Skip to main content

Kubernetes Compliance Dashboard

BETA FEATURE

This article describes functionality that is currently in beta.

Overview

This dashboard provides a consolidated view of your compliance across all Kubernetes clusters that are integrated with Lacework.

To go to the Kubernetes Compliance Dashboard in the Lacework Console, click Compliance > Kubernetes.

console-k8s-compliance-dashboard-oct2022.png

To populate the data viewed in this page, you must configure at least one integration to a Kubernetes cluster. For more information, see Kubernetes.

Groups

By default, the Compliance list displays policies. Change what group the list displays by selecting a different Group by option from the drop-down:

GroupDescription
AccountDisplays all integrated cloud accounts.
AssessmentDisplays all assessments such as CIS Benchmark reports in the Compliance list.
ClusterDisplays all integrated Kubernetes clusters.
PolicyDisplays all policies in the Compliance list (both custom and default).
SectionDisplays all Lacework Kubernetes Compliance sections (some of these are derived from CIS Benchmark sections, such as Worker Nodes).

Filters

Use the following methods to refine what is displayed in the compliance list:

  • All filters - use the search function at the top of the page to find specific text in any of the filters available on the page.

  • Click filters within the dropdowns along the top of the page to make them active. Remove an active filter by clicking on it again or by clicking the Reset option.

    You can also click on the tags in the table list to use them as filters.

The available filters change depending on what Group by option you have selected:

FilterGroupsDescription
SeverityGroup by PolicyDisplay policy assessments with the specified severity (for example: Critical).
StatusGroup by PolicyDisplay policy assessments with the specified status (for example: Non-compliant).

NOTE: Suppressed is when a policy has an exception applied to it.
Cloud ProviderAllDisplay compliance details for Kubernetes clusters from a specified provider: AWS, Azure, or GCP.
DomainGroup by PolicyDisplay policy assessments for Kubernetes clusters in the specified domains.
ClusterGroup by AccountDisplay compliance details for the specified Kubernetes cluster names.
Group by Assessment
Group by Policy
Group by Section
Cluster TypeGroup by ClusterFilter the Kubernetes clusters displayed by type (for example: EKS).
Cluster StatusGroup by ClusterFilter Kubernetes clusters by the level of Compliance data received:

Full collection - All the necessary Compliance data has been received for the cluster.

Partial collection - Either Node Collector or Cluster Collector data is not available for the cluster.

See Lacework for Kubernetes Compliance - FAQs for more information.
RegionGroup by AccountDisplay compliance details for Kubernetes clusters in the specified cloud provider regions (for example: eu-west-1).
Group by Assessment
Group by Cluster
Group by Section
AccountGroup by AssessmentDisplay compliance details for Kubernetes clusters in a specified integrated cloud account (for example: 123456789101).
Group by Cluster
Group by Section
NamespaceGroup by ClusterFilter the Kubernetes clusters displayed by namespace (for example: default).

Date

To change the assessment date, select a custom date from the drop-down or use the horizontal arrows to move to the next/previous day.

Only information found during assessment on the specified date is reported. For example, if a number of resources were only integrated with Lacework yesterday, the total number of resources shown in the report 7 days ago would differ from the number shown in today's report.

Charts

Dashboard Charts

The Kubernetes Compliance dashboard contains a number of statistics and charts to help visualize your security posture.

important

All charts and statistics actively update to the group, search, and/or filters that you apply to the page.

Statistics

The statistics display the total number of Kubernetes clusters analyzed, and the total number of exceptions applied across all Kubernetes Compliance policies.

console-kubernetes-compliance-statistics.png

Policies

The Policies chart displays the total number of Kubernetes Compliance policies and splits them into the following categories:

  • Policies that are non-compliant when integrated resources were assessed.
  • Policies that are compliant when integrated resources were assessed.
  • Policies that have not been assessed due to the following reasons:
    • Policies require manual auditing.
    • Policies were not assessed due to an error.
    • Policies have exceptions applied to them.

