Getting started with Kubernetes® Security Posture Management (KSPM) in Yandex Security Deck

Written by
Yandex Cloud
Updated at October 13, 2025
  • Activating the KSPM module
  • Using KSPM
  • Kubernetes control rules
    • Viewing the list of exceptions from the rules
    • Creating an exception
    • Deleting an exception
    • See also

Note

Kubernetes® Security Posture Management (KSPM) is at the Preview stage and provided upon request. Also, it requires access to Security Deck workspaces.

To get access, contact support or your account manager.

If you want to use an AI assistant to work with alerts, request access to it as well.

Kubernetes Security Posture Management (KSPM) ensures the security of containerized applications and the images they use.

The KSPM module automatically identifies all Kubernetes clusters and containers in the specified workspace, and deploys security components in them as defined in the configuration. New clusters automatically get security coverage, without requiring manual search or installation of any components.

The module continuously assesses workloads for misconfigurations and provides runtime security monitoring through sensors that detect attacks targeting nodes and containers.

Warning

To use the KSPM module, the minimum role you need for the folder specified in the workspace is security-deck.admin.

Users who will later monitor failures in Managed Service for Kubernetes clusters need the minimum role of kspm.admin for the folder specified in the workspace.

Activating the KSPM module

To get started with KSPM:

  1. Create a service account KSPM will use to view Managed Service for Kubernetes cluster info, install the necessary components, and perform checks.

  2. Assign to the service account the security-deck.worker role for the organization, cloud, or folder.

    Note

    KSPM will only have access to the Managed Service for Kubernetes clusters residing in the corresponding organization, cloud, or folder.

    If you have assigned the role for a particular folder, the service account will also need the auditor role for the cloud.

  3. Create a Security Deck workspace configured as follows:

    • In the connector settings under Resources:

      • Select the service account you created earlier.

      • Specify the clouds and folders containing the Managed Service for Kubernetes clusters whose security you want to control.

        Tip

        Later on you will be able to further narrow the scope of control in the KSPM settings.

    • Under Security compliance, select the industry standards and regulations the resources you chose at the previous step will be benchmarked against.

      • Kubernetes Pod Security Standards (Restricted): This standard contains security controls based on the Kubernetes Pod Security Standards (PSS) Restricted profile. A restricted profile is the most secure and provides the highest detection efficiency for container-based attacks. It applies strict security policies that may require modifying applications to ensure compliance. A restricted profile is recommended for security-critical applications and environments where maximum security is required.
      • Kubernetes Pod Security Standards (Baseline): This standard contains security controls based on the Kubernetes Pod Security Standards (PSS) Baseline profile. A baseline profile is designed for easy implementation and provides common best practices for container security. It prevents the most common security issues in containers while maintaining compatibility with most applications. The baseline profile is a good starting point for organizations just getting started with container security.
      • Microsoft Threat Matrix for Kubernetes: This standard contains security controls based on the Microsoft Threat Matrix for Kubernetes, which is a framework that helps security teams understand and fend off threats specific to Kubernetes environments. It provides a comprehensive approach to attack methods and defensive strategies tailored for container orchestration platforms.

      You can select several standards at the same time. The Control modules section will display the Security Deck modules, which will be activated in the new workspace to check your resources for compliance with the selected standards and regulations.

  4. Complete the KSPM setup:

    1. Click Workspace parameters on the new workspace page.

    2. Navigate to the KSPM tab.

    3. Under Scope of control, select the clouds, folders, or clusters within the workspace resources where compliance with the Kubernetes security rules will be enforced.

      Warning

      A cluster can only belong to one Security Deck workspace. Otherwise, there will be conflicts.

    4. Click Save and confirm the action.

      Once you do that, the necessary components will be automatically installed in the yc-security namespace in the Managed Service for Kubernetes clusters that are within the scope of control.

      Depending on cluster size, component installation may take from 1 to 10 minutes.

Tip

To remove clusters from the control scope and to stop monitoring them for security, delete the Security Deck workspace or disable the Kubernetes security standards.
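To make concrete what the Pod Security Standards selected under Security compliance check for, here is an added example (not Yandex Cloud or KSPM code) that evaluates a pod manifest, parsed into a dict, against a subset of the PSS Baseline and Restricted controls; the sample manifests are constructed for illustration.

```python
# Added example, not Yandex Cloud code: checks a pod manifest (a dict parsed from
# YAML/JSON) against a subset of the PSS Baseline and Restricted profiles above.
from typing import Dict, List

# Capabilities a container may add under Baseline (the PSS allow-list).
BASELINE_ALLOWED_CAPS = {"AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL",
    "MKNOD", "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT"}

def baseline_violations(pod: Dict) -> List[str]:
    """Baseline: blocks known privilege escalations; initContainers omitted for brevity."""
    spec = pod.get("spec", {})
    out = [f"spec.{k} is true" for k in ("hostNetwork", "hostPID", "hostIPC") if spec.get(k)]
    out += [f"volume {v.get('name')} uses hostPath" for v in spec.get("volumes", []) if "hostPath" in v]
    for c in spec.get("containers", []):
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            out.append(f"{c['name']}: privileged container")
        if bad := set(sc.get("capabilities", {}).get("add", [])) - BASELINE_ALLOWED_CAPS:
            out.append(f"{c['name']}: adds capabilities {sorted(bad)}")
    return out

def restricted_violations(pod: Dict) -> List[str]:
    """Restricted: Baseline plus hardening that workloads must explicitly opt into."""
    out = baseline_violations(pod)
    pod_sc = pod.get("spec", {}).get("securityContext", {})
    for c in pod.get("spec", {}).get("containers", []):
        sc = c.get("securityContext", {})
        caps = sc.get("capabilities", {})
        # Container-level fields override pod-level ones, as in Kubernetes.
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile", {})).get("type")
        if sc.get("allowPrivilegeEscalation") is not False:
            out.append(f"{c['name']}: allowPrivilegeEscalation must be false")
        if non_root is not True:
            out.append(f"{c['name']}: runAsNonRoot must be true")
        if "ALL" not in caps.get("drop", []):
            out.append(f"{c['name']}: must drop ALL capabilities")
        if set(caps.get("add", [])) - {"NET_BIND_SERVICE"}:
            out.append(f"{c['name']}: only NET_BIND_SERVICE may be added")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            out.append(f"{c['name']}: seccompProfile must be RuntimeDefault or Localhost")
    return out

# Constructed sample manifests, not taken from a real cluster.
LEGACY_POD = {"spec": {"hostNetwork": True, "containers": [
    {"name": "agent", "securityContext": {"privileged": True}}]}}
HARDENED_POD = {"spec": {"securityContext": {"runAsNonRoot": True,
    "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "web", "securityContext": {
        "allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]}}}]}}
```

The legacy pod fails Baseline on two counts and Restricted on four more, while the hardened pod passes both, which is the kind of difference that decides whether an application needs changes before the Restricted standard can be enforced.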

Using KSPM

Security Deck UI
  1. Go to Yandex Security Deck.
  2. In the left-hand panel, select KSPM.
  3. At the top of the window, click More and select the workspace.
  4. On the Clusters tab, make sure all the clusters are connected to KSPM and are in the active control status.
  5. Review the Dashboard tab. It has the following sections:
    • Top controls with warnings: Contains the most frequently violated rules within the control scope and gives the number of violations.

    • Section with overall statistics for the scope of control: Gives the number of clusters with KSPM connection errors, the number of clusters with security warnings, the top clusters by number of warnings, and the total number of violations.

    • A list of alerts stating threat type, status, and last update time.

      For each security rule violation, an alert is created with a detailed description of the violation, severity, detection time, list of affected resources and troubleshooting recommendations.

      You can manage troubleshooting for each specific alert:

      • Assign persons responsible for troubleshooting.
      • Manage the alert status.
      • Leave comments.
      • Keep track of troubleshooting progress.
      • Request analysis from the AI assistant.

Kubernetes control rules

To view active Kubernetes control rules:

Security Deck UI
  1. Go to Yandex Security Deck.

  2. In the left-hand panel, select Control rules.

  3. At the top of the window, click More and select the workspace for which you want to view the rule info. Use search, if required.

  4. On the Security control rules page that opens, go to the Kubernetes® tab. The section that opens lists the control rules that form a part of the security standards specified for the current workspace.

    For each rule, the table displays the following information:

    Tip

    If you need to, you can change the info columns displayed in the table. To do so, click the icon in the row with the table column headers, select the info columns you need, and click Apply.

    • Severity icon: Rule criticality level. This icon indicates how security-critical the rule is:

      • Remark
      • Low severity
      • Medium severity
      • High severity
    • Control rule: Rule name and brief summary.

    • Rule sets: Icon(s) for the security standards that are using this rule. If the icon is colored, it means the rule is checked for the corresponding standard. If the icon is gray, it means it is not.

    • Verification method: How the infrastructure controlled in the workspace is checked for compliance with this rule:

      • automatic
      • manual
    • ID: Rule ID in Yandex Cloud.

    • Violations: Number of rule violations detected.

  5. To view detailed information about a specific rule, click the table row with its name. The detailed info window that opens includes the following tabs:

    • Overview
    • Violations
    • Recommendations

    In addition to the data shown in the general rule info table, the Overview tab contains:

    • Date and time of the most recent security check.
    • Details on the monitored features, their configurations, or actions performed with them.

    The Violations tab lists security violations detected during checks. Detected violations will not appear in this list if they satisfy the exception criteria specified for the rule.

    The Recommendations tab provides guides and solutions to help you perform the actions required by the rule.

Viewing the list of exceptions from the rules

To view the list of exceptions from the Kubernetes security control rules applicable to the workspace:

Security Deck UI
  1. Go to Yandex Security Deck.

  2. In the left-hand panel, select Control rules.

  3. At the top of the window, click More and select the workspace for which you want to view the info on control rule exceptions. Use search, if required.

  4. On the Security control rules page that opens, go to the Exceptions tab.

    The list of exceptions for the Kubernetes rules is provided under KSPM and contains the following fields:

    • Exception: Reason for exception.
    • Status: Active or inactive.
    • Rules: List of rules for which compliance check has been excluded.
    • Author: User who created the exception.
    • Date of creation: Date and time the exception was created.

Creating an exception

To create a new exception for the Kubernetes control rules:

Security Deck UI
  1. Go to Yandex Security Deck.
  2. In the left-hand panel, select Control rules.
  3. At the top of the window, click More and select the workspace in which you want to create an exception from the control rules. Use search, if required.
  4. On the Security control rules page that opens, go to the Exceptions tab.
  5. In the top-right corner, click Create exception and select KSPM. In the window that opens:
    1. Under Scope of control, specify the resources you want to exclude when checking the Kubernetes control rules:

      • All resources: To exclude all resources controlled in the workspace.

      • Selected resources: To exclude only some resources. To select resources excluded from the check:

        • Click Select resources.
        • In the window that opens, select the resources to exclude from the rule and click Apply.
    2. Under Excepted rules, select the Kubernetes control rules the selected resources should not be checked against:

      • All rules: To exclude the selected resources from the check for compliance with all the Kubernetes control rules.

      • Selected rules: To exclude the selected resources from the check for compliance with a given set of rules. To select rules for which compliance check will be disabled based on the exception you are creating:

        • Click Select rules.
        • In the window that opens, select the rules you want to exclude from compliance check. If required, use the filter or search at the top of the window.
        • Click Save selection.
    3. Under Reason for exclusion, enter the reason for creating the exception in free form.

    4. Select Activate exception.

    5. Click Create exception.

The new exception will now be displayed under KSPM on the Exceptions tab of the Security control rules page.

Deleting an exception

To delete an exception for the Kubernetes control rules:

Security Deck UI
  1. Go to Yandex Security Deck.
  2. In the left-hand panel, select Control rules.
  3. At the top of the window, click More and select the workspace in which you want to delete an exception from the control rules. Use search, if required.
  4. On the Security control rules page that opens, go to the Exceptions tab.
  5. Under Configuration control, in the row with the exception you want to delete, click the icon and select Delete.

This will remove the exception from the workspace and cancel the restrictions it imposed on rule checks.

See also

  • Kubernetes® Security Posture Management (KSPM)
  • Kubernetes® Security Posture Management (KSPM) service roles
  • Creating a Security Deck workspace
  • Viewing CSPM security control rules and related violations
  • Managing exceptions to the CSPM module's security control rules

© 2025 Direct Cursus Technology L.L.C.