Containers & Kubernetes (expanded): 29 items

Kubernetes → Admission Control & Policy

Tags: Admission, OPA, Kyverno

Question: Do admission controllers (OPA/Kyverno) enforce pre-deploy security policies?

Applicable Requirements:
- NIST 800-53: CM-7, SI-10
- CIS Benchmark: Kubernetes

Applicability: K8s clusters, any cloud or on-prem

Expected Result: Block privileged pods, hostPath, :latest images, missing probes; require signed images.

Why It Matters: Stops risky workloads at the gate.

Technical Breakdown:

  1. Deny default SA mounts; require limits/requests.
  2. Break-glass labels with approvals.

Kubernetes → Image Signing & Verification

Tags: Cosign, SLSA

Question: Are images signed (Cosign) and verified at admission?

Applicable Requirements:
- NIST 800-53: SA-12, SI-7

Applicability: All images

Expected Result: cosign signatures; provenance (SLSA); block unsigned.

Why It Matters: Prevents tampered images.

Technical Breakdown:

  1. Store signatures in registry; Gatekeeper constraints; digest pinning.

Kubernetes → Network Policies

Tags: NetworkPolicy

Question: Do NetworkPolicies enforce namespace/label allowlists and default deny?

Applicable Requirements:
- NIST 800-53: SC-7

Applicability: Multi-tenant clusters

Expected Result: Default deny ingress/egress; explicit allow to known services.

Why It Matters: Limits lateral movement.

Technical Breakdown:

  1. Calico/Cilium; log drops; restrict egress to DNS/KMS/APIs.

Kubernetes → Runtime Security

Tags: Falco, eBPF

Question: Is runtime monitoring (Falco/eBPF) detecting exec/shell, crypto-miners, and privilege abuse?

Applicable Requirements:
- NIST 800-53: SI-4

Applicability: Prod clusters

Expected Result: Alerts on abnormal syscalls; optional kill/quarantine.

Why It Matters: Detects post-exploit behavior.

Technical Breakdown:

  1. Ship events to SIEM; suppress benign noise; response runbooks.

Kubernetes → Pod Security Standards

Tags: K8s, Platform

Question: Is baseline/restricted PSP/PSS enforced cluster-wide with exceptions audited?

Applicable Requirements:
- NIST 800-53: CM-6, SC-7, SC-28
- SOC 2: CC7.2

Applicability: K8s clusters and platform ops.

Expected Result: Controls configured and audited; exceptions tracked.

Why It Matters: Reduces platform compromise risk.

Technical Breakdown:

  1. Baseline policies; periodic audits; integrate with CSPM.

Kubernetes → Secrets Store CSI

Tags: K8s, Platform

Question: Are secrets mounted via CSI + KMS and never baked into images?

Applicable Requirements:
- NIST 800-53: CM-6, SC-7, SC-28
- SOC 2: CC7.2

Applicability: K8s clusters and platform ops.

Expected Result: Secrets delivered through the Secrets Store CSI driver backed by KMS; none baked into image layers; exceptions tracked.

Why It Matters: Keeps secrets out of images and under KMS control.

Technical Breakdown:

  1. Baseline policies; periodic audits; integrate with CSPM.

Kubernetes → IRSA/Workload Identity

Tags: K8s, Platform

Question: Are cloud API calls made via workload identity instead of static keys?

Applicable Requirements:
- NIST 800-53: CM-6, SC-7, SC-28
- SOC 2: CC7.2

Applicability: K8s clusters and platform ops.

Expected Result: Workloads obtain cloud credentials via IRSA/Workload Identity; no static cloud keys in the cluster; exceptions tracked.

Why It Matters: Removes long-lived cloud keys from the cluster.

Technical Breakdown:

  1. Baseline policies; periodic audits; integrate with CSPM.

Kubernetes → Node Hardening

Tags: K8s, Platform

Question: Are nodes hardened per CIS with minimal host packages and regular patching?