It also displays what percentage of the total number of policies are compliant.

The High severity compliance violations statistic displays the percentage of critical and high severity policies that are non-compliant. This percentage is based off of the total number of policies.

cloud-dashboard-chart-policies.png

Resources

The Resources chart displays the total number of Kubernetes resources and splits them into the following categories:

  • Resources that are non-compliant due to failing a policy assessment (or multiple policy assessments).
  • Resources that are compliant due to passing policy assessments.
  • Resources that have not been assessed due to the following reasons:
    • Resources were not assessed due to an error.
    • Resources have exceptions applied to them.

It also displays what percentage of the total number of resources have failed one or more policy assesssments.

cloud-dashboard-chart-resources.png

Non-compliant policies by severity

This chart splits non-compliant Kubernetes Compliance policies into severity levels of Critical, High, Medium, Low, and Info.

cloud-dashboard-chart-non-compliant-policies-severity.png

Hover over any of the bars to get the exact number of non-compliant policies for that severity.

cloud-dashboard-chart-non-compliant-policies-number.png

Compliance List Charts

Each row in the Compliance list has a chart (or charts) associated to that policy, account, assessment, cluster, or section. The list displays different chart(s) depending on what group is selected.

Group by Policy Chart

When Group by Policy is selected, the chart displays the total number of resources linked with that policy and splits them into the following categories:

  • Fail - Resources that are non-compliant due to failing the policy assessment.
  • Pass - Resources that are compliant due to passing the policy assessment.
  • Not assessed - Resources that have not been assessed due to errors or exceptions.

cloud-dashboard-chart-groupbypolicy.png

Policy Drawer Chart

When clicking on a policy in the Compliance list, the drawer displays the same chart with added statistics:

  • Number of resources not assessed due to an error.
  • Number of resources not assessed due to an exception.

k8s-drawer-chart-groupbypolicy.png

Group by Account/Assessment/Cluster/Section Charts

When Group by Account/Assessment/Cluster/Section is selected, the chart displays the total number of non-compliant policies for that assessment/service/account and splits them into severity levels of Critical, High, or Other (being Medium, Low, and Info combined).

cloud-dashboard-chart-groupbyassessment-non-compliant-policies.png

Additionally, another chart displays the total number of resources linked with the policy and splits them into the following categories:

  • Resources that are non-compliant due to failing the policy assessment.
  • Resources that are compliant due to passing the policy assessment.
  • Resources that have not been assessed due to errors or exceptions.

cloud-dashboard-chart-groupbyassessment-non-compliant-resources.png

Account/Assessment/Cluster/Section Drawer Charts

When clicking on an account/assessment/cluster/section in the Compliance list, the drawer displays the same charts with added statistics:

  • Total number of policies associated with the account/assessment/cluster/section.
  • Total number of resources associated with the account/assessment/cluster/section.
  • Percentage of resources that have failed one or more policy assessments.

k8s-drawer-chart-groupbysection.png

Compliance List

The Compliance list is below the statistics and charts. Each row displays an individual policy, account, assessment, cluster, or section depending on what group is selected.

Use the icons show below to Refresh data and Download the table as a csv file:
console-k8s-compliance-list-options.png

Click a tag link to reload the Compliance list with the tag as the filter. You can also search through remaining tags by clicking +N more (if it is available):
k8s-compliance-list-searchtags.png

Group by Policy

When Group by Policy is selected, the Sort by options can order the list by:

  • Policy Name
  • Number of affected resources
  • Level of Severity

Each row displays compliance details on an individual policy. For example, Minimize the admission of privileged containers.

Policy Drawer

Click on a policy row to display detailed results (expand this to full screen by using the < icon).

tip

For policies associated with a benchmark rule, click View Context (if available) underneath the policy title to see detailed information about the benchmark rule.

