KubernetesOverview
Checks that every namespace enabled restricted pod security admission, or if there are external policies applied for namespaced resources (validating/mutating webhooks) - returns them to be reviewed.
Remediation guidance
Ensure that either Pod Security Admission or an external policy control system is in place for every namespace which contains user workloads.
Impact Statement
Where policy control systems are in place, there is a risk that workloads required for the operation of the cluster may be stopped from running. Care is required when implementing admission control policies to ensure that this does not occur.
Default Value
By default, Pod Security Admission is enabled but no policies are in place.
Service-wide remediation
Recommended when many resources are affected: fix the platform baseline first so new resources inherit the secure setting, then remediate the existing flagged resources in batches.
Kubernetes
Use admission policies, baseline cluster configuration, GitOps templates, and namespace or workload guardrails so new deployments follow the control by default.
Operational rollout
- Fix the baseline first at the account, subscription, project, cluster, or tenant scope that owns this control.
- Remediate the currently affected resources in batches, starting with internet-exposed and production assets.
- Re-scan and track approved exceptions with an owner and expiry date.
Query logic
These are the stored checks tied to this control.
Ensure namespace enable restricted pod security admission
Connectors
Covered asset types
Expected check: eq []
{
namespaces(
where: {
tags_NONE: {
key: "pod-security.kubernetes.io/enforce"
value: "restricted"
}
}
) {
...AssetFragment
}
}
