Ensure that pods meet defined Pod Security Standards


ID: MS-M9017
MITRE mitigation: -

The Pod Security Standards define three policies that together cover the security spectrum. The policies are cumulative and range from highly permissive to highly restrictive. Decoupling the definition of a policy from its instantiation gives clusters a common vocabulary for policies regardless of the mechanism that enforces them. Kubernetes also ships a built-in Pod Security admission controller that enforces the Pod Security Standards: restrictions are configured per namespace and applied at admission time, when a pod is created.
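The following manifests are an added illustration, not part of the original mitigation page, showing how the built-in Pod Security admission controller is configured and what it rejects. The controller reads the `pod-security.kubernetes.io/enforce`, `audit` and `warn` labels on a namespace; the three standard levels are `privileged`, `baseline` and `restricted`. The namespace name, pod names and image tags are placeholders chosen for the example.

```yaml
# Namespace configuration (example, constructed for this page).
# "enforce" rejects violating pods outright; "audit" records violations in the
# audit log; "warn" returns a warning to the client without blocking the pod.
# Pinning the version avoids surprise rejections when the cluster is upgraded
# and a newer revision of the standard tightens a check.
apiVersion: v1
kind: Namespace
metadata:
  name: example-workloads   # placeholder name
  labels:
    pod-security.kubernetes.io/enforce: baseline
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/audit-version: latest
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/warn-version: latest
---
# This pod is REJECTED by "enforce: baseline": it asks for a privileged
# container (MS-TA9018) and a writable hostPath mount (MS-TA9013), both of
# which the baseline level forbids.
apiVersion: v1
kind: Pod
metadata:
  name: rejected-example   # placeholder name
  namespace: example-workloads
spec:
  containers:
    - name: app
      image: example.invalid/app:1.0   # placeholder image
      securityContext:
        privileged: true               # blocked by baseline
      volumeMounts:
        - name: host-root
          mountPath: /host
  volumes:
    - name: host-root
      hostPath:                        # hostPath volumes blocked by baseline
        path: /
---
# This pod is ADMITTED under "enforce: baseline" and also satisfies the
# "restricted" checks, so it produces no audit entry and no warning.
apiVersion: v1
kind: Pod
metadata:
  name: admitted-example   # placeholder name
  namespace: example-workloads
spec:
  securityContext:
    runAsNonRoot: true
    seccompProfile:
      type: RuntimeDefault
  containers:
    - name: app
      image: example.invalid/app:1.0   # placeholder image
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
      volumeMounts:
        - name: scratch
          mountPath: /tmp
  volumes:
    - name: scratch
      emptyDir: {}                     # ephemeral volume instead of hostPath
```

Running `enforce` at `baseline` while `audit` and `warn` run at `restricted` is a common rollout pattern: the namespace immediately blocks privileged containers and hostPath mounts, and the audit log and client warnings reveal which workloads still need changes before `enforce` is raised to `restricted`.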

Techniques Addressed by Mitigation

ID Name Use
MS-TA9013 Writable hostPath mount Apply the Baseline or Restricted Pod Security Standard to prevent exploitation of writable hostPath mounts.
MS-TA9018 Privileged container Apply the Baseline or Restricted Pod Security Standard to block privileged containers.