Security Operator

Compliance Reporting

CIS, NSA, and Pod Security Standards compliance reporting with the DevZero Security Operator.

The Security Operator generates compliance reports against industry-standard benchmarks on a configurable schedule.

Supported Frameworks

CIS Kubernetes Benchmark

The Center for Internet Security Kubernetes Benchmark covers:

  • Control plane configuration
  • etcd security
  • Kubelet configuration
  • Network policies
  • Pod security
  • RBAC authorization

NSA Kubernetes Hardening Guide

The National Security Agency hardening guide covers:

  • Pod security
  • Network separation and hardening
  • Authentication and authorization
  • Audit logging and threat detection
  • Upgrading and application security

Pod Security Standards (PSS)

Kubernetes-native pod security levels:

  • Baseline -- prevents known privilege escalations
  • Restricted -- enforces current pod hardening best practices

Viewing Compliance Reports

# List all compliance reports
kubectl get clustercompliancereport -n dakr-security-system

# View specific report
kubectl get clustercompliancereport <name> -n dakr-security-system -o yaml

Each report includes:

  • Overall compliance percentage
  • List of passing and failing controls
  • Specific resources that fail each control
  • Remediation guidance for failed controls

Scheduling

Compliance reports are generated on a cron schedule, configured through the compliance.cron value:

# Default: every 6 hours
--set compliance.cron="0 */6 * * *"

# Daily at midnight
--set compliance.cron="0 0 * * *"

# Weekly on Sunday
--set compliance.cron="0 0 * * 0"

RBAC Assessment

The RBAC assessment scanner analyzes cluster roles and bindings for:

  • Over-permissive roles (wildcard verbs or resources)
  • Roles that grant cluster-admin equivalent access
  • Service accounts with excessive permissions
  • Unused roles and bindings

# View RBAC assessment reports
kubectl get rbacassessmentreports -A
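The first two findings above (wildcard verbs or resources, and cluster-admin-equivalent access) can be reproduced offline against a `kubectl get clusterroles -o json` dump. This is an added example, not DevZero Security Operator code; the ESCALATION table is a common rule of thumb for "can grant itself cluster-admin", not the operator's own check, and the sample roles are constructed.

```python
"""Heuristic RBAC review over `kubectl get clusterroles -o json` output.
Added example, not the Security Operator's implementation."""
import json

# Constructed sample, shaped like `kubectl get clusterroles -o json`.
SAMPLE_ROLES_JSON = json.dumps({"items": [
    {"metadata": {"name": "pod-reader"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
    {"metadata": {"name": "wide-open"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"metadata": {"name": "binding-admin"},
     "rules": [{"apiGroups": ["rbac.authorization.k8s.io"],
                "resources": ["clusterrolebindings"], "verbs": ["create", "get"]}]},
]})

# Rights that let the holder hand itself cluster-admin, so they count as
# equivalent access (assumed rule of thumb): (apiGroup, resource, verb).
ESCALATION = {
    ("rbac.authorization.k8s.io", "clusterrolebindings", "create"),
    ("rbac.authorization.k8s.io", "clusterroles", "bind"),
    ("rbac.authorization.k8s.io", "clusterroles", "escalate"),
}


def _grants(rule, group, resource, verb):
    """True when the rule grants (group, resource, verb), honouring '*' wildcards."""
    return (any(g in ("*", group) for g in rule.get("apiGroups", []))
            and any(r in ("*", resource) for r in rule.get("resources", []))
            and any(v in ("*", verb) for v in rule.get("verbs", [])))


def assess_roles(roles_json):
    """Return {role name: sorted finding codes} for every role with a finding."""
    findings = {}
    for role in json.loads(roles_json)["items"]:
        codes = set()
        for rule in role.get("rules", []):
            if "*" in rule.get("verbs", []) or "*" in rule.get("resources", []):
                codes.add("wildcard")
            if any(_grants(rule, *esc) for esc in ESCALATION):
                codes.add("cluster-admin-equivalent")
        if codes:
            findings[role["metadata"]["name"]] = sorted(codes)
    return findings


if __name__ == "__main__":
    for name, codes in assess_roles(SAMPLE_ROLES_JSON).items():
        print(f"{name}: {', '.join(codes)}")
```

Pipe real output in with `kubectl get clusterroles -o json` and compare the flagged names with the operator's rbacassessmentreports; a role the heuristic flags but the report does not is worth a second look either way.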

Infrastructure Assessment

Node-level security scanning checks:

  • Kernel parameters and security modules
  • File permissions on critical paths
  • Running services and open ports
  • Container runtime configuration

# View infrastructure assessment reports
kubectl get infraassessmentreports -A
