gke/ERR/2024_001

Checking for no Pod Security Admission violations in the project.

Product: Google Kubernetes Engine
Rule class: ERR - Something that is very likely to be wrong

Description

The rule checks the project for no Pod Security Admission violations.

Verify that there are no PSA violations in any namespace of any cluster in the project. If there are any violations inspect the logs to find what caused the violation and if required adjust the policy or pod manifest.

Use below logging filter to find the logs:

log_id("cloudaudit.googleapis.com/activity")
resource.type="k8s_cluster"
resource.labels.cluster_name="CLUSTER_NAME"
severity=DEFAULT
protoPayload.response.message:"violates PodSecurity"
protoPayload.response.reason="Forbidden"
protoPayload.resourceName="RESOURCE_NAME"

Replace

  • CLUSTER_NAME with the name of the cluster affected
  • RESOURCE_NAME with the pod resource output generated by the rule

Remediation

If the workload is of interest, the fix would be to analyze the violation by inspecting protoPayload.response.message of the log and referring to the Pod Security Standards Profile to make the required corrections in the workload manifest.

Further information

  1. https://cloud.google.com/kubernetes-engine/docs/how-to/podsecurityadmission
  2. https://kubernetes.io/docs/concepts/security/pod-security-admission/