Applicable Requirements:
- NIST 800-53: CM-6, SC-7, SC-28
- SOC 2: CC7.2

Applicability: K8s clusters and platform ops.

Expected Result: Nodes configured per CIS Benchmark with minimal host packages and a regular patch cadence; deviations audited and exceptions tracked.

Why It Matters: Reduces the attack surface and blast radius of the nodes that run every pod.

Technical Breakdown:

  1. Baseline policies; periodic audits; integrate with CSPM.

Kubernetes → Ingress/Egress

Tags: K8s, Platform

Question: Are egress policies enforced with proxying and FQDN allowlists?

Applicable Requirements:
- NIST 800-53: CM-6, SC-7, SC-28
- SOC 2: CC7.2

Applicability: K8s clusters and platform ops.

Expected Result: Egress forced through a proxy with FQDN allowlists; exceptions tracked.

Why It Matters: Limits data exfiltration and command-and-control traffic from compromised pods.

Technical Breakdown:

  1. Baseline policies; periodic audits; integrate with CSPM.

Kubernetes → Multi-Cluster/Namespaces

Tags: K8s, Platform

Question: Is tenancy isolated by namespaces/projects and network policies?

Applicable Requirements:
- NIST 800-53: CM-6, SC-7, SC-28
- SOC 2: CC7.2

Applicability: K8s clusters and platform ops.

Expected Result: Each tenant isolated by namespace/project with network policies between tenants; exceptions tracked.

Why It Matters: Contains a compromised tenant to its own namespace.

Technical Breakdown:

  1. Baseline policies; periodic audits; integrate with CSPM.

Kubernetes → Helm/Supply Chain

Tags: K8s, Platform

Question: Are charts locked by digest and verified from trusted repos?

Applicable Requirements:
- NIST 800-53: CM-6, SC-7, SC-28
- SOC 2: CC7.2

Applicability: K8s clusters and platform ops.

Expected Result: Charts pinned by digest and pulled only from trusted repositories; exceptions tracked.

Why It Matters: Prevents tampered or substituted charts from reaching the cluster.

Technical Breakdown:

  1. Baseline policies; periodic audits; integrate with CSPM.

Kubernetes → CI/CD to K8s

Tags: K8s, Platform

Question: Are deployers (ArgoCD/GitOps) using least-privilege service accounts and SSO?

Applicable Requirements:
- NIST 800-53: CM-6, SC-7, SC-28
- SOC 2: CC7.2

Applicability: K8s clusters and platform ops.

Expected Result: Deployers (ArgoCD/GitOps) run with least-privilege service accounts and operators authenticate via SSO; exceptions tracked.

Why It Matters: Limits the damage a compromised deploy pipeline can do to the cluster.

Technical Breakdown:

  1. Baseline policies; periodic audits; integrate with CSPM.

Kubernetes → Etcd Security

Tags: K8s, Platform

Question: Is etcd encrypted at rest with TLS and separate keys?

Applicable Requirements:
- NIST 800-53: CM-6, SC-7, SC-28
- SOC 2: CC7.2

Applicability: K8s clusters and platform ops.

Expected Result: etcd encrypted at rest, TLS enforced on its connections, and encryption keys kept separate; exceptions tracked.

Why It Matters: etcd holds all cluster state, including Secrets.

Technical Breakdown:

  1. Baseline policies; periodic audits; integrate with CSPM.

Kubernetes → Backup/DR for K8s

Tags: K8s, Platform

Question: Are etcd and PVs backed up and restores tested?

Applicable Requirements:
- NIST 800-53: CM-6, SC-7, SC-28
- SOC 2: CC7.2

Applicability: K8s clusters and platform ops.

Expected Result: etcd and persistent volumes backed up on a schedule; restores tested regularly; exceptions tracked.

Why It Matters: Enables recovery after cluster loss or a destructive compromise.

Technical Breakdown:

  1. Baseline policies; periodic audits; integrate with CSPM.

Kubernetes → Platform Controls: Registry Access Policies

Tags: K8s

Question: Is the following control enforced: Registry Access Policies?

