Detect real-time malicious behavior in Kubernetes clusters

Learn why CISOs at the fastest growing companies choose Wiz to secure their Kubernetes workloads.

What is KSPM?

Kubernetes Security Posture Management (KSPM) is the practice of monitoring, assessing, and ensuring the security and compliance of Kubernetes environments.

7 minutes read

What is Kubernetes Security Posture Management?

Kubernetes Security Posture Management (KSPM) is the practice of monitoring, assessing, and ensuring the security and compliance of Kubernetes environments, especially in the face of the increasing complexity and scale of Kubernetes deployments.  

Containers are the spine of the Kubernetes ecosystem. Hence, container security is critical to strong KSPM. Researchers with the Shadowserver Foundation have discovered more than 380,000 open Kubernetes API servers exposed on the Internet. That represents 84% of all global Kubernetes API instances observable online. 

The entire Kubernetes infrastructure—APIs, control planes, clusters and containers—benefit from a strong security posture. Consider the below overview of how each component will be configured if KSPM is implemented: 

  • APIs will be configured with bearer tokens that ensure RBAC implementation, securing the transport layer. Node authorization also becomes enforced to authorize API requests from kubelets and only grant read access when all signals are green. 

  • Nodes: NodeRestriction will be implemented to prevent unauthorized kubelet modifications to nodes and pods. NodeRestriction enables kubelets to ONLY modify node and pod API objects with the same credentials as theirs. In cases of attack, NodeRestriction can also restrict workload assignment from the scheduler to compromised nodes to prevent the spread of malware.

  • Due to the centrality of the control plane, it is a principal area of vulnerability in the Kubernetes environment. Its components (i.e., the kube-scheduler, kube-apiserver, kube-controller-manager and etcd) are foundational to the smooth running of the K8s ecosystem. For example, unauthorized access to the etcd—which stores the state of K8S clusters and manages configuration and metadata—equals total control of the entire cluster. Therefore, a strong security posture means restricting node access to the etcd, encrypting data at rest in the etcd, and ensuring secure API server requests to it.

Why KSPM should be a part of your cloud security strategy

Kubernetes is a cloud of its own and can be complex to apprehend, requiring continuous monitoring to ensure visibility into clusters and their configurations, networks, and identities. KSPM helps deconstruct the complexities associated with protecting the K8s infrastructure against three common risks in the table below.

RiskDescription
Misconfiguration risksKubernetes is a complex ecosystem with several components. So, it's easy to misconfigure one or more parts of the ecosystem. For example, you could expose the APIs to the internet without your knowledge and this is a backdoor that attackers could exploit.
Vulnerability risksThe container image and Host OS can only be accessed by local users. Users (with rightly given root access) can modify several writable components of the Kubernetes cluster and kernel memory via these two. If attackers gain access to the container image and Host OS, they can inject malware, predisposing the organizations’ applications to corruption or total deletion.
Access control and identity management risksKubernetes environments involve various roles and users, including developers, operators, and administrators. Without proper access controls and identity management, unauthorized users can gain access to resources, compromising the integrity and security of the cluster. A poorly configured RBAC and a weak or misconfigured authentication mechanism can grant users more privileges than necessary, exposing the Kubernetes API and control plane.

How KSPM works

A KSPM solution should help cover every stage of the development lifecycle

KSPM is not a stand-alone solution, it functions as part of a CNAPP platform to enable full visibility and context into the entire container environment and the underlying cloud. KSPM employs a series of cluster monitoring and assessment steps. Here are the key steps involved:

  • Visibility: The first step in KSPM is to get a complete view of the Kubernetes cluster and its components to gain a real-time understanding of the state of the cluster and its several dependencies. 

Example of a Kubernetes cluster visualization
  • Continuous monitoring: This step involves gathering information about applications'  Kubernetes security posture by automatically scanning the Kubernetes ecosystem and collecting data (e.g. unimplemented or misconfigured access policies, vulnerable container and cluster components, etc.).

  • Risk identification and assessment: KSPM tools then analyze the collected data to look for potential security risks, misconfigurations, and vulnerabilities within the Kubernetes infrastructure by comparing configurations against security best practices.

