Kubernetes Posture Management

Qualys K8s Posture Management, with the help of the Cluster Sensor, supports policy evaluation based on the CIS Benchmarks published for various cloud providers. You can spot weaknesses in your controls, enforce security hardening policies, and maintain ongoing compliance across both hybrid and managed Kubernetes environments. The control data is saved as a Control file, which the Cluster Sensor uses to carry out the CIS compliance scan.

Container Security > Posture > Kubernetes Posture shows the details of K8s Posture Controls present in your environment.

Currently, Qualys offers more than 200 controls for your K8s posture evaluation.

The sections marked in the above screenshots are explained below.

1. Quick Filters

This section consists of the following tiles.

  • Total Control Count - This tile shows the total number of controls present in your account.
  • POLICY - Gives you a quick overview of the policies used for evaluation and their count.
  • CLUSTER NAME - Indicates the names of the clusters.

2. Dashboard

This section gives you the health of your environment.

  • TOTAL EVALUATIONS: Indicates the number of policies evaluated as per their status - Pass, Skipped, and Fail.
  • FAILURES BY CRITICALITY: Indicates the number of policy failures based on their criticality.

3. List Section

This section lists all controls in your environment along with their details.

  Column - Description
  • CID - Indicates a unique identifier assigned to a specific security control or check that KSPM tools use to assess the security posture of a Kubernetes environment. It is the ID number of a security control inside your KSPM framework. For example, CID-45237 (CIS GKE Compliance) - Ensures the master authorized networks is configured on GKE clusters.
  • CONTROL NAME - Indicates the title of the specific policy.
  • CRITICALITY - Indicates the criticality of the scanned K8s clusters in your environment.
  • SECURITY POSTURE - Indicates the number of vulnerabilities in your environment.

You can click on a control name to see more details about it.

1. Details Section

  Name - Description
  • Manual Remediation - Provides the remediation steps associated with that control.
  • Criticality - Indicates the criticality level of the CID.
  • Evaluation - Indicates the evaluation result.

2. List Section

This section lists all resources evaluated against the control.

  Column - Description
  • RESOURCE - Indicates the name of the resource present on your cluster.
  • TYPE - Indicates the resource type. Examples: Node, Pod, DaemonSet, and so on.
  • ACCOUNT ID - Indicates the account ID of your cloud provider.
  • CLUSTER NAME - Indicates the name of the cluster against which the policy is evaluated.
  • EVALUATED ON - Indicates the time at which the policy was evaluated.
  • RESULT - Indicates the result of the policy evaluation. Valid values: Pass, Fail.
  • EVIDENCE - Shows the evidence of the evaluation.

Supported Cloud Providers and CIS Benchmark Policies

Qualys K8s Posture Management currently supports the following cloud providers and CIS Benchmark versions.

  Cloud Provider - Qualys K8s Posture Management Support - Supported CIS Benchmark Version
  • Azure - Supported - CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 and v1.6.0 (Default)
  • AWS - Supported - CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.2.0 and v1.6.0 (Default)
  • GCP GKE Standard Cluster - Supported - CIS Google Kubernetes Engine (GKE) Benchmark v1.2.0 and v1.7.0 (Default)
  • GKE Autopilot - Not supported - none
  • Self-managed K8s - Supported - CIS Kubernetes Benchmark v1.0.1 and v1.10.0 (Default)
  • OpenShift - Supported - CIS Red Hat OpenShift Container Platform Benchmark v1.7.0
  • OCI - Not supported - none