Azure Kubernetes Service – Enhanced Kubernetes cluster pod security baseline standards for Linux-based workloads

This example builds upon existing Pod Security baseline with enhancements, and provides means to manage the initiative as code using GitHub actions. (You can also create manually the initiative, but this guide does not have instructions for manual workflow)

Review the example here https://github.com/jsa2/AKSPodSecurity

Mapping to Azure Policy and specification

The below table highlights healthy, and un-healthy settings examples spec

item	status	YAML
Pods should run as non-root /non-privileged	✔	spec.securityContext privileged: false runAsNonRoot:true allowPrivilegeEscalation: false
Pod Filesystem access should be read-only or limited only for specifed writes	✔	spec.securityContext readOnlyRootFilesystem: true
Pod actions should be limited with appArmor	✔	metadata.annotations container.apparmor.security.beta.kubernetes.io/v5: runtime/default
Pod should be disabled for automation of API credentials	✔	spec automountServiceAccountToken: false
Pod hostPath mounts should only allow predefined mounts, and preferably not used at all (By default Azure Policy audits all hostPath mounts as non compliant, to block hostPath mounts the policy needs to be changed)	✔	spec.Volumes hostPath: <Only allowed values here defined in Azure Policy>
MS direct reference To protect against privilege escalation outside the container, avoid pod access to sensitive host namespaces (host process ID and host IPC) in a Kubernetes cluster.	❌	Should not define use of ’true’ in following settings spec.hostPID hostPID: spec.hostIPC hostIPC:
MS direct reference Pods created with the hostNetwork attribute enabled will share the node’s network space. To avoid compromised container from sniffing network traffic, we recommend not putting your pods on the host network	❌	Should not define use of ’true’ in following settings spec hostNetwork: