Activating KSPM
Note
Kubernetes® