Getting Started

Checks

AWS Checks

Home AWS001 AWS002 AWS003 AWS004 AWS005 AWS006 AWS007 AWS008 AWS009 AWS010 AWS011 AWS012 AWS013 AWS014 AWS015 AWS016 AWS017 AWS018 AWS019 AWS020 AWS021 AWS022 AWS023 AWS024 AWS025 AWS031 AWS032 AWS033 AWS034 AWS035 AWS036 AWS037 AWS038 AWS039 AWS040 AWS041 AWS042 AWS043 AWS044 AWS045 AWS046 AWS047 AWS048 AWS049 AWS050 AWS051 AWS052 AWS053 AWS054 AWS055 AWS057

AZURE Checks

Home AZU001 AZU002 AZU003 AZU004 AZU005 AZU006 AZU007 AZU008 AZU009 AZU010 AZU011 AZU012 AZU013 AZU014 AZU015 AZU016 AZU017 AZU018 AZU019

GENERAL Checks

Home GEN001 GEN002 GEN003

GOOGLE Checks

Home GCP001 GCP002 GCP003 GCP004 GCP005 GCP006 GCP007 GCP008 GCP009 GCP010 GCP011 GCP012

Github Actions

Code Scanning Alerts PR Commenter

GCP009

Pod security policy enforcement not defined.

Explanation

By default, Pods in Kubernetes can operate with capabilities beyond what they require. You should constrain the Pod’s capabilities to only those required for that workload.

Kubernetes offers controls for restricting your Pods to execute with only explicitly granted capabilities.

Pod Security Policy allows you to set smart defaults for your Pods, and enforce controls you want to enable across your fleet.

The policies you define should be specific to the needs of your application

Insecure Example

The following example will fail the GCP009 check.

resource "google_container_cluster" "gke" {
	pod_security_policy_config {
        enabled = "false"
	}
}

Secure Example

The following example will pass the GCP009 check.

resource "google_container_cluster" "gke" {
	pod_security_policy_config {
        enabled = "true"
	}
}

Improve this page