Kaspersky Container Security

Kubernetes benchmarks reports

In Kaspersky Container Security, you can generate reports based on the results of checking objects for compliance with the Kubernetes benchmarks.

By default, reports are generated for nodes with all statuses: Passed, Warning, and Failed. To generate a report only for nodes with a specific scan status, click the corresponding status button in the Control status section above the table. Kaspersky Container Security updates the displayed compliance check results, and the report then covers only the nodes with that status.

Depending on the level of detail, the reports can be summary reports or detailed reports.

Kubernetes benchmarks summary report

A summary report provides consolidated information on the selected clusters: the names of the nodes with the specified compliance check status and the date and time of the last check of each node. A report for all nodes also shows how many Kubernetes benchmark checks with the selected statuses were detected during scanning.

Kubernetes benchmark detailed report

A detailed report provides more information about the nodes of the selected cluster or about a specific node of the cluster. Which one you get depends on the subsection of the solution from which you generate the report:

  • A detailed report on the nodes of the selected cluster is created from the table with a list of clusters.
  • A report on a node is generated on the page with the detailed description of that node.

For each node in the cluster selected for the report, the detailed report lists the date and time of the last scan, the number of Kubernetes benchmark checks per scan status, and the individual benchmarks that received the statuses selected before the report was generated.

Kubernetes benchmarks provide configuration baselines and recommendations for securely configuring Kubernetes components and applications, improving protection against cyberthreats. Hardening is the process of eliminating potential risks in order to protect against unauthorized access, denial of service, and other security events.

Example of Kubernetes benchmarks

After checking nodes for compliance with the Kubernetes benchmarks, Kaspersky Container Security can display recommendations related to security requirements, for example:

  • Control Plane Components
    • Control Plane Node Configuration Files
      • Ensure that the API server pod specification file permissions are set to 644 or more restrictive.
      • Ensure that the API server pod specification file ownership is set to root:root.
    • API Server
      • Ensure that the --anonymous-auth argument is set to false.
      • Ensure that the --token-auth-file parameter is not set.
    • Controller Manager
      • Ensure that the --terminated-pod-gc-threshold argument is set as appropriate.
      • Ensure that the --profiling argument is set to false.
  • etcd
    • Ensure that the --cert-file and --key-file arguments are set as appropriate.
    • Ensure that the --client-cert-auth argument is set to true.
  • Control Plane Configuration
    • Authentication and Authorization
      • Client certificate authentication should not be used for users.
    • Logging
      • Ensure that a minimal audit policy is created.
      • Ensure that the audit policy covers key security concerns.
  • Worker Nodes
    • Worker Node Configuration Files
      • Ensure that the kubelet service file permissions are set to 644 or more restrictive.
      • Ensure that the kubelet service file ownership is set to root:root.
  • Policies
    • Role-Based Access Control and Accounts
      • Ensure that the cluster-admin role is only used where required.
      • Minimize access to secrets.
    • Pod Security Policies
      • Minimize the admission of privileged containers.
    • Network Policies and CNI
      • Ensure that the CNI in use supports Network Policies.
      • Ensure that all namespaces have Network Policies defined.
    • Secrets Management
      • Prefer using secrets as files over secrets as environment variables.
      • Consider external secret storage.

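To show what stands behind recommendations such as "file permissions are set to 644 or more restrictive" or "the --anonymous-auth argument is set to false", the following script performs equivalent node-side checks and prints a Passed/Failed line per control with a failure count, in the spirit of the report described above. This is an added example, not Kaspersky Container Security code and not the product's own check logic: the file paths, the kube-apiserver and etcd command lines, and the temporary files are constructed for the demo, and the script assumes GNU coreutils (stat -c). A real audit would read the static pod manifests under /etc/kubernetes/manifests and the running process command lines instead.

```shell
#!/bin/sh
# Added example (not part of Kaspersky Container Security): node-side checks
# mirroring several Kubernetes benchmark items, with a Passed/Failed summary.
# Sample command lines and files below are constructed for the demo.
# Assumes GNU coreutils (stat -c).

# "644 or more restrictive": the file may not carry any permission bit that
# 644 lacks. $1 = file, $2 = allowed mode in octal (e.g. 644). Exit 0 if compliant.
perm_at_most() {
    actual=$(stat -c '%a' "$1") || return 2
    [ $(( 0$actual & ~0$2 )) -eq 0 ]
}

# Ownership by numeric uid:gid (root:root is 0:0), which also works where
# /etc/passwd is incomplete. $1 = file, $2 = "uid:gid".
owner_is() {
    [ "$(stat -c '%u:%g' "$1")" = "$2" ]
}

# Print the value of "--flag=value" from a command line ($2); the last
# occurrence wins, as it does for kube-apiserver. Exit 1 when the flag is absent.
flag_value() {
    printf '%s\n' "$2" | tr ' ' '\n' | sed -n "s/^$1=//p" | tail -n 1 | grep .
}

# kube-apiserver: an absent --anonymous-auth defaults to true, so only an
# explicit "false" passes this check.
check_anonymous_auth()     { [ "$(flag_value --anonymous-auth "$1")" = "false" ]; }
# Static token authentication must not be configured at all.
check_no_token_auth_file() { ! flag_value --token-auth-file "$1" >/dev/null; }
# etcd: both TLS files present, and client certificate authentication enforced.
check_etcd_tls_files()     { flag_value --cert-file "$1" >/dev/null && flag_value --key-file "$1" >/dev/null; }
check_client_cert_auth()   { [ "$(flag_value --client-cert-auth "$1")" = "true" ]; }

# Run one check, print its status in report style, and count failures.
# Usage: report "<control text>" <check function> <args...>
FAILED=0
report() {
    ctl=$1; shift
    if "$@" 2>/dev/null; then echo "Passed  $ctl"; else echo "Failed  $ctl"; FAILED=$((FAILED + 1)); fi
}

# Constructed sample inputs (not captured from a real cluster).
APISERVER_CMD='kube-apiserver --advertise-address=10.0.0.1 --anonymous-auth=false --authorization-mode=Node,RBAC --profiling=false'
ETCD_CMD='etcd --cert-file=/etc/kubernetes/pki/etcd/server.crt --key-file=/etc/kubernetes/pki/etcd/server.key --client-cert-auth=false'

# Audit the constructed inputs plus two temporary files standing in for the
# manifests; leaves the number of failed controls in FAILED (2 for this input).
demo() {
    FAILED=0
    good=$(mktemp); chmod 600 "$good"    # 600 is more restrictive than 644
    bad=$(mktemp);  chmod 664 "$bad"     # group-writable: fails the 644 check
    me="$(id -u):$(id -g)"               # stand-in for 0:0 so the demo is deterministic when not run as root
    report "API server pod specification file permissions are 644 or more restrictive" perm_at_most "$good" 644
    report "kubelet service file permissions are 644 or more restrictive"              perm_at_most "$bad" 644
    report "API server pod specification file ownership is root:root (demo: current uid:gid)" owner_is "$good" "$me"
    report "--anonymous-auth argument is set to false"                                 check_anonymous_auth "$APISERVER_CMD"
    report "--token-auth-file parameter is not set"                                    check_no_token_auth_file "$APISERVER_CMD"
    report "--cert-file and --key-file arguments are set"                              check_etcd_tls_files "$ETCD_CMD"
    report "--client-cert-auth argument is set to true"                                check_client_cert_auth "$ETCD_CMD"
    rm -f "$good" "$bad"
    echo "Summary: $FAILED failed"
}

demo
```

The permission check is deliberately a bitmask comparison rather than a numeric one: 600 is "more restrictive" than 644 even though it is a smaller number, while 700 is not, because the owner execute bit is absent from 644. Likewise, a missing --anonymous-auth flag is reported as Failed rather than as unknown, since the API server's default for that flag is true.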