Kubernetes Security Posture Management (KSPM)

This topic explains how Kubernetes Security Posture Management (KSPM) is handled in Prevasio, providing detailed insights into identifying, analyzing, and remediating misconfigurations, vulnerabilities, and exposed secrets within your Kubernetes clusters.

Note: See KSPM discovery and scanning for information about onboarding options for your AWS Kubernetes clusters.

Introduction

Kubernetes is a critical container orchestration tool used to manage, scale, and deploy containerized applications. With the growing complexity of Kubernetes environments, users face difficulties in maintaining a secure posture, identifying violations, and mitigating vulnerabilities.

Prevasio currently supports the managed Kubernetes services of AWS (EKS) and Azure (AKS).

Once onboarded, Prevasio discovers all clusters within each of your AWS accounts and Azure subscriptions across all regions.

Scans are conducted using the Prevasio KSPM scan engine, with an ECS task assigned for each scan. Scanning typically takes a few minutes per cluster, depending on configuration.

Prevasio performs continuous monitoring with a scheduled daily job that runs on the target or client account.

Any changes in cluster configurations, such as added or deleted clusters, and updates to vulnerabilities or misconfigurations are reflected daily, ensuring users always have the latest Kubernetes security posture.

Kubernetes related compliance standards

Prevasio tests across a number of Kubernetes-related compliance standards.

For AWS and Azure

Standard

Description

CIS EKS V1.4.0 (AWS only)

Designed to help you accurately assess the security configuration of your Amazon EKS clusters. Primarily focuses on node and pod configuration. To read more, visit the CIS Kubernetes home page.

CIS Kubernetes V1.4.0

Provides good-practice guidance for unmanaged Kubernetes clusters. This is the most comprehensive benchmark, since it covers the Kubernetes control plane as well as containers and pods. To read more, visit the CIS Kubernetes home page.

CISA/NSA Kubernetes V1.0

Assists administrators in securing their Kubernetes environments effectively. Primarily focuses on containers and pods. To read more, visit the U.S. government report guide.

PSS Kubernetes Baseline

Provides ease of adoption for common containerized workloads while preventing known privilege escalations. To read more, visit the Kubernetes.io security policy home page.

PSS Kubernetes Restricted

Enforces current pod hardening best practices, at the expense of some compatibility. To read more, visit the Kubernetes.io security policy home page.
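The two PSS profiles above are the only standards in the table whose rules are stated per pod spec, so they are the easiest to reason about when a KSPM finding says a workload is non-compliant. The checker below is an added example (not Prevasio code and not from the page): it implements a subset of the published Kubernetes Pod Security Standards rules for Baseline and Restricted and runs them over two constructed pod specs, a deliberately weak one beside a hardened one. The rule names, the two sample specs and the `yaml.safe_load`-style dict input are assumptions made for the example; the full PSS profiles contain more rules than are checked here.

```python
"""Subset of the Kubernetes Pod Security Standards (Baseline / Restricted).

Added example, not part of Prevasio. Pod specs are plain dicts, as you would
get from yaml.safe_load() on a manifest's .spec. Only a subset of the
published PSS rules is implemented; rule names are the example's own.
"""

# Capabilities Baseline lets a container add back (per the PSS table).
BASELINE_ALLOWED_CAPS = {
    "AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "MKNOD",
    "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT",
}


def _containers(spec):
    """PSS applies to containers, initContainers and ephemeralContainers alike."""
    for key in ("containers", "initContainers", "ephemeralContainers"):
        for c in spec.get(key) or []:
            yield c


def baseline_violations(spec):
    """Return [(rule, detail)] for Baseline violations in a pod spec dict."""
    found = []
    for field in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(field):
            found.append(("HostNamespaces", f"{field}=true"))
    for c in _containers(spec):
        name = c.get("name", "?")
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            found.append(("PrivilegedContainers", f"container {name}: privileged=true"))
        added = set((sc.get("capabilities") or {}).get("add") or [])
        extra = added - BASELINE_ALLOWED_CAPS
        if extra:
            found.append(("Capabilities", f"container {name}: adds {sorted(extra)}"))
        for port in c.get("ports") or []:
            if port.get("hostPort"):
                found.append(("HostPorts", f"container {name}: hostPort={port['hostPort']}"))
    for vol in spec.get("volumes") or []:
        if "hostPath" in vol:
            found.append(("HostPathVolumes",
                          f"volume {vol.get('name', '?')}: path={vol['hostPath'].get('path')}"))
    return found


def restricted_violations(spec):
    """Restricted = Baseline plus explicit hardening that must be opted into."""
    found = list(baseline_violations(spec))
    pod_sc = spec.get("securityContext") or {}
    for c in _containers(spec):
        name = c.get("name", "?")
        sc = c.get("securityContext") or {}
        # Restricted requires the field to be explicitly false, not just unset.
        if sc.get("allowPrivilegeEscalation") is not False:
            found.append(("AllowPrivilegeEscalation",
                          f"container {name}: allowPrivilegeEscalation must be false"))
        # Pod-level value applies unless the container overrides it.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            found.append(("RunAsNonRoot", f"container {name}: runAsNonRoot must be true"))
        caps = sc.get("capabilities") or {}
        if "ALL" not in (caps.get("drop") or []):
            found.append(("CapabilitiesDropAll", f"container {name}: must drop ALL"))
        if set(caps.get("add") or []) - {"NET_BIND_SERVICE"}:
            found.append(("RestrictedCapabilitiesAdd",
                          f"container {name}: only NET_BIND_SERVICE may be added"))
        seccomp = (sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            found.append(("Seccomp", f"container {name}: seccompProfile.type must be "
                                     "RuntimeDefault or Localhost"))
    return found


# Constructed sample specs for the example (not real workloads).
WEAK_POD = {
    "hostPID": True,
    "containers": [{
        "name": "debug", "image": "example/debug:latest",
        "securityContext": {"privileged": True, "capabilities": {"add": ["SYS_ADMIN"]}},
    }],
    "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
}

HARDENED_POD = {
    "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{
        "name": "app", "image": "example/app:1.0",
        "securityContext": {"allowPrivilegeEscalation": False,
                            "capabilities": {"drop": ["ALL"]}},
    }],
}

if __name__ == "__main__":
    for label, spec in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        for profile, fn in (("baseline", baseline_violations), ("restricted", restricted_violations)):
            print(f"{label}/{profile}: {len(fn(spec))} violation(s)")
            for rule, detail in fn(spec):
                print(f"  {rule}: {detail}")
```

The hardened spec passes both profiles; the weak spec fails Baseline on four rules and Restricted on nine, because Restricted additionally requires the opt-in settings (drop ALL, `allowPrivilegeEscalation: false`, `runAsNonRoot`, a seccomp profile) that the weak spec never sets. That asymmetry is the practical point of the table: a Baseline finding means a pod does something dangerous, while a Restricted finding often means it merely omits a hardening field.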

Work with detected Kubernetes cluster risks

Compliance risks are a key aspect of Prevasio and are surfaced throughout the product.

To view detected Kubernetes cluster risks

Do the following:

  1. In multi-account view, from the left menu in Prevasio, select Compliance > Detected Risks > KSPM.

  2. Click an AccountID to open the risks for the selected cloud account. Notice that Prevasio is now in Single-account mode.

  3. Select the tab of the Kubernetes-related security standard to view detailed risks associated with that standard.

Understanding non-compliant Kubernetes cluster risks

Column

Description

Severity

Indicates the level of risk associated with the non-compliant issue.

Non-Compliance

References the specific security standards or regulations that are not being met. Click the requirement to see the specific standard description and remediation steps (if available).

Region

Specifies the cloud geographic region where the non-compliance issue is located.

Resource

Identifies the specific resource that is non-compliant. Click the resource to open its page in the Kubernetes Security section.

Issue

Describes the misconfiguration, vulnerability or exposed secret issue.

Remediation

Suggests actions to be taken to address the issue.

Read more

A link that provides additional information about the non-compliance issue.

Action

Contains actionable buttons or links:

Suppress (mute) the alert. See Suppressing and unsuppressing alerts.

Export the issue as a Jira ticket. See Export an alert to Jira.

Drill down into a container resource's risks

For Kubernetes clusters

Do the following:

  1. In the left hand menu click Compliance > Detected Risks > KSPM. The KSPM Detected Risks page opens.

  2. Click the resource that you want to investigate further. The page for the selected resource opens.

  3. Review the resource Scan Summary and Resource Details. Within the Resource Details, click the tabs for specific information about misconfigurations, vulnerabilities and exposed secrets.

  4. Take necessary action based on the detailed information provided to address the identified risk.

Drill down into a cluster's risks

To access the Prevasio Kubernetes Security Dashboard

Do the following:

  1. In the left hand menu click Kubernetes Security. The Kubernetes Security Dashboard opens.

In multi-account view, the Prevasio Kubernetes Security Dashboard provides a detailed overview of the security status and vulnerabilities associated with your Kubernetes clusters across all your AWS accounts and Azure subscriptions. This dashboard is designed to help you monitor, assess, and manage security risks effectively. The information is organized into several sections, each offering specific insights into different aspects of Kubernetes security:

Section

Description

Kubernetes Scan Summary

Provides an aggregated view of misconfigurations, vulnerabilities, and secrets found during the latest scans. It lists accounts with the number of issues detected and the date and time of the last scan.

Click on an Account to view detailed risks associated with its Kubernetes clusters.

Risks per Kubernetes-related compliance standard

Provides a detailed overview of the identified risks associated with various Kubernetes compliance standards. Each card in this section represents a specific compliance standard and displays the total number of risks identified for that standard.

Click on a card to open the KSPM Detected Risks page for the selected compliance standard.

Accounts with Clusters

Focuses on accounts that have clusters with vulnerabilities. It includes tabs for different issue types.

Kubernetes Misconfigurations

Presents a summary of misconfigurations detected in your Kubernetes clusters across all accounts.

Click on an Account to view detailed risks associated with its Kubernetes clusters.

To drill down further into an account's Kubernetes cluster risks

Do the following:

  1. In the left hand menu click Kubernetes Security. The Kubernetes Security Dashboard opens.

  2. In the Kubernetes Scan Summary, click an Account. The Kubernetes Clusters Risks page for that account opens.

The Prevasio Kubernetes Clusters Risks page provides an in-depth analysis of the security status for a specific account's Kubernetes clusters. This page is designed to help you drill down into detailed risk information, allowing for precise management and mitigation of vulnerabilities and misconfigurations.

Section

Description

Kubernetes Scan Summary

Provides an overview of the most recent scan results for each of the selected account's Kubernetes clusters. It includes key metrics such as the number of resources scanned, misconfigurations, region, Kubernetes version, last scan date, current state, and status.

Click on a Cluster to view detailed risks associated with it.

Compliance standard

Shows compliance test results for the various Kubernetes standards, with each card representing a different standard and displaying the percentage of tests passed.

Click on a card to open the KSPM Detected Risks page for the selected compliance standard.

Kubernetes Cluster

Focuses on vulnerabilities detected within the cluster. It includes a pie chart visualizing the distribution of vulnerabilities by severity and a detailed list of vulnerabilities. You can switch between tabs to view vulnerabilities and exposed secrets.

Security Issues

Provides a summary of all security issues identified within the cluster, categorized by severity levels such as critical, high, medium, low, informational, and suppressed.

Cluster Components

Lists the different components of the Kubernetes cluster, categorized into Node Components, Workload Management, RBAC API Objects, and Service, Load Balancing, Networking. Each category includes specific items with their respective security statuses and issue counts.

Click on a component to view the detailed risks associated with that component.

View More info

Clicking the More Info button takes you to the cloud provider's website, which provides more information about the risk and how to mitigate it.