Applicable Requirements:
- NIST 800-53: CM-7, SC-7
- SOC 2: CC7.2

Applicability: Cluster image pulls

Expected Result: Allowlist registries; signed images only; no :latest

Why It Matters: Prevents resource abuse, privilege escalation, and secret leakage.

Technical Breakdown:

  1. Policy-as-code; periodic audits; runtime verify.

Kubernetes → Platform Controls: Resource Quotas & Limits

Tags: K8s

Question: Is the following control enforced: Resource Quotas & Limits?

Applicable Requirements:
- NIST 800-53: CM-7, SC-7
- SOC 2: CC7.2

Applicability: Namespaces

Expected Result: Quotas to prevent noisy neighbors; enforce limits

Why It Matters: Prevents resource abuse, privilege escalation, and secret leakage.

Technical Breakdown:

  1. Policy-as-code; periodic audits; runtime verify.

Kubernetes → Platform Controls: Horizontal Pod Autoscaling Safety

Tags: K8s

Question: Is the following control enforced: Horizontal Pod Autoscaling Safety?

Applicable Requirements:
- NIST 800-53: CM-7, SC-7
- SOC 2: CC7.2

Applicability: Auto-scaling workloads

Expected Result: HPA with sane min/max; protect from thrash

Why It Matters: Prevents resource abuse, privilege escalation, and secret leakage.

Technical Breakdown:

  1. Policy-as-code; periodic audits; runtime verify.

Kubernetes → Platform Controls: RBAC Granularity

Tags: K8s

Question: Is the following control enforced: RBAC Granularity?

Applicable Requirements:
- NIST 800-53: CM-7, SC-7
- SOC 2: CC7.2

Applicability: Cluster roles

Expected Result: No cluster-admin to apps; least-privilege roles

Why It Matters: Prevents resource abuse, privilege escalation, and secret leakage.

Technical Breakdown:

  1. Policy-as-code; periodic audits; runtime verify.

Kubernetes → Platform Controls: Secrets Rotation

Tags: K8s

Question: Is the following control enforced: Secrets Rotation?

Applicable Requirements:
- NIST 800-53: CM-7, SC-7
- SOC 2: CC7.2

Applicability: K8s Secrets

Expected Result: Periodic rotation; CSI-backed; avoid env vars

Why It Matters: Prevents resource abuse, privilege escalation, and secret leakage.

Technical Breakdown:

  1. Policy-as-code; periodic audits; runtime verify.

Kubernetes → Advanced Platform Controls: Pod Security Admission (PSA)

Tags: K8s-Advanced

Question: Is the following control enforced: Pod Security Admission (PSA)?

Applicable Requirements:
- NIST 800-53: SC-7, SI-4, CM-7
- SOC 2: CC7.2

Applicability: K8s 1.25+

Expected Result: Enforce baseline/restricted; audit exceptions

Why It Matters: Closes K8s control-plane and runtime escape paths.

Technical Breakdown:

  1. Harden API server/kubelet; sign/verify all components; monitor for escapes.

Kubernetes → Advanced Platform Controls: ETCD Peer TLS & Auth

Tags: K8s-Advanced

Question: Is the following control enforced: ETCD Peer TLS & Auth?

Applicable Requirements:
- NIST 800-53: SC-7, SI-4, CM-7
- SOC 2: CC7.2

Applicability: Control plane

Expected Result: Mutual TLS between etcd peers/clients

Why It Matters: Closes K8s control-plane and runtime escape paths.

Technical Breakdown:

  1. Harden API server/kubelet; sign/verify all components; monitor for escapes.

Kubernetes → Advanced Platform Controls: Kubelet ReadOnlyPort Off

Tags: K8s-Advanced

Question: Is the following control enforced: Kubelet ReadOnlyPort Off?

Applicable Requirements:
- NIST 800-53: SC-7, SI-4, CM-7
- SOC 2: CC7.2

Applicability: Nodes

Expected Result: Disable readOnlyPort; authz kubelet

Why It Matters: Closes K8s control-plane and runtime escape paths.

