Elastic Docs Elastic Security Solution [8.13] Cloud native security
« Frequently asked questions (FAQ) Get started with KSPM »

Kubernetes security posture managementedit

Overviewedit

The Kubernetes Security Posture Management (KSPM) integration allows you to identify configuration risks in the various components that make up your Kubernetes cluster. It does this by evaluating your Kubernetes clusters against secure configuration guidelines defined by the Center for Internet Security (CIS) and generating findings with step-by-step instructions for remediating potential security risks.

This integration supports Amazon EKS and unmanaged Kubernetes clusters. For setup instructions, refer to Get started with KSPM.

Requirements

How KSPM worksedit

  1. When you add a KSPM integration, it generates a Kubernetes manifest. When applied to a cluster, the manifest deploys an Elastic Agent as a DaemonSet to ensure all nodes are evaluated.
  2. Upon deployment, the integration immediately assesses the security posture of your Kubernetes resources. The evaluation process repeats every four hours.
  3. After each evaluation, the integration sends findings to Elasticsearch. Findings appear on the Cloud Security Posture dashboard and the findings page.

Use casesedit

The KSPM integration helps you to:

  • Identify and remediate failed findings
  • Identify the most misconfigured resources
  • Identify risks in particular CIS benchmark sections

Identify and remediate failed findingsedit

To identify and remediate failed failed findings:

  1. Go to the Cloud Security Posture dashboard.
  2. Click View all failed findings, either for an individual cluster or for all monitored clusters.
  3. Click a failed finding. The findings flyout opens.

  4. Follow the steps under Remediation to correct the misconfiguration.

    Remediation steps typically include commands for you to execute. These sometimes contain placeholder values that you must replace before execution.

Identify the most misconfigured Kubernetes resourcesedit

To identify the Kubernetes resources generating the most failed findings:

  1. Go to the Findings page.
  2. Click the Group by menu near the search box and select Resource to view a list of resources sorted by their total number of failed findings.
  3. Click a resource ID to view the findings associated with that resource.

Identify configuration risks by CIS sectionedit

To identify risks in particular CIS sections:

  1. Go to the Cloud Security Posture dashboard (Dashboards → Cloud Security Posture).
  2. In the Failed findings by CIS section widget, click the name of a CIS section to view all failed findings for that section.

Alternatively:

  1. Go to the Findings page.
  2. Filter by the rule.section field. For example, search for rule.section : API Server to view findings for benchmark rules in the API Server category.
« Frequently asked questions (FAQ) Get started with KSPM »