Kubernetes security posture management
Overview
The Kubernetes Security Posture Management (KSPM) integration allows you to identify configuration risks in the various components that make up your Kubernetes cluster. It does this by evaluating your Kubernetes clusters against secure configuration guidelines defined by the Center for Internet Security (CIS) and generating findings with step-by-step instructions for remediating potential security risks.
This integration supports Amazon EKS and unmanaged Kubernetes clusters. For setup instructions, refer to Get started with KSPM.
Requirements
- KSPM only works in the Default Kibana space. Installing the KSPM integration in a different Kibana space will not work.
- KSPM is not supported on EKS clusters in AWS GovCloud (request support).
- To view posture data, ensure you have a user role that can read the following Elasticsearch indices:
  - logs-cloud_security_posture.findings_latest-*
  - logs-cloud_security_posture.scores-*
  - logs-cloud_security_posture.findings
How KSPM works
- When you add a KSPM integration, it generates a Kubernetes manifest. Applying the manifest to a cluster deploys Elastic Agent as a DaemonSet, so that every node is evaluated.
- Upon deployment, the integration immediately assesses the security posture of your Kubernetes resources. The evaluation then repeats every four hours.
- After each evaluation, the integration sends findings to Elasticsearch. Findings appear on the Cloud Security Posture dashboard and the Findings page.
Use cases
The KSPM integration helps you to:
- Identify and remediate failed findings
- Identify the most misconfigured resources
- Identify risks in particular CIS benchmark sections
Identify and remediate failed findings
To identify and remediate failed findings:
- Go to the Cloud Security Posture dashboard.
- Click View all failed findings, either for an individual cluster or for all monitored clusters.
- Click a failed finding. The findings flyout opens.
- Follow the steps under Remediation to correct the misconfiguration.
Remediation steps typically include commands for you to execute. These sometimes contain placeholder values that you must replace before running them, so review each command before executing it on a cluster node.
Identify the most misconfigured Kubernetes resources
To identify the Kubernetes resources generating the most failed findings:
- Go to the Findings page.
- Click the Group by menu near the search box and select Resource to view a list of resources sorted by their total number of failed findings.
- Click a resource ID to view the findings associated with that resource.
Identify configuration risks by CIS section
To identify risks in particular CIS sections:
- Go to the Cloud Security Posture dashboard.
- In the Failed findings by CIS section widget, click the name of a CIS section to view all failed findings for that section.
Alternatively:
- Go to the Findings page.
- Filter by the rule.section field. For example, search for rule.section : API Server to view findings for benchmark rules in the API Server category.
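The three procedures above (remediating failed findings, ranking resources by failed findings, and filtering by CIS section) can also be run directly against the findings documents, which is useful when you want to script triage or feed the results into a ticketing system. The following is an added example and is not Elastic's code. Only `rule.section` is named on this page; `result.evaluation`, `resource.id`, `rule.name` and `rule.remediation` are assumed field names modelled on documents in `logs-cloud_security_posture.findings_latest-*`, and the angle-bracket placeholder style is likewise an assumption. All sample findings are constructed for the example.

```python
"""
Triage KSPM findings the way the Findings page does: rank resources by failed
findings, break failed findings down by CIS section, and flag remediation
commands that still contain placeholders you must fill in before running them.

Added example; not Elastic's code. `rule.section` is the field named on the
KSPM page. `result.evaluation`, `resource.id`, `rule.name` and
`rule.remediation` are ASSUMED field names modelled on documents in
logs-cloud_security_posture.findings_latest-*; verify them against your own
index before relying on the query builder. All sample findings are constructed.
"""
import re
from collections import Counter

PLACEHOLDER = re.compile(r"<[^<>]+>")  # assumed placeholder style, e.g. <node-name>


def finding(resource_id, section, rule_name, evaluation, remediation):
    """Build one document in the (assumed) findings shape."""
    return {
        "resource": {"id": resource_id},
        "rule": {"section": section, "name": rule_name, "remediation": remediation},
        "result": {"evaluation": evaluation},
    }


# Constructed sample: one control plane node (API server + etcd) and one worker.
SAMPLE_FINDINGS = [
    finding("kube-apiserver-cp-1", "API Server",
            "Ensure that the --anonymous-auth argument is set to false", "failed",
            "Edit /etc/kubernetes/manifests/kube-apiserver.yaml and set --anonymous-auth=false."),
    finding("kube-apiserver-cp-1", "API Server",
            "Ensure that the --audit-log-path argument is set", "failed",
            "Edit /etc/kubernetes/manifests/kube-apiserver.yaml and set --audit-log-path=<path/to/audit-log>."),
    finding("kube-apiserver-cp-1", "Control Plane Node Configuration Files",
            "Ensure that the API server pod specification file permissions are set to 600 or more restrictive", "failed",
            "chmod 600 /etc/kubernetes/manifests/kube-apiserver.yaml"),
    finding("kube-apiserver-cp-1", "API Server",
            "Ensure that the --profiling argument is set to false", "passed",
            "Edit /etc/kubernetes/manifests/kube-apiserver.yaml and set --profiling=false."),
    finding("kubelet-worker-1", "Kubelet",
            "Ensure that the --anonymous-auth argument is set to false", "failed",
            "On <node-name>, set authentication.anonymous.enabled: false in /var/lib/kubelet/config.yaml and restart kubelet."),
    finding("kubelet-worker-1", "Worker Node Configuration Files",
            "Ensure that the kubelet config file permissions are set to 600 or more restrictive", "failed",
            "chmod 600 /var/lib/kubelet/config.yaml"),
    finding("etcd-cp-1", "etcd",
            "Ensure that the --client-cert-auth argument is set to true", "failed",
            "Edit /etc/kubernetes/manifests/etcd.yaml and set --client-cert-auth=true."),
]


def failed(findings, section=None):
    """Failed findings, optionally restricted to one CIS section
    (the local equivalent of the KQL filter rule.section : "API Server")."""
    return [f for f in findings
            if f["result"]["evaluation"] == "failed"
            and (section is None or f["rule"]["section"] == section)]


def most_misconfigured_resources(findings):
    """Resources ordered by number of failed findings, like Group by > Resource."""
    return Counter(f["resource"]["id"] for f in failed(findings)).most_common()


def failed_by_section(findings):
    """Failed-finding counts per CIS section, like the dashboard widget."""
    return dict(Counter(f["rule"]["section"] for f in failed(findings)))


def remediations_needing_edit(findings):
    """Failed findings whose remediation still contains placeholders.
    Returns {(resource.id, rule.name): [placeholders]} so the command is
    filled in rather than pasted verbatim onto a node."""
    out = {}
    for f in failed(findings):
        holes = PLACEHOLDER.findall(f["rule"]["remediation"])
        if holes:
            out[(f["resource"]["id"], f["rule"]["name"])] = holes
    return out


def failed_findings_query(section=None, group_by="resource.id", size=10):
    """Elasticsearch query DSL reproducing the groupings above directly against
    logs-cloud_security_posture.findings_latest-* (assumed field names).
    Send it as the body of GET <index>/_search from Kibana Dev Tools or a client."""
    filters = [{"term": {"result.evaluation": "failed"}}]
    if section is not None:
        filters.append({"term": {"rule.section": section}})
    return {
        "size": 0,
        "query": {"bool": {"filter": filters}},
        "aggs": {"failed_by": {"terms": {"field": group_by, "size": size}}},
    }


if __name__ == "__main__":
    print(most_misconfigured_resources(SAMPLE_FINDINGS))
    print(failed_by_section(SAMPLE_FINDINGS))
    print(remediations_needing_edit(SAMPLE_FINDINGS))
```

The `failed_findings_query` builder uses a `term` filter on `result.evaluation` and a `terms` aggregation, which is how the Findings page grouping maps onto the index; passing `group_by="rule.section"` gives the per-section breakdown instead of the per-resource one. The user running the query needs read access to the findings indices listed under Requirements.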