KubernetesOverview
Checks that every namespace enabled restricted pod security admission, or if there are external policies applied for namespaced resources (validating/mutating webhooks) - returns them to be reviewed.
Remediation guidance
Ensure that either Pod Security Admission or an external policy control system is in place for every namespace which contains user workloads.
Impact Statement
Where policy control systems are in place, there is a risk that workloads required for the operation of the cluster may be stopped from running. Care is required when implementing admission control policies to ensure that this does not occur.
Default Value
By default, Pod Security Admission is enabled but no policies are in place.
Multiple Remediation Paths
SERVICE-WIDE (RECOMMENDED when many resources are affected): Apply organization/tenant-level guardrails and baseline policies for the entire platform.
ASSET-LEVEL: Fix only the affected resources identified by this control.
PREVENTIVE: Add preventive policy checks to CI/CD and periodic posture scans.
References for Service-Wide Patterns
- Platform policy/governance and preventive control patterns should be applied tenant-wide where supported.
Query logic
These are the stored checks tied to this control.
Ensure namespace enable restricted pod security admission
Connectors
Covered asset types
Expected check: eq []
{
namespaces(
where: {
tags_NONE: {
key: "pod-security.kubernetes.io/enforce"
value: "restricted"
}
}
) {
...AssetFragment
}
}
