Kubernetes policies in DevOps Config
Summary of Kubernetes policies in DevOps Config
The DevOps Config Policy content pack provides a predefined set of Kubernetes policies designed to validate Kubernetes configuration within ServiceNow DevOps environments. These policies help ensure security best practices, resource management, and compliance in Kubernetes clusters by checking various configuration parameters and settings.
Note that starting with the Washington D.C. release, DevOps Config will be deprecated and hidden for new instances, though support will continue. The default policies cannot be modified directly but can be copied and customized to suit specific organizational requirements.
Key Features
- Security Enforcement: Policies verify security configurations such as running containers as non-root users, dropping unnecessary capabilities, preventing privilege escalation, ensuring read-only root file systems, and configuring seccomp profiles to restrict dangerous system calls.
- API Server and Component Settings: Checks include ensuring admission control plugins like AlwaysPullImages are enabled, disabling basic authentication files, enforcing secure bind addresses, and verifying HTTPS is used for kubelet communication.
- Resource Management: Policies validate that CPU and memory requests are within defined limits to promote efficient resource utilization.
- Access Controls: Role-Based Access Control (RBAC) rules are validated to prevent use of wildcards which could grant excessive permissions.
- Container Configuration Checks: Includes verifying image pull policies, preventing Docker daemon socket exposure, and ensuring containers do not run with privileged access or SYSADMIN capabilities.
Practical Application for ServiceNow Customers
ServiceNow customers can leverage these Kubernetes policies to automate validation and governance of Kubernetes cluster configurations within their DevOps pipelines. By applying these policies, customers can proactively detect misconfigurations that could lead to security vulnerabilities, compliance issues, or resource inefficiencies.
Since default policies are immutable, customers should create copies of relevant policies and tailor them to their unique environment and compliance requirements. This approach facilitates continuous enforcement of Kubernetes best practices while integrating seamlessly into ServiceNow’s DevOps workflows.
What to Expect
- Automated compliance checks of Kubernetes configurations aligned with security and operational best practices.
- Reduced risk of misconfiguration-related incidents through early detection in the DevOps lifecycle.
- Ability to customize policy thresholds and checks to better fit organizational policies and standards.
- Support continuity despite the planned deprecation of DevOps Config in future releases, ensuring current users can maintain their validation processes.
By default, the DevOps Config Policy content pack contains a set of policies to validate your Kubernetes configuration.
Always Pull Images Admission Control Plugin Is Enabled (container_always_pull_images_plugin_is_enabled)
Checks whether the AlwaysPullImages admission controller plugin is enabled for the Kubernetes API server.
Results in a non-compliant status when the AlwaysPullImages plugin is not listed in the --enable-admission-plugins argument of the kube-apiserver command.
Basic Auth File Isn't Set (container_basic_auth_file_is_not_set)
Checks whether the Kubernetes API server is not using the basic user authentication mechanism.
Results in a non-compliant status when the --basic-auth-file argument is specified for a container when using the kube-apiserver command.
Bind Address Isn't Set (container_bind_address_not_set_to_localhost)
Checks whether the bind address of the Kubernetes scheduler or Kubernetes controller manager is not 127.0.0.1.
Results in a non-compliant status when the --bind-address argument is set to 127.0.0.1 for a container when using the kube-controller-manager or kube-scheduler command.
Containers Don't Run With Low UID (container_uid_minimum_limit)
Checks whether the UID of each container within a Kubernetes pod is greater than or equal to the specified minimum UID value.
Results in a non-compliant status if the UID defined for a container is less than the minimum UID value. If no UID is defined for a container, the UID of the associated pod is validated instead.
- Input argument: min_uid
  - Description: The minimum UID value required for the containers in a pod.
  - Default value: 10000
  - Type: Integer
  - Mandatory: False
Containers Require Drop Capabilities (container_requires_drop_capabilities)
Checks whether the drop capabilities are defined for containers within a Kubernetes pod.
Results in a non-compliant status when the drop capabilities for a container are not defined.
Containers Run as a Non-Root User (container_run_as_nonroot_user)
Checks whether the containers within a Kubernetes pod run only as a non-root user to limit the exploitability of security misconfiguration and to restrict an attacker's possibilities in case of compromise.
Results in a non-compliant status when the runAsNonRoot key for a container is set to false or the user ID (UID) of a container is zero.
Containers Run Without Privilege Access (container_is_not_privileged)
Checks whether the containers within a Kubernetes pod are run without privileged access.
Results in a non-compliant status when the privileged field for a container is set to true.
Containers Run Without Sys Admin Capability (container_is_without_sys_admin_capability)
Checks whether the containers within a Kubernetes pod are run without the SYS_ADMIN capability.
Results in a non-compliant status when the SYS_ADMIN capability is assigned to a container.
CPU Requests Are Within Limits (container_cpu_request_within_limits)
Checks whether the containers within a Kubernetes pod are requesting central processing unit (CPU) resources within the specified CPU limit.
Results in a non-compliant status when either the limits.cpu key is not defined or the value of the requests.cpu key exceeds the value of the limits.cpu key.
Docker Daemon Socket Isn't Exposed (docker_daemon_socket_not_exposed)
Checks whether the Docker daemon socket is not exposed to containers.
Results in a non-compliant status when the hostPath.path key for a volume is set to /var/run/docker.sock.
Image Pull Policy Is Always (container_imagePullPolicy_is_always)
Checks whether the imagePullPolicy field for each container within a Kubernetes pod is set to Always.
Results in a non-compliant status if the imagePullPolicy field is not defined or is set to a value other than Always.
Insecure Bind Address Isn't Set (container_insecure_bind_address_is_not_set)
Checks whether the Kubernetes API server does not bind to an insecure address that otherwise could enable attackers to connect to the server over the insecure port and potentially read sensitive data in transit.
Results in a non-compliant status when the --insecure-bind-address argument is specified when using the kube-apiserver command.
Kubelet HTTPS Is True (container_kubelet_https_is_true)
Checks whether the connections between the Kubernetes API server and the kubelet use the HTTPS protocol to secure data transfer.
Results in a non-compliant status when the --kubelet-https argument is set to false when using the kube-apiserver command.
Memory Requests Are Within Limits (container_memory_request_within_limits)
Checks whether the containers within a Kubernetes pod are requesting memory resources within the specified memory limit.
Results in a non-compliant status when either the limits.memory key is not defined or the value of the requests.memory key exceeds the value of the limits.memory key.
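The CPU and memory policies above compare two Kubernetes quantity strings, which only works once suffixes such as 500m, 0.5, 256Mi and 1G are normalised to a common unit. The following Python is an added example, not code from DevOps Config; the container specs are constructed, and treating a missing request as 0 is an assumption the page does not state.

```python
from fractions import Fraction

# Kubernetes quantity suffixes: decimal (m, k, M, G, T) and binary (Ki, Mi, Gi, Ti)
_SUFFIX = {"": 1, "m": Fraction(1, 1000), "k": 10**3, "M": 10**6, "G": 10**9, "T": 10**12,
           "Ki": 2**10, "Mi": 2**20, "Gi": 2**30, "Ti": 2**40}

def parse_quantity(q):
    """'500m' -> 1/2 CPU, '256Mi' -> 268435456 bytes; exact Fractions so '100m' == '0.1'."""
    q = str(q).strip()
    num = q.rstrip("kKmMGTi")             # peel the suffix letters off the number
    suffix = q[len(num):]
    if suffix not in _SUFFIX:
        raise ValueError(f"unsupported quantity suffix in {q!r}")
    return Fraction(num) * _SUFFIX[suffix]

def check_resource_requests(container):
    """Apply the CPU and memory 'requests are within limits' policies to one container spec."""
    res = container.get("resources", {})
    limits, requests = res.get("limits", {}), res.get("requests", {})
    bad = []
    for kind, policy in (("cpu", "container_cpu_request_within_limits"),
                         ("memory", "container_memory_request_within_limits")):
        if kind not in limits:
            bad.append(policy)            # an undefined limit is itself non-compliant
            continue
        request = parse_quantity(requests.get(kind, "0"))   # assumption: no request means 0
        if request > parse_quantity(limits[kind]):
            bad.append(policy)
    return bad

# Constructed container specs (not from the page)
GOOD = {"name": "api", "resources": {"requests": {"cpu": "250m", "memory": "256Mi"},
                                     "limits": {"cpu": "0.5", "memory": "1Gi"}}}
BAD = {"name": "worker", "resources": {"requests": {"cpu": "2", "memory": "2G"},
                                       "limits": {"cpu": "1500m"}}}
print(check_resource_requests(GOOD), check_resource_requests(BAD))
```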
No Wildcard in the RBAC Rule (rbac_no_wildcard_in_rule)
Checks whether Role and ClusterRole resources avoid wildcards when referring to objects or actions in role-based access control (RBAC) rules.
Results in a non-compliant status when wildcards are used in the apiGroups, resources, or verbs of an RBAC rule.
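The RBAC policy above walks every rule of a Role or ClusterRole and looks at three fields. This Python is an added example of that check, not DevOps Config code; the ClusterRole is constructed. One detail worth keeping straight: an empty string in apiGroups names the core API group and is not a wildcard.

```python
import json

# Constructed ClusterRole (not from the page): rule 0 is scoped, rule 1 uses wildcards.
ROLE = json.loads("""
{"kind": "ClusterRole",
 "metadata": {"name": "ci-deployer"},
 "rules": [
   {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["get", "list", "update"]},
   {"apiGroups": [""], "resources": ["*"], "verbs": ["*"]}]}
""")

def rbac_wildcard_findings(obj):
    """Return (rule index, field) pairs where a Role or ClusterRole rule uses '*'."""
    if obj.get("kind") not in ("Role", "ClusterRole"):
        return []                                    # other kinds are out of scope for this policy
    findings = []
    for i, rule in enumerate(obj.get("rules") or []):
        for field in ("apiGroups", "resources", "verbs"):
            # "" in apiGroups is the core group, so only a literal "*" counts as a wildcard
            if "*" in (rule.get(field) or []):
                findings.append((i, field))
    return findings

def rbac_no_wildcard_in_rule(obj):
    """True when the object is compliant with the policy above."""
    return not rbac_wildcard_findings(obj)

print(rbac_wildcard_findings(ROLE))
```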
Privilege Escalation Not Allowed (container_privilege_escalation_not_allowed)
Checks whether the containers within a Kubernetes pod cannot gain more privileges than their parent process.
Results in a non-compliant status when the allowPrivilegeEscalation key for a container is either set to true or not defined.
Root Containers Admitted (container_read_only_root_file_system)
Checks whether the containers within a Kubernetes pod have the root file system set to read only.
Results in a non-compliant status when the readOnlyRootFilesystem key for a container is not defined or is set to false.
Seccomp Profile Is Configured (container_seccomp_profile_is_configured)
Checks whether the containers within a Kubernetes pod are configured with a secure computing mode (seccomp) profile to restrict potentially dangerous system calls (syscalls).
Results in a non-compliant status when the seccompProfile.type key for a container is either not defined or set to a value other than Localhost or RuntimeDefault.
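The container security-context policies on this page (minimum UID with the pod-level fallback, non-root user, privileged access, drop capabilities, SYS_ADMIN, privilege escalation, read-only root file system and seccomp profile) all read the same securityContext block, so one pass over a parsed manifest can evaluate them together. The Python below is an added example, not DevOps Config code; the pod manifest is constructed, and the rule that a container with no UID at either level produces no finding is an assumption the page does not spell out.

```python
import json

# Constructed pod manifest (not from the page): "web" satisfies every policy; "sidecar" breaks
# several and sets no runAsUser, so the pod-level value (500) is what the UID policy validates.
POD = json.loads("""
{"kind": "Pod",
 "spec": {"securityContext": {"runAsUser": 500},
          "containers": [
            {"name": "web",
             "securityContext": {"runAsNonRoot": true, "runAsUser": 10001,
                                 "allowPrivilegeEscalation": false,
                                 "readOnlyRootFilesystem": true,
                                 "capabilities": {"drop": ["ALL"]},
                                 "seccompProfile": {"type": "RuntimeDefault"}}},
            {"name": "sidecar",
             "securityContext": {"privileged": true,
                                 "capabilities": {"add": ["SYS_ADMIN"]}}}]}}
""")

def check_container_security(pod, min_uid=10000):
    """Return {container name: [ids of the page's policies that are non-compliant]}."""
    pod_sc = pod["spec"].get("securityContext", {})
    findings = {}
    for c in pod["spec"]["containers"]:
        sc = c.get("securityContext", {})
        caps = sc.get("capabilities", {})
        bad = []
        # UID: the container's runAsUser wins; otherwise the pod's runAsUser is validated.
        # Assumption: when neither is set there is nothing to compare, so no finding.
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
        if uid is not None and uid < min_uid:
            bad.append("container_uid_minimum_limit")
        if sc.get("runAsNonRoot") is False or uid == 0:
            bad.append("container_run_as_nonroot_user")
        if sc.get("privileged") is True:
            bad.append("container_is_not_privileged")
        if not caps.get("drop"):
            bad.append("container_requires_drop_capabilities")
        if "SYS_ADMIN" in caps.get("add", []):
            bad.append("container_is_without_sys_admin_capability")
        if sc.get("allowPrivilegeEscalation", True):      # undefined counts as allowed
            bad.append("container_privilege_escalation_not_allowed")
        if not sc.get("readOnlyRootFilesystem", False):    # undefined counts as writable
            bad.append("container_read_only_root_file_system")
        if sc.get("seccompProfile", {}).get("type") not in ("RuntimeDefault", "Localhost"):
            bad.append("container_seccomp_profile_is_configured")
        findings[c["name"]] = bad
    return findings

print(check_container_security(POD))
```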
Service Account Private Key File Is Specified (container_service_account_private_key_file_is_specified)
Checks whether the --service-account-private-key-file argument is specified with the kube-controller-manager command for a container.
Results in a non-compliant status when the --service-account-private-key-file argument is not specified for a container when using the kube-controller-manager command.
Secure Port Isn't Set to Zero (container_secure_port_not_set_to_zero)
Checks whether the Kubernetes API server is not using port 0 for the HTTPS authentication and authorization.
Results in a non-compliant status when the --secure-port argument is set to 0 for a container when using the kube-apiserver command.
Token Auth File Isn't Set (token_auth_file_is_not_set)
Checks whether the Kubernetes API server is not using a static token file for user authentication.
Results in a non-compliant status when the --token-auth-file argument is specified when using the kube-apiserver command.
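The kube-apiserver policies on this page (AlwaysPullImages admission plugin, basic auth file, insecure bind address, kubelet HTTPS, secure port and token auth file) all inspect the command line of the API server container, so they share one flag parser. The Python below is an added example and not DevOps Config code; the static-pod manifest is constructed, and the parser's handling of both --flag=value and --flag value forms is an assumption about how the arguments may be written.

```python
import json

# Constructed control-plane static-pod manifest (not from the page); three settings violate policies.
API_SERVER_POD = json.loads("""
{"kind": "Pod",
 "spec": {"containers": [{
   "name": "kube-apiserver",
   "command": ["kube-apiserver",
               "--enable-admission-plugins=NodeRestriction",
               "--basic-auth-file=/etc/kubernetes/basic_auth.csv",
               "--kubelet-https=false",
               "--secure-port=6443"]}]}}
""")

def parse_flags(argv):
    """Turn '--flag=value' and '--flag value' tokens into {flag: value}; bare flags map to None.
    Single-dash spellings are normalised to '--' so '-kubelet-https=false' is still recognised."""
    flags, i = {}, 1                      # argv[0] is the binary
    while i < len(argv):
        tok = argv[i]
        if tok.startswith("-"):
            key, sep, val = tok.lstrip("-").partition("=")
            if not sep and i + 1 < len(argv) and not argv[i + 1].startswith("-"):
                val, i = argv[i + 1], i + 1   # '--flag value' form
            flags["--" + key] = val if (sep or val) else None
        i += 1
    return flags

def check_apiserver(container):
    """Apply the kube-apiserver policies from this page to one container spec."""
    argv = container.get("command", []) + container.get("args", [])
    if not argv or argv[0].rsplit("/", 1)[-1] != "kube-apiserver":
        return []                         # these policies only apply to the kube-apiserver command
    f, bad = parse_flags(argv), []
    plugins = (f.get("--enable-admission-plugins") or "").split(",")
    if "AlwaysPullImages" not in plugins:
        bad.append("container_always_pull_images_plugin_is_enabled")
    if "--basic-auth-file" in f:
        bad.append("container_basic_auth_file_is_not_set")
    if "--insecure-bind-address" in f:
        bad.append("container_insecure_bind_address_is_not_set")
    if f.get("--kubelet-https") == "false":
        bad.append("container_kubelet_https_is_true")
    if f.get("--secure-port") == "0":
        bad.append("container_secure_port_not_set_to_zero")
    if "--token-auth-file" in f:
        bad.append("token_auth_file_is_not_set")
    return bad

print(check_apiserver(API_SERVER_POD["spec"]["containers"][0]))
```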