📊 KUBESCAPE SECURITY REPORT

Cluster Security Posture

Automated security scanning across NSA, MITRE ATT&CK, CIS, SOC2, and DevOps best practices frameworks.

CLUSTER

admin@edgit-k8s

SCAN DATE

2026-03-18

KUBESCAPE

v4.0.3

NAMESPACES

RESOURCES

~946

COMPLIANCE SCORES BY FRAMEWORK

Each framework evaluates a different set of security controls. CIS is the most comprehensive with 40 controls.

NSA

2/20 controls passed

MITRE

2/19 controls passed

CIS

7/40 controls passed

SOC2

1/7 controls passed

DevOps

3/15 controls passed

Severity Distribution

Findings grouped by severity level across all frameworks.

Critical

6% of total

High

36% of total

Medium

36% of total

Low

21% of total

HIGH SEVERITY FINDINGS

12 findings

Missing CPU limits

367 containers

27%

NSADevOps

Missing memory limits

298 containers

36%

NSADevOps

Containers running as root

251 containers

35%

NSACIS

Credentials in config files

27 resources

93%

NSAMITRESOC2

Privileged containers

24 pods

90%

NSAMITRECIS

Writable hostPath mounts

37 pods

85%

MITRE

HostPath mounts

40 pods

84%

MITRE

List K8s secrets (RBAC)

68 roles

72%

MITRESOC2

HostNetwork access

7 pods

97%

NSACIS

#10

Insecure capabilities

11 pods

96%

NSA

#11

Host PID/IPC privileges

5 pods

98%

NSA

#12

Ingress TLS encryption

2 ingresses

33%

SOC2

MEDIUM SEVERITY FINDINGS

12 findings

No Network Policies

53/57 namespaces

11%

NSAMITRECISSOC2

SA token automount

210 SAs / 223 pods

53%

NSACIS

Container SA access

161 pods

22%

MITRE

Allow privilege escalation

115 pods

54%

NSACIS

Missing seccomp profile

146 pods

41%

CIS

Missing Linux hardening

118 pods

53%

NSA

Unencrypted PVs

72 PVs

SOC2

Missing liveness probes

130 pods

48%

DevOps

Secrets as env vars

137 env refs

83%

CIS

#10

Roles with delete caps

40 roles

84%

MITRE

#11

Administrative Roles

5 roles

98%

NSAMITRESOC2

#12

Admission ctrl not validated

25 webhooks

MITRE

LOW SEVERITY FINDINGS

7 findings

Missing labels

188 resources

24%

DevOps

Immutable container FS

139 pods

44%

CIS

Missing readiness probes

112 pods

55%

DevOps

Missing CPU requests

134 containers

46%

DevOps

Missing memory requests

139 containers

44%

DevOps

Image pull policy latest

6 pods

98%

DevOps

Naked pods (no controller)

3 pods

93%

DevOps

Security Coverage Gaps

Network policy enforcement and Pod Security Standards adoption across all namespaces.

Network Policy Coverage

argocd (7)

tenant-team-alpha (1)

keycloak (1)

apisix (1)

53 namespaces without policies

Pod Security Standards

restricted 3

tenant-team-alphatenant-test-orgtenant1

baseline 1

cert-platform

privileged 7

autoscalingeraser-systemfalcogpu-operatorlonghorn-systemobservabilitytikv

No PSS enforcement 46 namespaces

Compliance Score Targets

Projected scores after each remediation phase. Current scores shown as solid bars.

NSA 65% → 90%

65%

Current

P1: 75% P2: 82% P4: 90%

MITRE 66% → 88%

66%

Current

P1: 73% P2: 80% P4: 88%

CIS 43% → 78%

43%

Current

P1: 55% P2: 65% P4: 78%

SOC2 64% → 90%

64%

Current

P1: 72% P2: 82% P4: 90%

DevOps 69% → 92%

69%

Current

P1: 80% P2: 85% P4: 92%

Remediation Roadmap

Phased approach from quick wins to advanced hardening — prioritized by impact and risk.

Quick Wins

Week 1-2 Low risk

Pod Security Standards enforcementDisable SA token automountKyverno resource limits policyRequired labels policy

Network Segmentation

Week 2-4 Medium risk

Default-deny CiliumNetworkPoliciesPer-namespace allow rulesRBAC secret access auditVault/Postgres/Keycloak isolation

Workload Hardening

Week 3-6 Medium risk

Security contexts (non-root)Secrets → volume mountsRead-only root filesystemLiveness & readiness probes

Advanced Hardening

Week 6-8 Higher risk

Disallow privileged containersPersistent volume encryptionSeccomp profile enforcementAudit log configuration

Ongoing Governance

Continuous Low risk

Kubescape Operator installKyverno policy consolidationWeekly scheduled scansCompliance trend tracking

ACCEPTED RISKS

Infrastructure components that legitimately require elevated privileges. These are expected and documented.

Cilium CNI

kube-system

privileged hostPath root

Longhorn

longhorn-system

privileged hostPath root

NVIDIA GPU Operator

gpu-operator

privileged hostPath root

NFS CSI

kube-system

privileged hostPath root

Node Exporter

observability

hostPath root

Alloy (logs)

observability

hostPath

Alloy (profiles)

observability

privileged root

Eraser

eraser-system

hostPath root

← BACK TO SECURITY