Kubernetes policies in DevOps Config
Summary of Kubernetes policies in DevOps Config
The DevOps Config Policy content pack in ServiceNow provides a predefined set of Kubernetes policies to validate your Kubernetes configurations. These policies help ensure your cluster setup adheres to security best practices and operational standards. Note that starting with the Washington D.C. release, DevOps Config is being prepared for deprecation and will no longer be activated on new instances, but existing support continues.
You cannot modify the default policies directly but can create copies to customize them for your environment. These policies enable you to verify compliance of your Kubernetes configurations and manage the lifecycle of PaCE policies.
Key Features
- Admission Control and API Server Security: Policies verify if the AlwaysPullImages admission plugin is enabled, prevent insecure bind addresses, and check HTTPS enforcement between API server and kubelet.
- Authentication and Authorization: Checks ensure static token files and service account private keys are properly set, basic auth files are not used, and RBAC rules avoid wildcards to restrict permissions.
- Container Security: Validations confirm containers do not run as root or with privileged access, enforce dropping unnecessary capabilities, require read-only root filesystems, and mandate seccomp profiles to limit system calls.
- Resource Management: Policies ensure CPU and memory requests are within defined limits to prevent resource overconsumption.
- Configuration Best Practices: Checks include verifying image pull policies are set to Always, Docker daemon sockets are not exposed, and privilege escalation is disallowed.
What to Expect
By applying these policies, ServiceNow customers can systematically validate Kubernetes cluster configurations to enhance security, compliance, and operational stability. Non-compliance statuses clearly indicate where configuration adjustments are required to meet recommended standards.
This suite of policies supports governance across Kubernetes environments, helping reduce risks from misconfigurations and improving overall cluster hygiene in DevOps workflows.
By default, the DevOps Config Policy content pack contains a set of policies to validate your Kubernetes configuration.
Always Pull Images Admission Control Plugin Is Enabled (container_always_pull_images_plugin_is_enabled)
Checks whether the AlwaysPullImages admission controller plugin is enabled for the Kubernetes API server.
Results in a non-compliant status when the AlwaysPullImages plugin is not included in the --enable-admission-plugins argument of the kube-apiserver command.
Basic Auth File Isn't Set (container_basic_auth_file_is_not_set)
Checks whether the Kubernetes API server is not using the basic user authentication mechanism.
Results in a non-compliant status when the --basic-auth-file argument is specified for a container when using the kube-apiserver command.
Bind Address Isn't Set (container_bind_address_not_set_to_localhost)
Checks whether the bind address of the Kubernetes scheduler or Kubernetes controller manager is not 127.0.0.1.
Results in a non-compliant status when the --bind-address argument is set to 127.0.0.1 for a container when using the kube-controller-manager or kube-scheduler command.
Containers Don't Run With Low UID (container_uid_minimum_limit)
Checks whether the UID of each container within a Kubernetes pod is greater than or equal to the specified minimum UID value.
Results in a non-compliant status if the UID defined for a container is less than the minimum UID value. If no UID is defined for a container, the UID of the associated pod is validated instead.
- Input argument: min_uid
  - Description: The minimum UID value required for the containers in a pod.
  - Default value: 10000
  - Type: Integer
  - Mandatory: False
Containers Require Drop Capabilities (container_requires_drop_capabilities)
Checks whether the drop capabilities are defined for containers within a Kubernetes pod.
Results in a non-compliant status when the drop capabilities for a container are not defined.
Containers Run as a Non-Root User (container_run_as_nonroot_user)
Checks whether the containers within a Kubernetes pod run only as a non-root user to limit the exploitability of security misconfiguration and to restrict an attacker's possibilities in case of compromise.
Results in a non-compliant status when the runAsNonRoot key for a container is set to false or the user ID (UID) of a container is zero.
Containers Run Without Privilege Access (container_is_not_privileged)
Checks whether the containers within a Kubernetes pod are run without privileged access.
Results in a non-compliant status when the privileged field for a container is set to true.
Containers Run Without Sys Admin Capability (container_is_without_sys_admin_capability)
Checks whether the containers within a Kubernetes pod are run without the SYS_ADMIN capability.
Results in a non-compliant status when the SYS_ADMIN capability is assigned to a container.
CPU Requests Are Within Limits (container_cpu_request_within_limits)
Checks whether the containers within a Kubernetes pod are requesting central processing unit (CPU) resources within the specified CPU limit.
Results in a non-compliant status when either the limits.cpu key is not defined or the value of the requests.cpu key exceeds the value of the limits.cpu key.
Docker Daemon Socket Isn't Exposed (docker_daemon_socket_not_exposed)
Checks whether the Docker daemon socket is not exposed to containers.
Results in a non-compliant status when the hostPath.path key for a volume is set to /var/run/docker.sock.
Image Pull Policy Is Always (container_imagePullPolicy_is_always)
Checks whether the imagePullPolicy field for each container within a Kubernetes pod is set to Always.
Results in a non-compliant status if the imagePullPolicy field is not defined or is set to a value other than Always.
Insecure Bind Address Isn't Set (container_insecure_bind_address_is_not_set)
Checks whether the Kubernetes API server does not bind to an insecure address that otherwise could enable attackers to connect to the server over the insecure port and potentially read sensitive data in transit.
Results in a non-compliant status when the --insecure-bind-address argument is specified when using the kube-apiserver command.
Kubelet HTTPS Is True (container_kubelet_https_is_true)
Checks whether the connections between the Kubernetes API server and the kubelet use the HTTPS protocol to secure data transfer.
Results in a non-compliant status when the --kubelet-https argument is set to false when using the kube-apiserver command.
Memory Requests Are Within Limits (container_memory_request_within_limits)
Checks whether the containers within a Kubernetes pod are requesting memory resources within the specified memory limit.
Results in a non-compliant status when either the limits.memory key is not defined or the value of the requests.memory key exceeds the value of the limits.memory key.
No Wildcard in the RBAC Rule (rbac_no_wildcard_in_rule)
Checks whether Role and ClusterRole resources avoid wildcards when referring to objects or actions in a role-based access control (RBAC) rule.
Results in a non-compliant status when wildcards are used in the apiGroups, resources, or verbs of an RBAC rule.
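The wildcard check described above, as an added example that is not ServiceNow's DevOps Config code: it walks the rules of a Role or ClusterRole (held as a Python dict) and reports each field that uses "*", treating the empty string (the core API group) as a normal, non-wildcard value.

```python
# Added example (not ServiceNow's DevOps Config code): flags wildcard use in the
# rules of a Role or ClusterRole, as the rbac_no_wildcard_in_rule policy describes.
WILDCARD_FIELDS = ("apiGroups", "resources", "verbs")


def wildcard_findings(role: dict) -> list:
    """Return (rule index, field name) pairs for every rule field containing '*'."""
    found = []
    for i, rule in enumerate(role.get("rules", [])):
        for field in WILDCARD_FIELDS:
            # "" (the core API group) is not a wildcard; only a literal "*" counts
            if "*" in rule.get(field, []):
                found.append((i, field))
    return found


def is_compliant(role: dict) -> bool:
    """True when no rule of the Role/ClusterRole uses a wildcard."""
    return not wildcard_findings(role)


# Constructed sample: a ClusterRole that grants every verb on every resource.
OVERBROAD = {"kind": "ClusterRole", "metadata": {"name": "example-admin"},
             "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get"]},
                       {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]}
# Constructed sample: read-only access to pods in the core API group.
SCOPED = {"kind": "Role", "metadata": {"name": "pod-reader"},
          "rules": [{"apiGroups": [""], "resources": ["pods"],
                     "verbs": ["get", "list", "watch"]}]}
```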
Privilege Escalation Not Allowed (container_privilege_escalation_not_allowed)
Checks whether the containers within a Kubernetes pod have less privileges than their parent process.
Results in a non-compliant status when the allowPrivilegeEscalation key for a container is either set to true or not defined.
Root Containers Admitted (container_read_only_root_file_system)
Checks whether the containers within a Kubernetes pod have the root file system set to read only.
Results in a non-compliant status when the readOnlyRootFilesystem key for a container is not defined or is set to false.
Seccomp Profile Is Configured (container_seccomp_profile_is_configured)
Checks whether the containers within a Kubernetes pod are configured with a secure computing mode (seccomp) profile to restrict potentially dangerous system calls (syscalls).
Results in a non-compliant status when the seccompProfile.type key for a container is either not defined or set to a value other than Localhost or RuntimeDefault.
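The pod-level policies on this page (minimum UID, non-root user, privileged mode, drop capabilities, SYS_ADMIN, privilege escalation, read-only root filesystem, seccomp profile, image pull policy, CPU and memory requests versus limits, and the Docker socket hostPath), as an added example that is not ServiceNow's DevOps Config code. It evaluates a Pod manifest held as a Python dict (a constructed sample, so no YAML parser is needed) and returns the names of the policies the pod fails; the min_uid argument mirrors the page's default of 10000.

```python
# Added example (not ServiceNow's DevOps Config code): evaluates the container
# policies described on this page against a Pod manifest held as a Python dict.
DOCKER_SOCK = "/var/run/docker.sock"
ALLOWED_SECCOMP = {"Localhost", "RuntimeDefault"}

def _qty(v: str) -> float:
    """Parse the Kubernetes quantity forms used here: '500m', '256Mi', '1'."""
    for suf, mult in {"m": 1e-3, "Ki": 2**10, "Mi": 2**20, "Gi": 2**30}.items():
        if v.endswith(suf):
            return float(v[: -len(suf)]) * mult
    return float(v)

def check_pod(pod: dict, min_uid: int = 10000) -> list:
    """Return the names of the policies this Pod fails (min_uid mirrors the page's default)."""
    spec = pod.get("spec", {})
    out = ["docker_daemon_socket_not_exposed"] if any(
        v.get("hostPath", {}).get("path") == DOCKER_SOCK for v in spec.get("volumes", [])) else []
    for c in spec.get("containers", []):
        sc, res = c.get("securityContext", {}), c.get("resources", {})
        req, lim, caps = res.get("requests", {}), res.get("limits", {}), sc.get("capabilities", {})
        # The UID falls back to the pod-level securityContext when the container sets none.
        uid = sc.get("runAsUser", spec.get("securityContext", {}).get("runAsUser"))
        checks = [
            (uid is not None and uid < min_uid, "container_uid_minimum_limit"),
            (sc.get("runAsNonRoot") is False or uid == 0, "container_run_as_nonroot_user"),
            (sc.get("privileged") is True, "container_is_not_privileged"),
            ("drop" not in caps, "container_requires_drop_capabilities"),
            ("SYS_ADMIN" in caps.get("add", []), "container_is_without_sys_admin_capability"),
            (sc.get("allowPrivilegeEscalation", True), "container_privilege_escalation_not_allowed"),
            (not sc.get("readOnlyRootFilesystem", False), "container_read_only_root_file_system"),
            (sc.get("seccompProfile", {}).get("type") not in ALLOWED_SECCOMP,
             "container_seccomp_profile_is_configured"),
            (c.get("imagePullPolicy") != "Always", "container_imagePullPolicy_is_always"),
        ]
        # Resource checks: the limit must exist and the request must not exceed it.
        for r in ("cpu", "memory"):
            checks.append((r not in lim or _qty(req.get(r, "0")) > _qty(lim[r]),
                           f"container_{r}_request_within_limits"))
        out += [name for failed, name in checks if failed]
    return out

# Constructed sample: one container that trips most of the policies at once.
SAMPLE_POD = {"spec": {
    "volumes": [{"name": "d", "hostPath": {"path": DOCKER_SOCK}}],
    "containers": [{"name": "app", "imagePullPolicy": "IfNotPresent",
                    "securityContext": {"runAsUser": 0, "privileged": True,
                                        "capabilities": {"add": ["SYS_ADMIN"]}},
                    "resources": {"requests": {"cpu": "2", "memory": "256Mi"},
                                  "limits": {"cpu": "500m", "memory": "512Mi"}}}]}}
```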
Service Account Private Key File Is Specified (container_service_account_private_key_file_is_specified)
Checks whether the --service-account-private-key-file argument is specified with the kube-controller-manager command for a container.
Results in a non-compliant status when the --service-account-private-key-file argument is not specified for a container when using the kube-controller-manager command.
Secure Port Isn't Set to Zero (container_secure_port_not_set_to_zero)
Checks whether the Kubernetes API server is not using port 0 for the HTTPS authentication and authorization.
Results in a non-compliant status when the --secure-port argument is set to 0 for a container when using the kube-apiserver command.
Token Auth File Isn't Set (token_auth_file_is_not_set)
Checks whether the Kubernetes API server is not using a static token file for user authentication.
Results in a non-compliant status when the --token-auth-file argument is specified when using the kube-apiserver command.
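The control-plane command-line policies on this page (AlwaysPullImages admission plugin, basic auth file, token auth file, insecure bind address, kubelet HTTPS, secure port, and the controller manager's service account private key file), as an added example that is not ServiceNow's DevOps Config code. It reads the `command` list of a static Pod container, assumes flags are written in `--flag=value` form, and returns the names of the policies that fail.

```python
# Added example (not ServiceNow's DevOps Config code): evaluates the control-plane
# command-line policies on this page against a container's `command` list.
def _args(command: list) -> dict:
    """Map '--flag=value' entries to {flag: value}; bare flags map to ''."""
    out = {}
    for item in command[1:]:  # command[0] is the binary
        flag, _, value = item.partition("=")
        out[flag] = value
    return out


def check_control_plane(command: list) -> list:
    """Return the names of the policies this component's command line fails."""
    binary, args = command[0].rsplit("/", 1)[-1], _args(command)
    failed = []
    if binary == "kube-apiserver":
        plugins = args.get("--enable-admission-plugins", "").split(",")
        if "AlwaysPullImages" not in plugins:
            failed.append("container_always_pull_images_plugin_is_enabled")
        if "--basic-auth-file" in args:
            failed.append("container_basic_auth_file_is_not_set")
        if "--token-auth-file" in args:
            failed.append("token_auth_file_is_not_set")
        if "--insecure-bind-address" in args:
            failed.append("container_insecure_bind_address_is_not_set")
        if args.get("--kubelet-https") == "false":
            failed.append("container_kubelet_https_is_true")
        if args.get("--secure-port") == "0":
            failed.append("container_secure_port_not_set_to_zero")
    elif binary == "kube-controller-manager":
        if "--service-account-private-key-file" not in args:
            failed.append("container_service_account_private_key_file_is_specified")
    return failed


# Constructed sample: an API server command line that trips several policies.
APISERVER_CMD = ["kube-apiserver", "--enable-admission-plugins=NodeRestriction",
                 "--token-auth-file=/etc/kubernetes/tokens.csv", "--secure-port=0",
                 "--insecure-bind-address=0.0.0.0"]
```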