The policy drawer shows the most relevant tags (underneath the title) associated with the policy. The latest assessment time is also shown underneath the policy title.

Underneath the chart, the table displays assessment details for resources associated with the policy.

k8s-drawer-groupbypolicy-table-options.png
Click on the icons to refresh table data, download the table as a csv file, select columns, and search for specific text in any of the column details.

The table has the following information in each column:

ColumnDescription
Account (hidden by default)The cloud account associated with the resource.
Resource NameThe Kubernetes resource name being assessed under this policy assessment.
Resource TypeThe type of Kubernetes resource.
ClusterThe Kubernetes cluster name associated with the resource.
Region (hidden by default)If applicable, the cloud provider region of the resource.
AssessmentThe status of the last policy assessment for the resource (for example: Compliant, Non-Compliant, Manual).

Group by Account

When Group by Account is selected, the Sort by options can order the list by:

  • Account Name
  • Number of affected resources
  • Number of affected policies

Each row displays compliance details on an individual cloud account.

Account Drawer

Click on an account row to display detailed results (expand this to full screen by using the < icon).

The account drawer shows the most relevant tags (underneath the title) associated with the account (such as cluster names). The latest assessment time is also shown underneath the account name.

Underneath the chart, the table displays the number of resources that have passed or failed a particular policy assessment (found in this account).

k8s-drawer-groupbypolicy-table-options.png
Click on the icons to refresh table data, download the table as a csv file, select columns, and search for specific text in any of the column details.

The table has the following information in each column:

ColumnDescription
Policy NameThe name of the policy. Click on the policy name to view the policy assessment with details on the failed (or compliant) resources.
ResourcesThe number of Kubernetes resources that have passed or failed this policy assessment.
AssessmentThe status of the last policy assessment for all resources in this account (for example: Compliant, Non-Compliant, Manual).
SeverityThe severity level of the policy.
Framework (hidden by default)The report framework that the policy falls under. For example, if it is a CIS Amazon EKS 1.1.0 policy, the framework would be cis-eks-1-1-0.
Control (hidden by default)If applicable, the CIS control ID for the policy (for example: 1.2).

Group by Assessment

When Group by Assessment is selected, the Sort by options can order the list by:

  • Assessment
  • Number of affected resources
  • Number of affected policies

Each row displays compliance details on an individual assessment report. For example, CIS EKS Benchmark v1.1.0.

Assessment Drawer

Click on an assessment row to display detailed results (expand this to full screen by using the < icon).

The assessment drawer shows the most relevant tags (underneath the title) associated with the assessment (such as regions). The latest assessment time is also shown underneath the assessment report name.

Underneath the chart, the table displays the number of resources that have passed or failed a particular policy assessment (found in this assessment report).

k8s-drawer-groupbypolicy-table-options.png
Click on the icons to refresh table data, download the table as a csv file, select columns, and search for specific text in any of the column details.

The table has the following information in each column:

ColumnDescription
Policy NameThe name of the policy. Click on the policy name to view the policy assessment with details on the failed (or compliant) resources.
ResourcesThe number of Kubernetes resources that have passed or failed this policy assessment.
AssessmentThe status of the last policy assessment for all resources covered in this assessment report (for example: Compliant, Non-Compliant, Manual).
SeverityThe severity level of the policy.
Framework (hidden by default)The report framework that the policy falls under. For example, if it is a CIS Amazon EKS 1.1.0 policy, the framework would be cis-eks-1-1-0.
Control (hidden by default)If applicable, the CIS control ID for the policy (for example: 1.2).

Group by Cluster

When Group by Cluster is selected, the Sort by options can order the list by:

  • Cluster Name
  • Number of affected policies
  • Number of affected resources

Each row displays compliance details on an individual Kubernetes cluster.

Cluster Drawer

Click on a cluster row to display detailed results (expand this to full screen by using the < icon).