Technical Breakdown:

  1. Harden API server/kubelet; sign/verify all components; monitor for escapes.

Kubernetes → Advanced Platform Controls: Audit Policy

Tags: K8s-Advanced

Question: Is the following control enforced: Audit Policy?

Applicable Requirements:
- NIST 800-53: SC-7, SI-4, CM-7
- SOC 2: CC7.2

Applicability: APIServer

Expected Result: Audit policy with request/response metadata to SIEM

Why It Matters: Closes K8s control-plane and runtime escape paths.

Technical Breakdown:

  1. Harden API server/kubelet; sign/verify all components; monitor for escapes.

Kubernetes → Advanced Platform Controls: CNI Integrity

Tags: K8s-Advanced

Question: Is the following control enforced: CNI Integrity?

Applicable Requirements:
- NIST 800-53: SC-7, SI-4, CM-7
- SOC 2: CC7.2

Applicability: Networking

Expected Result: CNI from trusted source; pinned versions; signed

Why It Matters: Closes K8s control-plane and runtime escape paths.

Technical Breakdown:

  1. Harden API server/kubelet; sign/verify all components; monitor for escapes.

Kubernetes → Advanced Platform Controls: Image Pull Secrets Scope

Tags: K8s-Advanced

Question: Is the following control enforced: Image Pull Secrets Scope?

Applicable Requirements:
- NIST 800-53: SC-7, SI-4, CM-7
- SOC 2: CC7.2

Applicability: Namespaces

Expected Result: Per-namespace secrets; no cluster-wide secrets

Why It Matters: Closes K8s control-plane and runtime escape paths.

Technical Breakdown:

  1. Harden API server/kubelet; sign/verify all components; monitor for escapes.

Kubernetes → Advanced Platform Controls: Admission Webhook TLS

Tags: K8s-Advanced

Question: Is the following control enforced: Admission Webhook TLS?

Applicable Requirements:
- NIST 800-53: SC-7, SI-4, CM-7
- SOC 2: CC7.2

Applicability: Admission

Expected Result: Webhook servers with TLS/mTLS; cert rotation

Why It Matters: Closes K8s control-plane and runtime escape paths.

Technical Breakdown:

  1. Harden API server/kubelet; sign/verify all components; monitor for escapes.

Kubernetes → Advanced Platform Controls: Job/CronJob Controls

Tags: K8s-Advanced

Question: Is the following control enforced: Job/CronJob Controls?

Applicable Requirements:
- NIST 800-53: SC-7, SI-4, CM-7
- SOC 2: CC7.2

Applicability: Batch

Expected Result: TTL controllers; resource caps; watch for runaway jobs

Why It Matters: Closes K8s control-plane and runtime escape paths.

Technical Breakdown:

  1. Harden API server/kubelet; sign/verify all components; monitor for escapes.

Kubernetes → Advanced Platform Controls: Node Auto-Repair

Tags: K8s-Advanced

Question: Is the following control enforced: Node Auto-Repair?

Applicable Requirements:
- NIST 800-53: SC-7, SI-4, CM-7
- SOC 2: CC7.2

Applicability: Managed K8s

Expected Result: Enable auto repair/drain; surge upgrades

Why It Matters: Closes K8s control-plane and runtime escape paths.

Technical Breakdown:

  1. Harden API server/kubelet; sign/verify all components; monitor for escapes.

Kubernetes → Advanced Platform Controls: Privileged Escapes Detection

Tags: K8s-Advanced

Question: Is the following control enforced: Privileged Escapes Detection?

Applicable Requirements:
- NIST 800-53: SC-7, SI-4, CM-7
- SOC 2: CC7.2

Applicability: Runtime

Expected Result: Detect /proc, /sys, CAP_SYS_ADMIN abuse

Why It Matters: Closes K8s control-plane and runtime escape paths.

Technical Breakdown:

  1. Harden API server/kubelet; sign/verify all components; monitor for escapes.