
Kubernetes Compliance Dashboard

Overview

This dashboard provides a consolidated view of your compliance across all Kubernetes clusters that are integrated with Lacework.

This includes the following:

  • Centralized view of compliant and non-compliant resources and policies across all supported Kubernetes providers.
  • Multiple views and filter options to customize the presented data for your regulatory compliance needs.
  • Daily assessments of your resources and policies to maintain up-to-date visibility of your changing environment.

To go to the Kubernetes Compliance Dashboard in the Lacework Console, click Compliance > Kubernetes.

Prerequisites

To populate the data viewed in this page, you must configure at least one Compliance integration to a Kubernetes cluster. For more information, see:

Tabs

By default, the Compliance list displays clusters. The available tabs are listed below:

  • Clusters - Displays all integrated Kubernetes clusters.
  • Accounts - Displays all integrated cloud accounts.
  • Frameworks - Displays all frameworks, such as CIS Benchmark reports.
  • Policies - Displays all compliance policies associated with a Kubernetes framework (both custom and default).
  • Sections - Displays all Lacework Kubernetes Compliance sections (some of these are derived from CIS Benchmark sections, such as Worker Nodes).

Filters

Use the following methods to refine what is displayed in the compliance list:

  • All filters - use the search function at the top of the page to find specific text in any of the filters available on the page. The Any field option provides the same functionality.
  • Click filters within the dropdowns along the top of the page to make them active. Remove an active filter by clicking on it again or by clicking the Reset option. You can also click on the tags in the rows of the compliance list to use them as filters.

The available filters change depending on what tab is active:

Collection Status

Filter Kubernetes clusters by the level of Compliance data received:

  • Full collection - All the necessary Compliance data has been received for these clusters.
  • Partial collection - Either Node Collector or Cluster Collector data is not available for these clusters.
  • No collection - A Configuration integration may not have been completed for the cloud provider that manages these clusters.
  • Unknown Status - Status cannot be determined for these clusters.

See Kubernetes Compliance FAQs for more information.

Resource Group

Display compliance results for the selected resource groups.

Cluster Type

Filter the Kubernetes clusters by type (for example: EKS).

Cloud Provider

Display compliance details for Kubernetes clusters from the selected cloud providers (for example: AWS).

Cluster

Display compliance details for the selected Kubernetes clusters.

Account

Display compliance details for Kubernetes clusters in the selected cloud accounts.

Region

Display compliance details for Kubernetes clusters in the selected cloud provider regions (for example: eu-west-1).

Namespace

Filter the Kubernetes clusters by namespace (for example: default).

Severity

Display policy assessments with the selected severities (for example: Critical and High).

Status

Display policy assessments with the selected statuses (for example: Non-compliant).

Not assessed

The Not assessed status applies to all resources when the policy is manual.

For automated policies, either a compliance policy exception has been applied or there was an error during assessment. See Determination of the Could Not Assess status for potential reasons for errors.

Domain

Display policy assessments for Kubernetes clusters in the specified domains.

Date

To change the assessment date, select a custom date from the drop-down or use the horizontal arrows to move to the next/previous day.

Only information found during assessment on the specified date is reported. For example, if a number of resources were only integrated with Lacework yesterday, the total number of resources shown in the report 7 days ago would differ from the number shown in today's report.

Save View

When the page displays your desired compliance data, click Save or Create view in the top right corner. This allows you to access the saved view later.

You can also copy the link to a saved view by opening the list of saved views and clicking the Share view icon of the view you want to share. You can then send that link to others, so they can see the same view.

For more details about saved views, refer to Views Management.

note

Searches and sorting cannot be saved in views or copied as links.

Dashboard Charts

The Kubernetes Compliance dashboard contains a number of statistics and charts to help visualize your security posture.

Statistics

The statistics display the total number of Kubernetes clusters analyzed, and the total number of exceptions applied across all Kubernetes Compliance policies.

Policies

The Policies chart displays the total number of Kubernetes Compliance policies and splits them into the following categories:

  • Policies that are non-compliant when resources were assessed.
  • Policies that are compliant when resources were assessed.
  • Policies that have not been assessed due to the following reasons:

Additional statistics are also shown:

  • The total number of compliance policies enabled for your environment (including manual policies).
  • The percentage of compliant policies versus non-compliant (manual policies are not included in this percentage). All resources associated with the policy need to be assessed as compliant before the policy is deemed compliant.
  • The percentage of Severe compliance violations includes both critical and high severity policy violations.

Resources

The Resources chart displays the total number of distinct resources that have been evaluated against all Framework policies and splits them into the following categories:

  • Resources that are non-compliant due to failing a policy assessment (or multiple policy assessments).
  • Resources that are compliant due to passing policy assessments.
  • Resources that have not been assessed due to the following reasons:

Additional statistics are also shown:

  • The total number of resources that have been discovered through your integrations with Lacework (including those not assessed).
  • The percentage of total resources that have failed one or more policy assessments.

How are Resources Counted as Non-compliant?

A resource is non-compliant if it has failed one or more policy assessments.

For example, if a resource is associated with three policy assessments, and one of the policy assessments has failed on that resource, the resource is marked as non-compliant.

Non-compliant policies by severity

This chart splits non-compliant Kubernetes Compliance policies into severity levels of Critical, High, Medium, Low, and Info.

Compliance List Charts

Each row in the Compliance list has a chart (or charts) associated with that policy, account, assessment, cluster, or section. The list displays different chart(s) depending on which tab is selected.

Policies Tab Chart

When the Policies tab is selected, the chart displays the total number of resources linked with that policy and splits them into the following categories:

  • Non-compliant - Resources that are non-compliant due to failing the policy assessment.
  • Compliant - Resources that are compliant due to passing the policy assessment.
  • Not assessed - Resources that have not been assessed due to either errors, exceptions, or when the policy is manual.

Policy Drawer Charts

When clicking on a policy in the Compliance list, the drawer displays the same chart with added statistics:

  • Percentage of failed resources associated with the policy.

Additionally, the total number of exceptions applied to the policy is shown (as of the last reported date and time).

Click View exceptions to see details of any exceptions applied to the policy. You can also add new exceptions to the policy here.

Clusters/Accounts/Frameworks/Sections Tab Charts

When the Clusters/Accounts/Frameworks/Sections tab is selected, the chart displays the total number of non-compliant policies for that cluster/account/framework/section and splits them into severity levels of:

  • Critical
  • High
  • Other (Medium, Low, and Info combined)

Additionally, another chart displays the total number of resources linked with the policy and splits them into the following categories:

  • Resources that are non-compliant due to failing the policy assessment.
  • Resources that are compliant due to passing the policy assessment.
  • Resources that have not been assessed due to either errors, exceptions, or when the policy is manual.

Clusters/Accounts/Frameworks/Sections Drawer Charts

When clicking on a cluster/account/framework/section in the Compliance list, the drawer displays the same charts with added statistics:

  • Total number of policies associated with the cluster/account/framework/section.
  • Percentage of compliant policies associated with the cluster/account/framework/section.
  • The percentage of High severity compliance violations includes both critical and high severity policy violations associated with the cluster/account/framework/section.
  • Percentage of failed resources associated with the cluster/account/framework/section. One or more non-compliant policy assessments for a resource triggers the failed status.

Compliance List

The Compliance list is below the statistics and charts. Each row displays an individual cluster, account, framework, policy, or section depending on what tab is selected.

Available actions:

  • Click Refresh data to refresh the table.
  • Click Download to download the table in CSV format.
  • Use the sort options to adjust how you want the data presented (the options will vary for each tab).
  • Click a tag to reload the Compliance list using the tag as the filter.

Clusters Tab

When the Clusters tab is selected, the Sort by options can order the list by:

  • Cluster name
  • Number of affected policies
  • Number of affected resources

Each row displays compliance details on a single Kubernetes cluster.

Cluster Drawer

Click on a cluster row to display detailed results (expand this to full screen by using the < icon).

Underneath the cluster name, the cluster drawer displays the following information:

  • When the cluster was last assessed (Updated on).
  • The associated tags for this cluster (such as region or account name).

Underneath the chart, the table displays the number of resources that have passed or failed a particular policy assessment (found on this cluster).

Available actions:

  • Click Refresh to refresh table data.
  • Click Download to download the table in CSV format.
  • Click Select columns to show/hide the table columns.
  • Click Search to filter for specific text in any of the column details.

The table has the following information in each column:

  • Policy Name - The name of the policy. Click on the policy name to view the policy assessment with details on the failed (or compliant) resources.
  • Resources - The number of Kubernetes resources that have passed or failed this policy assessment.
  • Assessment - The status of the last policy assessment for all resources on this cluster (for example: Compliant, Non-Compliant, Manual).
  • Severity - The severity level of the policy.
  • Framework (hidden by default) - The report framework that the policy falls under. For example, if it is a CIS Amazon EKS 1.1.0 policy, the framework would be cis-eks-1-1-0.
  • Control (hidden by default) - If applicable, the CIS control ID for the policy (for example: 1.2).

Accounts Tab

When the Accounts tab is selected, the Sort by options can order the list by:

  • Account Name
  • Number of affected resources
  • Number of affected policies

Each row displays compliance details on an individual cloud account.

Account Drawer

Click on an account row to display detailed results (expand this to full screen by using the < icon).

Underneath the account name, the account drawer displays the following information:

  • When the account was last assessed (Updated on).
  • The associated tags for this account (such as cluster names or regions).

Underneath the chart, the table displays the number of resources that have passed or failed a particular policy assessment (found in this account).

Available actions:

  • Click Refresh to refresh table data.
  • Click Download to download the table in CSV format.
  • Click Select columns to show/hide the table columns.
  • Click Search to filter for specific text in any of the column details.

The table has the following information in each column:

  • Policy Name - The name of the policy. Click on the policy name to view the policy assessment with details on the failed (or compliant) resources.
  • Resources - The number of Kubernetes resources that have passed or failed this policy assessment.
  • Assessment - The status of the last policy assessment for all resources in this account (for example: Compliant, Non-Compliant, Manual).
  • Severity - The severity level of the policy.
  • Framework (hidden by default) - The report framework that the policy falls under. For example, if it is a CIS Amazon EKS 1.1.0 policy, the framework would be cis-eks-1-1-0.
  • Control (hidden by default) - If applicable, the CIS control ID for the policy (for example: 1.2).

Frameworks Tab

When the Frameworks tab is selected, the Sort by options can order the list by:

  • Framework name
  • Number of affected resources
  • Number of affected policies

Each row displays compliance details on an individual framework. For example, CIS EKS Benchmark v1.1.0.

Framework Drawer

Click on a framework row to display detailed results (expand this to full screen by using the < icon).

Underneath the framework name, the framework drawer displays the following information:

  • When the framework was last assessed (Updated on).
  • The associated tags for this framework (such as regions or account names).

Underneath the chart, the table displays the number of resources that have passed or failed a particular policy assessment (found in this assessment report).

Available actions:

  • Click Refresh to refresh table data.
  • Click Download to download the table in CSV format.
  • Click Select columns to show/hide the table columns.
  • Click Search to filter for specific text in any of the column details.

The table has the following information in each column:

  • Policy Name - The name of the policy. Click on the policy name to view the policy assessment with details on the failed (or compliant) resources.
  • Resources - The number of Kubernetes resources that have passed or failed this policy assessment.
  • Assessment - The status of the last policy assessment for all resources covered in this assessment report (for example: Compliant, Non-Compliant, Manual).
  • Severity - The severity level of the policy.
  • Framework (hidden by default) - The report framework that the policy falls under. For example, if it is a CIS Amazon EKS 1.1.0 policy, the framework would be cis-eks-1-1-0.
  • Control (hidden by default) - If applicable, the CIS control ID for the policy (for example: 1.2).

Policies Tab

When the Policies tab is active, the Sort by options can order the list by:

  • Number of affected resources
  • Policy title
  • Level of severity (of the policy)

Each row displays compliance details of an individual policy that is included in at least one framework. For example, Minimize the admission of privileged containers.

Policy Drawer

Click on a policy row to display detailed results (expand this to full screen by using the < icon).

Underneath the title, the policy drawer displays the following information:

  • When the policy assessment was last updated.
  • The associated tags for this policy (such as status or severity).

tip

For policies associated with a benchmark control, click View Context (if available) underneath the policy title to see detailed information about the benchmark control.

Underneath the chart, the table displays assessment details for resources associated with the policy.

Available actions:

  • Click Refresh to refresh table data.
  • Click Download to download the table in CSV format.
  • Click Select columns to show/hide the table columns.
  • Click Search to filter for specific text in any of the column details.

The table has the following information in each column:

  • Account (hidden by default) - The cloud account associated with the resource.
  • Node - The hostname of the node.
  • Resource Name - The Kubernetes resource name being assessed under this policy assessment.
  • Resource Type - The type of Kubernetes resource.
  • Namespace (hidden by default) - The namespace that the pod belongs to. Only applicable to policy assessments with a container data source.
  • Pod (hidden by default) - The pod name that the node belongs to. Only applicable to policy assessments with a container data source.
  • Image (hidden by default) - The container image used by the pod.
  • Cluster - The Kubernetes cluster name associated with the resource.
  • Region (hidden by default) - If applicable, the cloud provider region of the resource.
  • Assessment - The status of the last policy assessment for the resource (for example: Compliant, Non-Compliant, Manual).

Add Kubernetes Compliance Exceptions

  1. Click View exceptions to see details of any exception defined for this policy.
  2. Click Add exception and provide the exception criteria.
  3. Click Save once complete.

Sections Tab

When the Sections tab is selected, the Sort by options can order the list by:

  • Section
  • Number of affected resources
  • Number of affected policies

Each row displays compliance details on an individual section.

Section Drawer

Click on a section row to display detailed results (expand this to full screen by using the < icon).

Underneath the section name, the section drawer displays the following information:

  • When the section was last assessed (Updated on).
  • The associated tags for this section (such as account or cluster names).

Underneath the chart, the table displays the number of resources that have passed or failed a particular policy assessment (found in this section).

Available actions:

  • Click Refresh to refresh table data.
  • Click Download to download the table in CSV format.
  • Click Select columns to show/hide the table columns.
  • Click Search to filter for specific text in any of the column details.

The table has the following information in each column:

  • Policy Name - The name of the policy. Click on the policy name to view the policy assessment with details on the failed (or compliant) resources.
  • Resources - The number of Kubernetes resources that have passed or failed this policy assessment.
  • Assessment - The status of the last policy assessment for all resources in this section (for example: Compliant, Non-Compliant, Manual).
  • Severity - The severity level of the policy.
  • Framework (hidden by default) - The report framework that the policy falls under. For example, if it is a CIS Amazon EKS 1.1.0 policy, the framework would be cis-eks-1-1-0.
  • Control (hidden by default) - If applicable, the CIS control ID for the policy (for example: 1.2).

Determination of the Could Not Assess Status

In order to assess resources for compliance, Lacework must collect data for each resource. Lacework uses the data collection status to determine which policies have a sufficient amount of quality information to be evaluated, even if there is information for only some resources. An issue collecting data could cause the status to be returned as Could not assess.

Some issues that Lacework could encounter when collecting data include the following:

  • Transient failures, for example: rate limits and timeouts.
  • Incorrect permissions used by the Lacework collector, which were provided for the Cloud Collector integration (for example: AWS cross-account IAM role).

The assessment logic maps any of these recognized collection problems to the Could not assess result rather than guessing a compliance outcome.

Lacework applies the following process to determine if a policy’s status is Could not assess:

  1. At a resource level:
    1. If Lacework can determine non-compliance, then the resource is Non-compliant.
    2. Else, if Lacework cannot determine non-compliance, and the resource was not successfully fully collected, the resource is Could not assess.
    3. Else (Lacework can determine that there is no non-compliance, or sufficient conditions for compliance), the resource is Compliant.
  2. Lacework aggregates resource-level compliance observations and determines the aggregate status for the cloud integration as follows:
    • Non-compliant if any resources are known to be non-compliant
    • Could not assess if no resources are non-compliant, but some resource evaluations were Could not assess
    • Compliant if all resources are known to be compliant

The overall goal of Lacework is to never report a resource as compliant if it is not. Policy queries need adequately reliable information to determine non-compliance, and the methodology used is biased towards determining non-compliance, not compliance. It is possible for Lacework to determine a collection to be Could not assess and a policy using that collection in some way to be non-compliant.
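The rules above (resource level first, then the aggregate for the integration), together with the earlier rule that a resource is non-compliant as soon as it fails one or more policy assessments and that manual policies are excluded from the compliant-policy percentage, can be written down as a small decision model. The following is an added illustration, not Lacework's code; the `Observation` shape, the policy names, the sample data and the choice to treat an empty observation set as Could not assess are all assumptions made here so the logic can be exercised offline.

```python
# Added example (not Lacework's own code): a model of the status rules
# described on this page. Data shapes and sample values are constructed.
from dataclasses import dataclass
from enum import Enum


class Status(Enum):
    NON_COMPLIANT = "Non-compliant"
    COULD_NOT_ASSESS = "Could not assess"
    COMPLIANT = "Compliant"
    MANUAL = "Manual"


@dataclass(frozen=True)
class Observation:
    """One policy's view of one resource (assumed input shape)."""
    policy: str
    resource: str
    violation_found: bool   # the policy query positively determined non-compliance
    fully_collected: bool   # all data needed for this resource was collected


def resource_status(obs: Observation) -> Status:
    """Resource-level rule: known non-compliance wins, then a collection gap, else compliant."""
    if obs.violation_found:
        return Status.NON_COMPLIANT
    if not obs.fully_collected:
        return Status.COULD_NOT_ASSESS
    return Status.COMPLIANT


def aggregate_status(statuses) -> Status:
    """Aggregate rule: any Non-compliant -> Non-compliant; else any gap -> Could not assess; else Compliant."""
    statuses = list(statuses)
    if Status.NON_COMPLIANT in statuses:
        return Status.NON_COMPLIANT
    if Status.COULD_NOT_ASSESS in statuses:
        return Status.COULD_NOT_ASSESS
    if not statuses:
        # Assumption: with no observations at all, nothing can be called compliant.
        return Status.COULD_NOT_ASSESS
    return Status.COMPLIANT


def policy_statuses(observations, manual_policies=frozenset()) -> dict:
    """Status per policy over every resource that policy assessed; manual policies are never evaluated."""
    by_policy = {}
    for obs in observations:
        by_policy.setdefault(obs.policy, []).append(resource_status(obs))
    result = {policy: aggregate_status(s) for policy, s in by_policy.items()}
    for policy in manual_policies:
        result[policy] = Status.MANUAL
    return result


def noncompliant_resources(observations) -> set:
    """A resource is non-compliant if it failed one or more policy assessments."""
    return {obs.resource for obs in observations
            if resource_status(obs) is Status.NON_COMPLIANT}


def compliant_policy_percentage(statuses: dict) -> float:
    """Compliant versus non-compliant policies, as a percentage.

    Manual policies are excluded, as the page states. Could not assess policies are
    also left out of the denominator; that part is an assumption of this example.
    """
    decided = [s for s in statuses.values()
               if s in (Status.COMPLIANT, Status.NON_COMPLIANT)]
    if not decided:
        return 0.0
    compliant = sum(1 for s in decided if s is Status.COMPLIANT)
    return round(100.0 * compliant / len(decided), 1)


# Constructed sample: two pods and two nodes seen by three automated policies,
# plus one manual policy. The resource and policy names are made up.
SAMPLE = [
    Observation("privileged-containers", "pod/api-7f9", True, True),
    Observation("privileged-containers", "pod/web-a12", False, True),
    Observation("rbac-wildcards", "pod/api-7f9", False, True),
    Observation("rbac-wildcards", "pod/web-a12", False, True),
    Observation("audit-logging", "node/ip-10-0-1-5", False, False),  # collection gap
    Observation("audit-logging", "node/ip-10-0-1-6", False, True),
]
MANUAL = frozenset({"kubelet-cert-rotation"})

if __name__ == "__main__":
    statuses = policy_statuses(SAMPLE, MANUAL)
    for policy, status in sorted(statuses.items()):
        print(f"{policy:24} {status.value}")
    print("non-compliant resources:", sorted(noncompliant_resources(SAMPLE)))
    print("compliant policy %:", compliant_policy_percentage(statuses))
```

Note how `audit-logging` ends up as Could not assess even though one of its two nodes was fully collected and clean: a single resource with a collection gap and no proven violation is enough to withhold a Compliant verdict, which is the bias towards never reporting compliance that is not established. A resource such as `pod/api-7f9` that passes one policy but fails another is still counted as non-compliant.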