Kubernetes Posture Management
Qualys K8s Posture Management with the help of Cluster Sensor, supports Policy evaluation based on the CIS Benchmarks offered by various Cloud Providers. You can spot vulnerabilities in your controls, enforce security hardening policies, and maintain ongoing compliance across both hybrid and managed Kubernetes environments. Your data is saved as a Control file. The Cluster Sensor uses this Control file and carries out a scan using CIS compliance.
Container Security > Posture > Kubernetes Posture shows the details of K8s Posture Controls present in your environment.
Currently, Qualys offers more than 200 controls for your K8s posture evaluation.
The sections marked in above screenshots are explained below.
1. Quick Filters
This section consists of the following sections.
- Total Control Count - This tile shows the total number of controls present in your account.
- POLICY - Gives you a quick overview of the policies used for evaluation and their count.
- CLUSTER NAME - Indicates the names of the clusters.
2. Dashboard
The section gives you the health of your environment.
- TOTAL EVALUATIONS: Indicates the number of policies evaluated as per their status - Pass, Skipped, and Fail.
- FAILURES BY CRITICALITY: Indicates the number of policy failures based on their criticality.
3. List Section
This section lists all images in your environment along with their details.
| Column | Description |
| CID | Indicates a unique identifier assigned to a specific security control or check that KSPM tools use to assess the security posture of a Kubernetes environment. It is the ID number of a security control inside your KSPM framework. For example, CID-45237 (CIS GKE Compliance) - Ensures the master authorized networks is configured on GKE clusters. |
| CONTROL NAME | Indicates the title of the specific policy. |
| CRITICALITY | Indicates the criticality of the scanned K8s clusters in your environment. |
| SECURITY POSTURE | Indicates number of vulnerabilities in your environment. |
You can click on a control name to see more details about it.
1. Details Section
| Name | Description |
| Manual Remediation | Provides remediation steps associated with that control. |
| Criticality | Indicates criticality level of the CID. |
| Evaluation | Indicates evaluation result. |
2. List Section
This section list all resources evaluated against the control.
| Column | Description |
| RESOURCE | Indicates resource name present on your cluster. |
| TYPE | Indicates resource type. Examples: Node, POD, Daemonset and so on. |
| ACCOUNT ID | Indicates account id of your cloud provider. |
| CLUSTER NAME | Indicates name of the cluster against which the policy is evaluated. |
| EVALUATED ON | Indicates the time at which the policy was evaluated. |
| RESULT | Indicates result of the policy evaluation. Valid values: Pass, Fail |
| EVIDENCE | Shows the evidence of the evaluation. |
Supported Cloud Providers and CIS Benchmark Policies
Qualys K8s Posture Management currently supports the following Cloud Providers.
| Cloud Provider | Qualys K8s Posture Management Support | Supported CIS Benchmark Version | |
| Azure | Supported | CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0, and v1.6.0 (Default) | |
| AWS | Supported | CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.2.0, and v1.6.0 (Default) | |
| GCP | GKE Standard Cluster | Supported | CIS Google Kubernetes Engine (GKE) Benchmark v1.2.0, and v1.7.0 (Default) |
| GKE Autopilot | Not supported | - | |
| Self-managed K8s | Supported | CIS Kubernetes Benchmark v1.0.1, and v1.10.0 (Default) | |
| Openshift | Supported | CIS Red Hat Openshift Container Platform V1.7.0 | |
| OCI | Not supported | - | |