V-254801—Kubernetes must enable PodSecurity admission controller on static pods and Kubelets.
>Control Description
>Check Content
On the Control Plane, change to the manifests' directory at /etc/kubernetes/manifests and
$ grep -i feature-gates *
For each manifest file, if the "--feature-gates" setting does not exist, does not contain the "--PodSecurity" flag, or sets the flag to "false", this is a finding.
On each Control Plane and Worker Node,
$ ps -ef | grep kubelet
If the "--feature-gates" option exists, this is a finding. Note the path to the config file (identified by --config). Inspect the content of the config file: if the "featureGates" setting is not present, does not contain the "PodSecurity" flag, or sets the flag to "false", this is a finding.
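The three checks above, scripted as an added example (not part of the STIG text) and run here against constructed sample files rather than a real node. It assumes a YAML KubeletConfiguration with two-space indentation; on a real host the functions would be pointed at /etc/kubernetes/manifests and at the file named by the kubelet's --config.

```shell
#!/bin/sh
# Added example, not part of the STIG text: scripted versions of the
# V-254801 checks, exercised against constructed sample files so the logic
# can be tried offline.

# Finding unless --feature-gates in the manifest lists PodSecurity=true.
manifest_ok() {
  grep -Eq -- '--feature-gates=([^[:space:]]*,)?PodSecurity=true(,|[[:space:]]|$)' "$1"
}

# Finding if the kubelet command line carries --feature-gates at all
# ($1 is the "ps -ef" line for the kubelet process).
kubelet_cmdline_ok() {
  case "$1" in *--feature-gates*) return 1 ;; *) return 0 ;; esac
}

# Path handed to the kubelet with --config (prints nothing if absent).
kubelet_config_path() {
  printf '%s\n' "$1" | sed -n 's/.*--config[= ]\([^[:space:]]*\).*/\1/p'
}

# Finding unless the YAML config has featureGates.PodSecurity: true.
# Assumption: YAML with two-space indentation (JSON configs not handled).
kubelet_config_ok() {
  awk '
    /^featureGates:/           { inblock = 1; next }
    inblock && /^[^[:space:]]/ { inblock = 0 }
    inblock && /^[[:space:]]+PodSecurity:[[:space:]]*true[[:space:]]*$/ { ok = 1 }
    END { exit !ok }' "$1"
}

# Constructed sample inputs (not taken from any real cluster).
DEMO=$(mktemp -d)
printf '    - --feature-gates=PodSecurity=true\n'  > "$DEMO/kube-apiserver.yaml"
printf '    - --feature-gates=PodSecurity=false\n' > "$DEMO/kube-scheduler.yaml"
printf 'kind: KubeletConfiguration\nfeatureGates:\n  PodSecurity: true\n' > "$DEMO/kubelet-good.yaml"
printf 'kind: KubeletConfiguration\nfeatureGates: {}\n' > "$DEMO/kubelet-bad.yaml"
KUBELET_PS="root 1234 1 0 10:00 ? 00:00:05 /usr/bin/kubelet --config=$DEMO/kubelet-good.yaml --kubeconfig=/etc/kubernetes/kubelet.conf"

for m in "$DEMO"/kube-*.yaml; do
  manifest_ok "$m" && echo "PASS    $m" || echo "FINDING $m"
done
kubelet_cmdline_ok "$KUBELET_PS" && echo "PASS    kubelet command line" || echo "FINDING kubelet command line"
cfg=$(kubelet_config_path "$KUBELET_PS")
kubelet_config_ok "$cfg" && echo "PASS    $cfg" || echo "FINDING $cfg"
```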
>Remediation
On the Control Plane, change to the manifests' directory at /etc/kubernetes/manifests and
$ grep -i feature-gates *
Ensure the argument "--feature-gates=PodSecurity=true" is present in each manifest file.
On each Control Plane and Worker Node,
$ ps -ef | grep kubelet
Remove the "--feature-gates" option if present. Note the path to the config file (identified by --config). Edit the Kubernetes Kubelet config file: add a "featureGates" setting if one does not yet exist, and add the feature gate "PodSecurity=true". Restart the kubelet service:
$ systemctl daemon-reload && systemctl restart kubelet
>CCI References
Control Correlation Identifiers (CCIs) map STIG findings to NIST 800-53 controls.
>Cross-Framework Mappings
NIST SP 800-53 r5
via DISA CCI List