  • Rules-based analysis: Next, KSPM uses a set of built-in rules to evaluate the collected data. These rules cover various areas, including access management (via RBAC and other authentication mechanisms), network segmentation (used to control inbound and outbound pod-to-pod traffic in the cluster), container security (used to isolate nodes, verify container images, and secure runtimes), and compliance standards like CIS Kubernetes benchmarks. KSPM tools apply these rules to identify deviations or violations from the recommended best practices.

Example of Kubernetes rules-based analysis
  • Alerts and notifications: When the KSPM solution identifies any security risk (e.g. misconfiguration), it alerts the appropriate department. For instance, if sensitive data is contained in the exposed container writable layer, the DevOps team is alerted to quickly  move the data into tamper-proof databases. 

Example security risk alerting the user of a data exfiltration attempt from a S3 bucket originating from an EKS container
  • Visualization and reporting: KSPM provides visualization and reporting tools, including dashboards for end-to-end visibility into Kubernetes and visual representations of cluster components, security metrics, and compliance status. Depending on the industry, organizations must comply with benchmarks guiding the security of pockets (such as Kubernetes clusters) in which data is saved and transmitted. Examples of such benchmarks and frameworks include the CIS benchmark, NIST benchmark, the HIPAA framework, and the PCI-DSS framework. 

Example of a CIS EKS 1.3.0 Benchmark
  • Remediation and recommendations: If any security risks or misconfigurations are found, the KSPM solution will have actionable recommendations for remediation. These may include suggesting changes to RBAC policies, network configurations, or container security controls. Automated remediation will swiftly resolve certain issues or guide developers on necessary rectification protocols.

KSPM vs. CSPM

Kubernetes Security Posture Management and Cloud Security Posture Management (CSPM) are two distinct but equally important concepts in cloud security. KSPM may be considered an aspect of CSPM since Kubernetes is often deployed in the cloud. However, whether KSPM is considered an aspect of CSPM or not, organizations that use Kubernetes for container management need KSPM solutions to secure their Kubernetes infrastructure. 

CSPM aims to secure the entire cloud environment, including various services and resources. It involves managing the security of cloud-native infrastructure, such as virtual machines, databases, storage, and networking components. CSPM offers comprehensive visibility into the cloud environment, identifies misconfigurations and vulnerabilities, provides compliance assessments against industry standards, and offers remediation capabilities specific to the cloud services used.

KSPM, on the other hand, focuses on securing the Kubernetes clusters. It offers practices and tools that help detect and address security risks and vulnerabilities within the Kubernetes infrastructure. KSPM provides visibility into RBAC, workloads, nodes, and the Kubernetes API, making it possible to continuously monitor and assess the security posture. Its features include compliance assessments, defining cluster security policies, custom rules, and remediation capabilities specific to Kubernetes deployments.

Pro tip

There are a number of open-source security tools that organizations can leverage in areas like compliance and configuration scanners, runtime security and threat detection, policy management and enforcement, network security, exploit detection.

Check out our post on the top 11 open-source Kubernetes security tools

What to look for in a KSPM solution

While the individual features of a KSPM solution are important, the value is significantly amplified when that solution operates within the broader context of a CNAPP.  

CNAPP integrates both runtime and posture management for cloud-native applications. Instead of treating security measures as separate concerns, CNAPP provides a holistic view that encompasses both preventive measures and active threat detection. Within this context, KSPM becomes one of the many interconnected pieces.

Once you’ve determined that a KSPM offering is part of a larger CNAPP solution, you can then consider the specific features. The following are key features to consider when choosing a KSPM solution for effective security management and industry compliance. 

1. Continuous monitoring

Example visualization of an overprivileged Kubernetes service account attack path

Opt for a KSPM solution that provides real-time visibility into RBAC configurations, workloads, nodes, and the Kubernetes API, so you can promptly detect and respond to potential security risks. For instance, the solution must be able to check and ensure that APIs are configured with bearer tokens to enable the implementation of RBAC.

2. Compliance assessments

An example of a baseline compliance assessment against Kubernetes Pod Security Standards

Choose a KSPM solution that offers built-in industry security standards and compliance framework checks, such as CIS benchmarks or GDPR, HIPAA, and PCI-DSS regulations. The solution should also provide comprehensive reports and recommendations. For example, to ensure compliance with regulatory standards on data encryption, the chosen KSPM solution must be able to assess and ensure that TLS is enabled whenever an ingress controller is instantiated. 

