/sections/1126667/recommendations/1838636
Service-wide remediation
Recommended when many resources are affected: fix the platform baseline first so new resources inherit the secure setting, then remediate the existing flagged resources in batches.
Kubernetes
Use admission policies, baseline cluster configuration, GitOps templates, and namespace or workload guardrails so new deployments follow the control by default.
Operational rollout
- Fix the baseline first at the account, subscription, project, cluster, or tenant scope that owns this control.
- Remediate the currently affected resources in batches, starting with internet-exposed and production assets.
- Re-scan and track approved exceptions with an owner and expiry date.
Query logic
These are the stored checks tied to this control.
Kubernetes Deployments with ContainersTemplates that have permissive security context
Connectors
Covered asset types
Expected check: eq []
{
  deployments(
    where: {
      podTemplate: {
        containersTemplates_SOME: {
          securityContext: {
            OR: [
              { isSeccompProfileSet: false }
              { isSELinuxOptionsSet: false }
              { allowPrivilegeEscalation: true }
              { runAsNonRoot: false }
              { runAsUser_GTE: 1000 }
              { runAsGroup_GTE: 1000 }
              { readOnlyRootFilesystem: false }
              { capabilitiesAdd_INCLUDES: "SYS_ADMIN" }
              { privileged: true }
              {
                NOT: {
                  OR: [
                    { capabilitiesDrop_INCLUDES: "NET_RAW" }
                    { capabilitiesDrop_INCLUDES: "ALL" }
                    { capabilitiesDrop_INCLUDES: "all" }
                  ]
                }
              }
            ]
          }
        }
      }
    }
  ) {
    ...AssetFragment
  }
}
Kubernetes StatefulSets with ContainersTemplates that have permissive security context
Connectors
Covered asset types
Expected check: eq []
{
  statefulSets(
    where: {
      podTemplate: {
        containersTemplates_SOME: {
          securityContext: {
            OR: [
              { isSeccompProfileSet: false }
              { isSELinuxOptionsSet: false }
              { allowPrivilegeEscalation: true }
              { runAsNonRoot: false }
              { runAsUser_GTE: 1000 }
              { runAsGroup_GTE: 1000 }
              { readOnlyRootFilesystem: false }
              { capabilitiesAdd_INCLUDES: "SYS_ADMIN" }
              { privileged: true }
              {
                NOT: {
                  OR: [
                    { capabilitiesDrop_INCLUDES: "NET_RAW" }
                    { capabilitiesDrop_INCLUDES: "ALL" }
                    { capabilitiesDrop_INCLUDES: "all" }
                  ]
                }
              }
            ]
          }
        }
      }
    }
  ) {
    ...AssetFragment
  }
}
Kubernetes ReplicaSets with ContainersTemplates that have permissive security context
Connectors
Covered asset types
Expected check: eq []
{
  replicaSets(
    where: {
      deploymentName: ""
      podTemplate: {
        containersTemplates_SOME: {
          securityContext: {
            OR: [
              { isSeccompProfileSet: false }
              { isSELinuxOptionsSet: false }
              { allowPrivilegeEscalation: true }
              { runAsNonRoot: false }
              { runAsUser_GTE: 1000 }
              { runAsGroup_GTE: 1000 }
              { readOnlyRootFilesystem: false }
              { capabilitiesAdd_INCLUDES: "SYS_ADMIN" }
              { privileged: true }
              {
                NOT: {
                  OR: [
                    { capabilitiesDrop_INCLUDES: "NET_RAW" }
                    { capabilitiesDrop_INCLUDES: "ALL" }
                    { capabilitiesDrop_INCLUDES: "all" }
                  ]
                }
              }
            ]
          }
        }
      }
    }
  ) {
    ...AssetFragment
  }
}
Kubernetes DaemonSets with ContainersTemplates that have permissive security context
Connectors
Covered asset types
Expected check: eq []
{
  daemonSets(
    where: {
      podTemplate: {
        containersTemplates_SOME: {
          securityContext: {
            OR: [
              { isSeccompProfileSet: false }
              { isSELinuxOptionsSet: false }
              { allowPrivilegeEscalation: true }
              { runAsNonRoot: false }
              { runAsUser_GTE: 1000 }
              { runAsGroup_GTE: 1000 }
              { readOnlyRootFilesystem: false }
              { capabilitiesAdd_INCLUDES: "SYS_ADMIN" }
              { privileged: true }
              {
                NOT: {
                  OR: [
                    { capabilitiesDrop_INCLUDES: "NET_RAW" }
                    { capabilitiesDrop_INCLUDES: "ALL" }
                    { capabilitiesDrop_INCLUDES: "all" }
                  ]
                }
              }
            ]
          }
        }
      }
    }
  ) {
    ...AssetFragment
  }
}
Kubernetes Jobs with ContainersTemplates that have permissive security context
Connectors
Covered asset types
Expected check: eq []
{
  jobs(
    where: {
      cronJobName: ""
      podTemplate: {
        containersTemplates_SOME: {
          securityContext: {
            OR: [
              { isSeccompProfileSet: false }
              { isSELinuxOptionsSet: false }
              { allowPrivilegeEscalation: true }
              { runAsNonRoot: false }
              { runAsUser_GTE: 1000 }
              { runAsGroup_GTE: 1000 }
              { readOnlyRootFilesystem: false }
              { capabilitiesAdd_INCLUDES: "SYS_ADMIN" }
              { privileged: true }
              {
                NOT: {
                  OR: [
                    { capabilitiesDrop_INCLUDES: "NET_RAW" }
                    { capabilitiesDrop_INCLUDES: "ALL" }
                    { capabilitiesDrop_INCLUDES: "all" }
                  ]
                }
              }
            ]
          }
        }
      }
    }
  ) {
    ...AssetFragment
  }
}
Kubernetes CronJobs with ContainersTemplates that have permissive security context
Connectors
Covered asset types
Expected check: eq []
{
  cronJobs(
    where: {
      podTemplate: {
        containersTemplates_SOME: {
          securityContext: {
            OR: [
              { isSeccompProfileSet: false }
              { isSELinuxOptionsSet: false }
              { allowPrivilegeEscalation: true }
              { runAsNonRoot: false }
              { runAsUser_GTE: 1000 }
              { runAsGroup_GTE: 1000 }
              { readOnlyRootFilesystem: false }
              { capabilitiesAdd_INCLUDES: "SYS_ADMIN" }
              { privileged: true }
              {
                NOT: {
                  OR: [
                    { capabilitiesDrop_INCLUDES: "NET_RAW" }
                    { capabilitiesDrop_INCLUDES: "ALL" }
                    { capabilitiesDrop_INCLUDES: "all" }
                  ]
                }
              }
            ]
          }
        }
      }
    }
  ) {
    ...AssetFragment
  }
}
Kubernetes StatefulSets PodTemplates with permissive security context
Connectors
Covered asset types
Expected check: eq []
{
  statefulSets(
    where: {
      podTemplate: {
        securityContext: {
          OR: [
            { supplementalGroups: [] }
            { isSysctlsContainingElements: false }
            { isSeccompProfileSet: false }
            { isFSGroupChangePolicySet: false }
            { isFSGroupSet: false }
            {
              NOT: {
                OR: [
                  {
                    isFSGroupChangePolicySet: true
                    fsGroupChangePolicy_CONTAINS: "Always"
                  }
                  {
                    isFSGroupChangePolicySet: true
                    fsGroupChangePolicy_CONTAINS: "OnRootMismatch"
                  }
                ]
              }
            }
            { AND: [{ isFSGroupSet: true }, { fsGroup_LTE: 0 }] }
          ]
        }
      }
    }
  ) {
    ...AssetFragment
  }
}
Kubernetes ReplicaSets PodTemplates with permissive security context
Connectors
Covered asset types
Expected check: eq []
{
  replicaSets(
    where: {
      deploymentName: ""
      podTemplate: {
        securityContext: {
          OR: [
            { supplementalGroups: [] }
            { isSysctlsContainingElements: false }
            { isSeccompProfileSet: false }
            { isFSGroupChangePolicySet: false }
            { isFSGroupSet: false }
            {
              NOT: {
                OR: [
                  {
                    isFSGroupChangePolicySet: true
                    fsGroupChangePolicy_CONTAINS: "Always"
                  }
                  {
                    isFSGroupChangePolicySet: true
                    fsGroupChangePolicy_CONTAINS: "OnRootMismatch"
                  }
                ]
              }
            }
            { AND: [{ isFSGroupSet: true }, { fsGroup_LTE: 0 }] }
          ]
        }
      }
    }
  ) {
    ...AssetFragment
  }
}
Kubernetes Deployments PodTemplates with permissive security context
Connectors
Covered asset types
Expected check: eq []
{
  deployments(
    where: {
      podTemplate: {
        securityContext: {
          OR: [
            { supplementalGroups: [] }
            { isSysctlsContainingElements: false }
            { isSeccompProfileSet: false }
            { isFSGroupChangePolicySet: false }
            { isFSGroupSet: false }
            {
              NOT: {
                OR: [
                  {
                    isFSGroupChangePolicySet: true
                    fsGroupChangePolicy_CONTAINS: "Always"
                  }
                  {
                    isFSGroupChangePolicySet: true
                    fsGroupChangePolicy_CONTAINS: "OnRootMismatch"
                  }
                ]
              }
            }
            { AND: [{ isFSGroupSet: true }, { fsGroup_LTE: 0 }] }
          ]
        }
      }
    }
  ) {
    ...AssetFragment
  }
}
Kubernetes DaemonSets PodTemplates with permissive security context
Connectors
Covered asset types
Expected check: eq []
{
  daemonSets(
    where: {
      podTemplate: {
        securityContext: {
          OR: [
            { supplementalGroups: [] }
            { isSysctlsContainingElements: false }
            { isSeccompProfileSet: false }
            { isFSGroupChangePolicySet: false }
            { isFSGroupSet: false }
            {
              NOT: {
                OR: [
                  {
                    isFSGroupChangePolicySet: true
                    fsGroupChangePolicy_CONTAINS: "Always"
                  }
                  {
                    isFSGroupChangePolicySet: true
                    fsGroupChangePolicy_CONTAINS: "OnRootMismatch"
                  }
                ]
              }
            }
            { AND: [{ isFSGroupSet: true }, { fsGroup_LTE: 0 }] }
          ]
        }
      }
    }
  ) {
    ...AssetFragment
  }
}
Kubernetes Jobs PodTemplates with permissive security context
Connectors
Covered asset types
Expected check: eq []
{
  jobs(
    where: {
      cronJobName: ""
      podTemplate: {
        securityContext: {
          OR: [
            { supplementalGroups: [] }
            { isSysctlsContainingElements: false }
            { isSeccompProfileSet: false }
            { isFSGroupChangePolicySet: false }
            { isFSGroupSet: false }
            {
              NOT: {
                OR: [
                  {
                    isFSGroupChangePolicySet: true
                    fsGroupChangePolicy_CONTAINS: "Always"
                  }
                  {
                    isFSGroupChangePolicySet: true
                    fsGroupChangePolicy_CONTAINS: "OnRootMismatch"
                  }
                ]
              }
            }
            { AND: [{ isFSGroupSet: true }, { fsGroup_LTE: 0 }] }
          ]
        }
      }
    }
  ) {
    ...AssetFragment
  }
}
Kubernetes CronJobs templates with permissive security context
Connectors
Covered asset types
Expected check: eq []
{
  cronJobs(
    where: {
      podTemplate: {
        securityContext: {
          OR: [
            { supplementalGroups: [] }
            { isSysctlsContainingElements: false }
            { isSeccompProfileSet: false }
            { isFSGroupChangePolicySet: false }
            { isFSGroupSet: false }
            {
              NOT: {
                OR: [
                  {
                    isFSGroupChangePolicySet: true
                    fsGroupChangePolicy_CONTAINS: "Always"
                  }
                  {
                    isFSGroupChangePolicySet: true
                    fsGroupChangePolicy_CONTAINS: "OnRootMismatch"
                  }
                ]
              }
            }
            { AND: [{ isFSGroupSet: true }, { fsGroup_LTE: 0 }] }
          ]
        }
      }
    }
  ) {
    ...AssetFragment
  }
}
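As an added example (not the scanner's own query engine), the container-level conditions of the checks above applied offline to a workload manifest loaded as a dict, for instance from yaml.safe_load, so a manifest can be checked before it is deployed. It reads an unset boolean as the kubelet default (the permissive side), leaves the uid/gid thresholds and the pod-level conditions aside, and the Deployment at the end is a constructed sample with one hardened and one permissive container.

```python
def container_findings(container: dict) -> list[str]:
    """Conditions of the check that fire; unset booleans count as the kubelet default (permissive)."""
    sc = container.get("securityContext") or {}
    caps = sc.get("capabilities") or {}
    added, dropped = set(caps.get("add") or []), set(caps.get("drop") or [])
    findings = []
    if "seccompProfile" not in sc:
        findings.append("seccompProfile not set")
    if "seLinuxOptions" not in sc:
        findings.append("seLinuxOptions not set")
    if sc.get("allowPrivilegeEscalation") is not False:  # unset defaults to true
        findings.append("allowPrivilegeEscalation not disabled")
    if sc.get("runAsNonRoot") is not True:
        findings.append("runAsNonRoot not enforced")
    if sc.get("readOnlyRootFilesystem") is not True:
        findings.append("root filesystem writable")
    if "SYS_ADMIN" in added:
        findings.append("adds SYS_ADMIN")
    if sc.get("privileged") is True:
        findings.append("privileged")
    if not (dropped & {"NET_RAW", "ALL", "all"}):  # any one of these satisfies the check
        findings.append("does not drop NET_RAW or ALL")
    return findings

def pod_spec(workload: dict) -> dict:
    """CronJobs nest the pod template one level deeper than the other workload kinds."""
    spec = workload.get("spec", {})
    if workload.get("kind") == "CronJob":
        spec = spec.get("jobTemplate", {}).get("spec", {})
    return spec.get("template", {}).get("spec", {})

def workload_findings(workload: dict) -> dict[str, list[str]]:
    """Container name -> findings; an empty list means that container passes."""
    containers = pod_spec(workload).get("containers", [])
    return {c["name"]: container_findings(c) for c in containers}

def is_compliant(workload: dict) -> bool:
    return not any(workload_findings(workload).values())

SAMPLE_DEPLOYMENT = {  # constructed input, not taken from any real cluster
    "kind": "Deployment",
    "spec": {"template": {"spec": {"containers": [
        {"name": "web", "securityContext": {  # hardened: passes every condition
            "runAsNonRoot": True, "runAsUser": 10001, "runAsGroup": 10001,
            "allowPrivilegeEscalation": False, "readOnlyRootFilesystem": True,
            "seccompProfile": {"type": "RuntimeDefault"},
            "seLinuxOptions": {"level": "s0:c123,c456"},
            "capabilities": {"drop": ["ALL"]}}},
        {"name": "sidecar",  # permissive: adds SYS_ADMIN and sets nothing else
         "securityContext": {"capabilities": {"add": ["SYS_ADMIN"]}}}]}}}}
```

Running `workload_findings(SAMPLE_DEPLOYMENT)` reports nothing for `web` and seven findings for `sidecar`, which is the same container the stored checks would flag.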