The cluster drawer shows the most relevant tags (underneath the title) associated with the cluster (such as account IDs). The latest assessment time is also shown underneath the cluster name.

Underneath the chart, the table displays the number of resources that have passed or failed a particular policy assessment (found on this cluster).

k8s-drawer-groupbypolicy-table-options.png
Click on the icons to refresh table data, download the table as a csv file, select columns, and search for specific text in any of the column details.

The table has the following information in each column:

ColumnDescription
Policy NameThe name of the policy. Click on the policy name to view the policy assessment with details on the failed (or compliant) resources.
ResourcesThe number of Kubernetes resources that have passed or failed this policy assessment.
AssessmentThe status of the last policy assessment for all resources on this cluster (for example: Compliant, Non-Compliant, Manual).
SeverityThe severity level of the policy.
Framework (hidden by default)The report framework that the policy falls under. For example, if it is a CIS Amazon EKS 1.1.0 policy, the framework would be cis-eks-1-1-0.
Control (hidden by default)If applicable, the CIS control ID for the policy (for example: 1.2).

Group by Section

When Group by Section is selected, the Sort by options can order the list by:

  • Section
  • Number of affected resources
  • Number of affected policies

Each row displays compliance details on an individual section.

Section Drawer

Click on a section row to display detailed results (expand this to full screen by using the < icon).

The section drawer shows the most relevant tags (underneath the title) associated with the section (such as cluster names). The latest assessment time is also shown underneath the section name.

Underneath the chart, the table displays the number of resources that have passed or failed a particular policy assessment (found in this section).

k8s-drawer-groupbypolicy-table-options.png
Click on the icons to refresh table data, download the table as a csv file, select columns, and search for specific text in any of the column details.

The table has the following information in each column:

ColumnDescription
Policy NameThe name of the policy. Click on the policy name to view the policy assessment with details on the failed (or compliant) resources.
ResourcesThe number of Kubernetes resources that have passed or failed this policy assessment.
AssessmentThe status of the last policy assessment for all resources in this section (for example: Compliant, Non-Compliant, Manual).
SeverityThe severity level of the policy.
Framework (hidden by default)The report framework that the policy falls under. For example, if it is a CIS Amazon EKS 1.1.0 policy, the framework would be cis-eks-1-1-0.
Control (hidden by default)If applicable, the CIS control ID for the policy (for example: 1.2).

Determination of the Could Not Assess Status

In order to assess resources for compliance, Lacework must collect data for each resource. Lacework uses the data collection status to determine which policies have a sufficient amount of quality information to be evaluated, even if there is only information for some of the resources. An issue collecting data could cause the status to be returned as Could not assess.

Some issues that Lacework could encounter when collecting data include the following:

  • Transient failures, for example: rate limits and timeouts.
  • Incorrect permissions used by the Lacework collector.

The assessability functionality converts a recognition of the many potential problems into the Could not assess result.

Lacework applies the following process to determine if a policy’s status is Could not assess:

  1. At a resource level:
    1. If Lacework can determine non-compliance, then the resource is “non-compliant”.
    2. Else, if Lacework cannot determine non-compliance, and the resource was not successfully fully collected, the resource is Could not assess.
    3. Else, (Lacework can determine that there is no non-compliance, or sufficient conditions for compliance) the resource is “compliant”.
  2. Lacework aggregates resource-level compliance observations and determines the aggregate status for the cloud integration as follows:
    • Non-compliant if any resources are known to be non-compliant
    • Could not assess if no resources are non-compliant, but some resource evaluations were Could not assess
    • Compliant if all resources are known to be compliant

The overall goal of Lacework is to never report a resource as compliant if it is not. Policy queries need adequately reliable information to determine non-compliance, and the methodology used is biased towards determining non-compliance, not compliance. It is possible for Lacework to determine a collection to be Could not assess and a policy using that collection in some way to be non-compliant. The granularity of assessment capability will be refined in later releases.