3. Defining cluster security policies

The ability to define access control, network, and container security policies and tailor them to your specific needs aids the consistency of security policies across your entire Kubernetes infrastructure. You can define policies around preconfigured parameters such as privileges, and system modifications, or edit these parameters to create new need-focused ones.

4. Built-in rules

Look for a solution that offers a wide range of built-in security checks such as authentication and authorization, as well as pod and network security checks, to cover common vulnerabilities and best practices. For example, the KSPM solution must be able to verify and implement appropriate pod security policies for all namespaces in the K8s environment.

5. Remediation

An example of specific remediation guidance for EKS logging misconfiguration

Prioritize KSPM solution that reveals security issues and offers actionable recommendations for remediation. Check for automated or guided remediation features that help you streamline the resolution process and minimize potential security risks.

6. The ability to validate third-party configurations

It’s common to integrate Kubernetes with various third-party tools and services. Choose a KSPM solution that can validate YAML files and resources configurations and assess the security of these integrations before they reach cluster or production. 

A few simple KSPM best practices

To make the most of KSPM, follow these best practices:

  1. Use KSPM as part of a more extensive container security architecture to cover the full lifecycle of containers. 

  2. Perform regular scans of your Kubernetes environment using KSPM.

  3. Keep your KSPM rules and policies up to date to protect against new threats and have access to the latest security features and enhancements.

  4. Categorize risks identified by KSPM scans to prioritize and handle the most critical vulnerabilities.

  5. Use RBAC in KSPM for access control.

  6. Regularly audit cluster configurations to ensure compliance.

  7. Enable real-time monitoring and alerts in KSPM for proactive threat detection.

  8. Conduct vulnerability assessments using KSPM to identify and patch security flaws.

  9. Provide security awareness training to personnel managing the cluster.

Pro tip

Once a build has been approved, Kubernetes environments, container hosts, and clusters 
 should be hardened using Open Policy Agent (OPA)-based configuration rules and Kubernetes admission policies.

Learn more

Does your CNAPP offer KSPM?

Determining whether a KSPM solution is right for your organization requires a careful evaluation of your specific needs. As mentioned earlier, KSPM should be considered as just one piece of a broader CNAPP tool. 

With a CNAPP solution that embeds KSPM, you can achieve: 

  • Holistic Security: By being a part of CNAPP, a Kubernetes security posture management solution can work in synergy with other security tools and mechanisms, providing an integrated security experience.

  • Context-Aware Security: CNAPPs have the advantage of understanding the broader context of cloud-native operations. This means the security decisions and alerts generated are more contextual and less prone to false positives.

  • Uniform Policy Enforcement: A CNAPP platform will detect policy violations, ensuring that the security policies enforced are consistent across the entire cloud-native stack, be it at the container, orchestration, or service mesh layer.

  • Continuous Security: CNAPPs focus on continuous security, ensuring that as applications evolve and as the environment changes, the security measures adapt in real-time.

  • End-to-end Visibility: By ensuring your Kubernetes security solution is part of a CNAPP, you get a comprehensive view of your entire application stack, from code to container to runtime.

  • Ease of Management: A unified platform reduces the complexities associated with managing multiple, disparate security tools. By having Kubernetes security posture as part of CNAPP, you benefit from centralized management, updates, and monitoring.

Kubernetes comes with a lot of small blocks and in each one can be a new security breach. So, we have to step in and use Wiz at a smaller level, to be sure each one of the deployments will still be compliant with the security rules.

Mael Louvet, Cloud Expertise Manager, Bouygues Telecom

Wiz can show you firsthand how an integrated KSPM solution can benefit your Kubernetes environment and improve your organization’s overall security posture. Schedule a personalized demo with Wiz today.

Empower your developers to be more productive, from code to production

Learn why the fastest growing companies choose Wiz to secure containers, Kubernetes, and cloud environments from build-time to real-time.

Get a demo 

Continue reading

What Is Shadow IT? Causes, Risks, and Examples

Wiz Experts Team

Shadow IT is an employee’s unauthorized use of IT services, applications, and resources that aren’t controlled by—or visible to—an organization’s IT department.

What is API Security?

API security encompasses the strategies, procedures, and solutions employed to defend APIs against threats, vulnerabilities, and unauthorized intrusion.

What is Data Classification?

Wiz Experts Team

In this post, we’ll explore some of the challenges that can complicate cloud data classification, along with the benefits that come with this crucial step—and how a DSPM tool can help make the entire process much simpler.