Kubernetes policies in DevOps Config

  • Release version: Yokohama
  • Updated March 12, 2026
  • 5 minutes to read

    By default, the DevOps Config Policy content pack contains a set of policies to validate your Kubernetes configuration.

    Important:
    Starting with the Washington D.C. release, DevOps Config is being prepared for future deprecation. It will be hidden and no longer activated on new instances but will continue to be supported.
    You can use or customize these default DevOps Config policies to validate that your configuration data content is compliant, or to administer the full life cycle of PaCE policies.
    Note:
    You can’t modify the default policies. However, you can make a copy of the policy and customize your copy.

    Always Pull Images Admission Control Plugin Is Enabled (container_always_pull_images_plugin_is_enabled)

    Checks whether the AlwaysPullImages admission controller plugin is enabled for the Kubernetes API server.

    Results in a non-compliant status when the AlwaysPullImages plugin is not specified in the --enable-admission-plugins argument of the kube-apiserver command.

    Basic Auth File Isn't Set (container_basic_auth_file_is_not_set)

    Checks whether the Kubernetes API server is not using the basic user authentication mechanism.

    Results in a non-compliant status when the --basic-auth-file argument is specified for a container when using the kube-apiserver command.

    Bind Address Isn't Set (container_bind_address_not_set_to_localhost)

    Checks whether the bind address of the Kubernetes scheduler or Kubernetes controller manager is not 127.0.0.1.

    Results in a non-compliant status when the --bind-address argument is set to 127.0.0.1 for a container when using the kube-controller-manager or kube-scheduler command.

    Containers Don't Run With Low UID (container_uid_minimum_limit)

    Checks whether the UID of each container within a Kubernetes pod is greater than or equal to the specified minimum UID value.

    Results in a non-compliant status if the UID defined for a container is less than the minimum UID value. If no UID is defined for a container, the UID of the associated pod is validated instead.

    Input argument
    min_uid
    • The minimum UID value required for the containers in a pod.
    • Default value: 10000
    • Type: Integer
    • Mandatory: False

    Containers Require Drop Capabilities (container_requires_drop_capabilities)

    Checks whether the drop capabilities are defined for containers within a Kubernetes pod.

    Results in a non-compliant status when the drop capabilities for a container are not defined.

    Containers Run as a Non-Root User (container_run_as_nonroot_user)

    Checks whether the containers within a Kubernetes pod run only as a non-root user to limit the exploitability of security misconfiguration and to restrict an attacker's possibilities in case of compromise.

    Results in a non-compliant status when the runAsNonRoot key for a container is set to false or the user ID (UID) of a container is zero.

    Containers Run Without Privilege Access (container_is_not_privileged)

    Checks whether the containers within a Kubernetes pod are run without privileged access.

    Results in a non-compliant status when the privileged field for a container is set to true.

    Containers Run Without Sys Admin Capability (container_is_without_sys_admin_capability)

    Checks whether the containers within a Kubernetes pod are run without the SYS_ADMIN capability.

    Results in a non-compliant status when the SYS_ADMIN capability is assigned to a container.

    CPU Requests Are Within Limits (container_cpu_request_within_limits)

    Checks whether the containers within a Kubernetes pod are requesting the central processing unit (CPU) resources within the specified CPU limit.

    Results in a non-compliant status when either the limits.cpu key is not defined or the value of the requests.cpu key exceeds the value of the limits.cpu key.

    Docker Daemon Socket Isn't Exposed (docker_daemon_socket_not_exposed)

    Checks whether the Docker daemon socket is not exposed to containers.

    Results in a non-compliant status when the hostPath.path key for a volume is set to /var/run/docker.sock.

    Image Pull Policy Is Always (container_imagePullPolicy_is_always)

    Checks whether the imagePullPolicy field for each container within a Kubernetes pod is set to Always.

    Results in a non-compliant status if the imagePullPolicy field is not defined or is not set to Always.

    Insecure Bind Address Isn't Set (container_insecure_bind_address_is_not_set)

    Checks whether the Kubernetes API server does not bind to an insecure address that otherwise could enable attackers to connect to the server over the insecure port and potentially read sensitive data in transit.

    Results in a non-compliant status when the --insecure-bind-address argument is specified when using the kube-apiserver command.

    Kubelet HTTPS Is True (container_kubelet_https_is_true)

    Checks whether the connections between the Kubernetes API server and the kubelet use the HTTPS protocol to secure data transfer.

    Results in a non-compliant status when the --kubelet-https argument is set to false when using the kube-apiserver command.

    Memory Requests Are Within Limits (container_memory_request_within_limits)

    Checks whether the containers within a Kubernetes pod are consuming resources within the specified memory limit.

    Results in a non-compliant status when either the limits.memory key is not defined or the value of the requests.memory key exceeds the value of the limits.memory key.

    No Wildcard in the RBAC Rule (rbac_no_wildcard_in_rule)

    Checks whether Role and ClusterRole resources do not use wildcards to refer to objects or actions in role-based access control (RBAC) rules.

    Results in a non-compliant status when wildcards are used in the apiGroups, resources, or verbs of an RBAC rule.
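The wildcard check above, written out as an added Python example (this is not ServiceNow's DevOps Config code); the two Role/ClusterRole manifests are constructed for the example, and the function name rbac_wildcard_findings is an assumption:

```python
# Added example, not ServiceNow's DevOps Config code: rbac_no_wildcard_in_rule
# as a function over a parsed Role/ClusterRole manifest. Sample roles are constructed.

WILDCARD_FIELDS = ("apiGroups", "resources", "verbs")


def rbac_wildcard_findings(role):
    """Return [(rule_index, field, values)] for every rule of a Role or
    ClusterRole whose apiGroups, resources or verbs contain a wildcard ('*').
    An empty apiGroup ("") is the core API group, not a wildcard."""
    findings = []
    for index, rule in enumerate(role.get("rules", [])):
        for field in WILDCARD_FIELDS:
            values = rule.get(field, [])
            if any("*" in str(value) for value in values):
                findings.append((index, field, list(values)))
    return findings


def is_compliant(role):
    return not rbac_wildcard_findings(role)


# Constructed sample manifests (not from the page).
TIGHT_ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
    "metadata": {"name": "configmap-reader", "namespace": "demo"},
    "rules": [{"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get", "list"]}],
}

BROAD_CLUSTER_ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
    "metadata": {"name": "ops-admin"},
    "rules": [
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]},
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
        {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["*"]},
    ],
}

if __name__ == "__main__":
    for role in (TIGHT_ROLE, BROAD_CLUSTER_ROLE):
        name = role["metadata"]["name"]
        print(name, "compliant" if is_compliant(role) else rbac_wildcard_findings(role))
```

Each finding names the rule index and the field, which is what an operator needs to replace the wildcard with the explicit groups, resources or verbs the workload actually uses.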

    Privilege Escalation Not Allowed (container_privilege_escalation_not_allowed)

    Checks whether the containers within a Kubernetes pod cannot gain more privileges than their parent process.

    Results in a non-compliant status when the allowPrivilegeEscalation key for a container is either set to true or not defined.

    Root Containers Admitted (container_read_only_root_file_system)

    Checks whether the containers within a Kubernetes pod have the root file system set to read only.

    Results in a non-compliant status when the readOnlyRootFilesystem key for a container is not defined or is set to false.

    Seccomp Profile Is Configured (container_seccomp_profile_is_configured)

    Checks whether the containers within a Kubernetes pod are configured with a secure computing mode (seccomp) profile to restrict potentially dangerous system calls (syscalls).

    Results in a non-compliant status when the seccompProfile.type key for a container is either not defined or set to a value other than Localhost or RuntimeDefault.
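The pod-level policies on this page, from Containers Don't Run With Low UID through Seccomp Profile Is Configured (including the Docker daemon socket and image pull policy checks), implemented together as one added Python evaluator. This is example code, not ServiceNow's DevOps Config implementation: the policy IDs are the page's, while the pod/container securityContext merge, the quantity parser, the function names and SAMPLE_POD are assumptions made for the example.

```python
# Added example, not ServiceNow's DevOps Config code: the pod-level checks from
# this page as rule functions over a parsed pod manifest, run on a constructed
# sample pod. Policy IDs follow the page; everything else is assumed.

DOCKER_SOCKET = "/var/run/docker.sock"
# Subset of Kubernetes quantity suffixes (assumed sufficient for the sample).
_SUFFIX = {"Ki": 1024, "Mi": 1024 ** 2, "Gi": 1024 ** 3, "m": 1e-3, "k": 1e3, "M": 1e6, "G": 1e9}


def quantity(value):
    """Parse '500m', '2' or '128Mi' into a float so requests and limits compare."""
    text = str(value)
    for suffix in sorted(_SUFFIX, key=len, reverse=True):
        if text.endswith(suffix):
            return float(text[:-len(suffix)]) * _SUFFIX[suffix]
    return float(text)


def effective_security_context(container, pod):
    """Pod-level securityContext fields act as defaults for a container (the
    page's pod-UID fallback; applied here to every field as an assumption)."""
    merged = dict(pod["spec"].get("securityContext", {}))
    merged.update(container.get("securityContext", {}))
    return merged


def _request_within_limits(resource):
    def rule(c, _s):
        res = c.get("resources", {})
        limit = res.get("limits", {}).get(resource)
        if limit is None:
            return f"limits.{resource} is not defined"
        request = res.get("requests", {}).get(resource)
        if request is not None and quantity(request) > quantity(limit):
            return f"requests.{resource}={request} exceeds limits.{resource}={limit}"
        return None
    return rule


# policy id -> rule(container, effective securityContext) -> reason or None
CONTAINER_RULES = {
    "container_requires_drop_capabilities": lambda c, s: (
        None if s.get("capabilities", {}).get("drop") else "capabilities.drop is not defined"),
    "container_run_as_nonroot_user": lambda c, s: (
        "runAsNonRoot is false" if s.get("runAsNonRoot") is False
        else "runAsUser is 0" if s.get("runAsUser") == 0 else None),
    "container_is_not_privileged": lambda c, s: (
        "privileged is true" if s.get("privileged") is True else None),
    "container_is_without_sys_admin_capability": lambda c, s: (
        "SYS_ADMIN is added" if "SYS_ADMIN" in s.get("capabilities", {}).get("add", []) else None),
    "container_cpu_request_within_limits": _request_within_limits("cpu"),
    "container_memory_request_within_limits": _request_within_limits("memory"),
    "container_imagePullPolicy_is_always": lambda c, s: (
        None if c.get("imagePullPolicy") == "Always" else "imagePullPolicy is not Always"),
    "container_privilege_escalation_not_allowed": lambda c, s: (
        None if s.get("allowPrivilegeEscalation") is False
        else "allowPrivilegeEscalation is true or not defined"),
    "container_read_only_root_file_system": lambda c, s: (
        None if s.get("readOnlyRootFilesystem") is True
        else "readOnlyRootFilesystem is false or not defined"),
    "container_seccomp_profile_is_configured": lambda c, s: (
        None if s.get("seccompProfile", {}).get("type") in ("RuntimeDefault", "Localhost")
        else "seccompProfile.type is not RuntimeDefault or Localhost"),
}


def evaluate_pod(pod, min_uid=10000):
    """Return sorted [(policy_id, container_or_volume_name, reason)]; empty means compliant."""
    findings = []
    spec = pod["spec"]
    for vol in spec.get("volumes", []):  # docker_daemon_socket_not_exposed is pod-level
        if vol.get("hostPath", {}).get("path") == DOCKER_SOCKET:
            findings.append(("docker_daemon_socket_not_exposed", vol.get("name"),
                             f"hostPath.path is {DOCKER_SOCKET}"))
    for c in spec.get("containers", []):
        s = effective_security_context(c, pod)
        uid = s.get("runAsUser")  # container UID, else the pod UID (page rule)
        if uid is not None and uid < min_uid:
            findings.append(("container_uid_minimum_limit", c["name"],
                             f"runAsUser {uid} is below min_uid {min_uid}"))
        for policy_id, rule in CONTAINER_RULES.items():
            reason = rule(c, s)
            if reason:
                findings.append((policy_id, c["name"], reason))
    return sorted(findings)


SAMPLE_POD = {  # constructed manifest: "web" is hardened, "agent" is not
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "demo"},
    "spec": {
        "securityContext": {"runAsUser": 10001, "runAsNonRoot": True,
                            "seccompProfile": {"type": "RuntimeDefault"}},
        "volumes": [{"name": "dockersock", "hostPath": {"path": "/var/run/docker.sock"}}],
        "containers": [
            {"name": "web", "image": "registry.example/web:1.2", "imagePullPolicy": "Always",
             "resources": {"requests": {"cpu": "250m", "memory": "128Mi"},
                           "limits": {"cpu": "500m", "memory": "256Mi"}},
             "securityContext": {"allowPrivilegeEscalation": False, "readOnlyRootFilesystem": True,
                                 "capabilities": {"drop": ["ALL"]}}},
            {"name": "agent", "image": "registry.example/agent:latest",
             "resources": {"requests": {"cpu": "2", "memory": "256Mi"}, "limits": {"cpu": "500m"}},
             "securityContext": {"runAsUser": 0, "privileged": True,
                                 "seccompProfile": {"type": "Unconfined"},
                                 "capabilities": {"add": ["SYS_ADMIN"]}}},
        ],
    },
}

if __name__ == "__main__":
    for policy_id, name, reason in evaluate_pod(SAMPLE_POD):
        print(f"{policy_id}: {name}: {reason}")
```

Running it reports no findings for the hardened "web" container, one finding for the Docker socket volume, and one finding per policy for the "agent" container, including the UID fallback (the container's runAsUser 0 overrides the pod's 10001) and the CPU request of 2 cores exceeding the 500m limit. Passing min_uid to evaluate_pod corresponds to the policy's min_uid input argument.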

    Service Account Private Key File Is Specified (container_service_account_private_key_file_is_specified)

    Checks whether the --service-account-private-key-file argument is specified with the kube-controller-manager command for a container.

    Results in a non-compliant status when the --service-account-private-key-file argument is not specified for a container when using the kube-controller-manager command.

    Secure Port Isn't Set to Zero (container_secure_port_not_set_to_zero)

    Checks whether the Kubernetes API server is not using port 0 for the HTTPS authentication and authorization.

    Results in a non-compliant status when the --secure-port argument is set to 0 for a container when using the kube-apiserver command.

    Token Auth File Isn't Set (token_auth_file_is_not_set)

    Checks whether the Kubernetes API server is not using a static token file for user authentication.

    Results in a non-compliant status when the --token-auth-file argument is specified when using the kube-apiserver command.
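The control-plane command-line policies on this page (Always Pull Images, Basic Auth File, Insecure Bind Address, Kubelet HTTPS, Secure Port, Token Auth File for kube-apiserver, and Service Account Private Key File for kube-controller-manager) as one added Python example that inspects a container's command and args the way a static-pod manifest carries them. This is not ServiceNow's DevOps Config code; the flag parser, the function names and the three sample container specs (including the token file path) are constructed for the example.

```python
# Added example, not ServiceNow's DevOps Config code: kube-apiserver and
# kube-controller-manager argument checks from this page, run over constructed
# container specs. Flag parsing and sample specs are assumptions.

def command_flags(container):
    """Return (binary, {flag: value}) from a container's command + args.
    Accepts --flag=value and --flag value; a bare flag maps to None."""
    words = list(container.get("command", [])) + list(container.get("args", []))
    binary = words[0].rsplit("/", 1)[-1] if words else ""
    flags, i = {}, 1
    while i < len(words):
        word = words[i]
        if word.startswith("--"):
            name, sep, value = word[2:].partition("=")
            if sep:
                flags[name] = value
            elif i + 1 < len(words) and not words[i + 1].startswith("--"):
                flags[name] = words[i + 1]
                i += 1
            else:
                flags[name] = None
        i += 1
    return binary, flags


def apiserver_findings(flags):
    """Policy IDs violated by a kube-apiserver invocation, in page order."""
    plugins = (flags.get("enable-admission-plugins") or "").split(",")
    checks = [
        ("container_always_pull_images_plugin_is_enabled", "AlwaysPullImages" not in plugins),
        ("container_basic_auth_file_is_not_set", "basic-auth-file" in flags),
        ("container_insecure_bind_address_is_not_set", "insecure-bind-address" in flags),
        ("container_kubelet_https_is_true", flags.get("kubelet-https") == "false"),
        ("container_secure_port_not_set_to_zero", flags.get("secure-port") == "0"),
        ("token_auth_file_is_not_set", "token-auth-file" in flags),
    ]
    return [policy for policy, violated in checks if violated]


def controller_manager_findings(flags):
    if "service-account-private-key-file" not in flags:
        return ["container_service_account_private_key_file_is_specified"]
    return []


def evaluate_control_plane(containers):
    """Return [(container_name, policy_id)] for every violated check."""
    findings = []
    for c in containers:
        binary, flags = command_flags(c)
        if binary == "kube-apiserver":
            policies = apiserver_findings(flags)
        elif binary == "kube-controller-manager":
            policies = controller_manager_findings(flags)
        else:
            policies = []  # other components: no checks on this page apply
        findings.extend((c["name"], policy) for policy in policies)
    return findings


SAMPLE_CONTAINERS = [  # constructed static-pod container specs, not from the page
    {"name": "apiserver-hardened",
     "command": ["kube-apiserver",
                 "--enable-admission-plugins=NodeRestriction,AlwaysPullImages",
                 "--secure-port=6443", "--kubelet-https=true"]},
    {"name": "apiserver-legacy",
     "command": ["/usr/local/bin/kube-apiserver"],
     "args": ["--enable-admission-plugins", "NodeRestriction",
              "--token-auth-file", "/etc/kubernetes/tokens.csv",
              "--insecure-bind-address=0.0.0.0", "--secure-port=0"]},
    {"name": "controller-manager",
     "command": ["kube-controller-manager", "--use-service-account-credentials=true"]},
]

if __name__ == "__main__":
    for name, policy in evaluate_control_plane(SAMPLE_CONTAINERS):
        print(f"{name}: {policy}")
```

The parser is what makes these checks robust in practice: the same flag may arrive as `--secure-port=0` or as `--secure-port 0`, and a binary may be referenced by full path, so a check that only string-matches one spelling misses real configurations.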