Kubernetes must enable PodSecurity admission controller on static pods and Kubelets.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
high	V-254801	SRG-APP-000342-CTR-000775	CNTR-K8-002001	SV-254801r961359_rule	2025-02-20	2

Description
PodSecurity admission controller is a component that validates and enforces security policies for pods running within a Kubernetes cluster. It is responsible for evaluating the security context and configuration of pods against defined policies. To enable PodSecurity admission controller on Static Pods (kube-apiserver, kube-controller-manager, or kube-schedule), the argument "--feature-gates=PodSecurity=true" must be set. To enable PodSecurity admission controller on Kubelets, the featureGates PodSecurity=true argument must be set. (Note: The PodSecurity feature gate is GA as of v1.25.)

Description

PodSecurity admission controller is a component that validates and enforces security policies for pods running within a Kubernetes cluster. It is responsible for evaluating the security context and configuration of pods against defined policies. To enable PodSecurity admission controller on Static Pods (kube-apiserver, kube-controller-manager, or kube-schedule), the argument "--feature-gates=PodSecurity=true" must be set. To enable PodSecurity admission controller on Kubelets, the featureGates PodSecurity=true argument must be set. (Note: The PodSecurity feature gate is GA as of v1.25.)

ℹ️ Check
On the Control Plane, change to the manifests' directory at /etc/kubernetes/manifests and run the command: grep -i feature-gates * For each manifest file, if the "--feature-gates" setting does not exist, does not contain the "--PodSecurity" flag, or sets the flag to "false", this is a finding. On each Control Plane and Worker Node, run the command: ps -ef \| grep kubelet If the "--feature-gates" option exists, this is a finding. Note the path to the config file (identified by --config). Inspect the content of the config file: If the "featureGates" setting is not present, does not contain the "PodSecurity" flag, or sets the flag to "false", this is a finding.

ℹ️ Check

On the Control Plane, change to the manifests' directory at /etc/kubernetes/manifests and run the command: grep -i feature-gates * For each manifest file, if the "--feature-gates" setting does not exist, does not contain the "--PodSecurity" flag, or sets the flag to "false", this is a finding. On each Control Plane and Worker Node, run the command: ps -ef | grep kubelet If the "--feature-gates" option exists, this is a finding. Note the path to the config file (identified by --config). Inspect the content of the config file: If the "featureGates" setting is not present, does not contain the "PodSecurity" flag, or sets the flag to "false", this is a finding.

✔️ Fix
On the Control Plane, change to the manifests' directory at /etc/kubernetes/manifests and run the command: grep -i feature-gates * Ensure the argument "--feature-gates=PodSecurity=true" is present in each manifest file. On each Control Plane and Worker Node, run the command: ps -ef \| grep kubelet Remove the "--feature-gates" option if present. Note the path to the config file (identified by --config). Edit the Kubernetes Kubelet config file: Add a "featureGates" setting if one does not yet exist. Add the feature gate "PodSecurity=true". Restart the kubelet service using the following command: systemctl daemon-reload && systemctl restart kubelet

✔️ Fix

On the Control Plane, change to the manifests' directory at /etc/kubernetes/manifests and run the command: grep -i feature-gates * Ensure the argument "--feature-gates=PodSecurity=true" is present in each manifest file. On each Control Plane and Worker Node, run the command: ps -ef | grep kubelet Remove the "--feature-gates" option if present. Note the path to the config file (identified by --config). Edit the Kubernetes Kubelet config file: Add a "featureGates" setting if one does not yet exist. Add the feature gate "PodSecurity=true". Restart the kubelet service using the following command: systemctl daemon-reload && systemctl restart kubelet