Pod security policy enabled remediation

Using Console

Using CLI

To remediate the “Pod Security Policy Should Be Enabled” misconfiguration in GCP, you can follow these step-by-step instructions using GCP CLI:

First, ensure that you have the necessary permissions to create and modify Pod Security Policies in your GCP project.
Open the Google Cloud Console and navigate to the Kubernetes Engine section.
Select the cluster where you want to enable Pod Security Policy.
Click the “Edit” button to edit the cluster configuration.
Scroll down to the “Security” section and click “Enable Pod Security Policy”.
Click “Save” to apply the changes.
Alternatively, you can use the GCP CLI to enable Pod Security Policy for your GCP cluster. Open your terminal or command prompt and run the following command:

gcloud beta container clusters update CLUSTER_NAME --enable-pod-security-policy

Make sure to replace CLUSTER_NAME with the name of your GCP cluster.

Verify that Pod Security Policy has been enabled by running the following command:

gcloud beta container clusters describe CLUSTER_NAME --zone ZONE | grep podSecurityPolicyConfig

Make sure to replace CLUSTER_NAME with the name of your GCP cluster and ZONE with the zone where your cluster is located.If the output shows "podSecurityPolicyConfig": {"enabled": true}, then Pod Security Policy has been successfully enabled for your GCP cluster.

Using Python

To remediate the misconfiguration of Pod Security Policy not being enabled in GCP using Python, follow the below steps:

Install the required Python libraries:

pip install google-auth google-auth-oauthlib google-auth-httplib2 google-cloud-container google-cloud-logging

Authenticate to the GCP project using a service account:

from google.oauth2 import service_account

credentials = service_account.Credentials.from_service_account_file('<path_to_service_account_file>')

Connect to the Kubernetes cluster using the Kubernetes Python client:

from kubernetes import client, config

config.load_kube_config()
v1 = client.CoreV1Api()

Create a Pod Security Policy object:

psp = {
   "apiVersion": "policy/v1beta1",
   "kind": "PodSecurityPolicy",
   "metadata": {
      "name": "restricted-psp"
   },
   "spec": {
      "privileged": False,
      "allowPrivilegeEscalation": False,
      "requiredDropCapabilities": [
         "ALL"
      ],
      "fsGroup": {
         "rule": "RunAsAny"
      },
      "runAsUser": {
         "rule": "MustRunAsNonRoot"
      },
      "seLinux": {
         "rule": "RunAsAny"
      },
      "supplementalGroups": {
         "rule": "RunAsAny"
      },
      "volumes": [
         "configMap",
         "downwardAPI",
         "emptyDir",
         "persistentVolumeClaim",
         "secret"
      ]
   }
}

Create the Pod Security Policy object in the Kubernetes cluster:

api_instance = client.PolicyV1beta1Api()
api_instance.create_pod_security_policy(psp)

Verify that the Pod Security Policy object was created successfully:

api_response = api_instance.list_pod_security_policy()
for item in api_response.items:
   print(item.metadata.name)

Once the above steps are completed, the Pod Security Policy will be enabled in the GCP Kubernetes cluster, and all pods will be required to adhere to the policy.

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

Pod security policy enabled remediation

Triage and Remediation

Remediation

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

​Triage and Remediation

​Remediation

Triage and Remediation

Remediation