Kubernetes Security Posture Management (KSPM) for Cloud Security Management (CSM) helps you proactively strengthen the security posture of your Kubernetes deployments by benchmarking your environment against established industry best practices, such as those defined by CIS, or your own custom detection policies.

Setting up KSPM

To take full advantage of KSPM, you must install both the Datadog Agent and cloud integrations. For detailed instructions, see the following articles:

This allows Datadog to detect risks in your Kubernetes deployments for each of the following resource types:

Resource TypeInstall MethodFramework
aws_eks_clustercloud integrationcis-eks
aws_eks_worker_nodeAgentcis-eks
azure_aks_clustercloud integrationcis-aks
azure_aks_worker_nodeAgentcis-aks
kubernetes_master_nodeAgentcis-kubernetes
kubernetes_worker_nodeAgentcis-kubernetes

Monitor risk across Kubernetes deployments

With KSPM, Datadog scans your environment for risks defined by more than 50+ out-of-the-box Kubernetes detection rules. When at least one case defined in a rule is matched over a given period of time, a notification alert is sent, and a finding is generated in the Misconfigurations Explorer.

Each finding contains the context you need to identify the issue’s impact, such as the full resource configuration, resource-level tags, and a map of the resource’s relationships with other components of your infrastructure. After you understand the problem and its impact, you can start remediating the issue by creating a Jira ticket from within CSM or by executing a pre-defined workflow.

Note: You can also use the API to programmatically interact with findings.

The details panel for a high severity finding for the EKS Cluster should have public access limited rule

Assess your Kubernetes security posture against industry-standard frameworks

CSM provides a security posture score that helps you understand your security and compliance status using a single metric. The score represents the percentage of your environment that satisfies all of your active out-of-the-box cloud and infrastructure detection rules. You can obtain the score for your entire organization, or for specific teams, accounts, and environments, including Kubernetes deployments.

For an in-depth explanation on how the security posture score works, see Security posture score.

View security posture score for Kubernetes deployments

To view the security posture score for your Kubernetes deployments, navigate to the Security > Compliance page and locate the CIS Kubernetes frameworks reports.

View detailed reports for Kubernetes frameworks

To view a detailed report that gives you insight into how you score against the framework’s requirements and rules, click Framework Overview. On the framework page, you can download a copy of the report as a PDF or export it as a CSV.

The CIS Kubernetes compliance report page showing an overall posture score of 64 percent

Create your own Kubernetes detection rules

In addition to the out-of-the-box detection rules, you can also create your own Kubernetes detection rules by cloning an existing rule or creating a new one from scratch. Rules are written in the Rego policy language, a flexible Python-like language that serves as the industry standard for detection rules. For more information, see Writing Custom Rules with Rego.

After you create the detection rule, you can customize its severity (Critical, High, Medium, Low, or Info) and set alerts for real-time notifications to notify you when a new finding is detected.

Further reading

PREVIEWING: safchain/fix-custom-agent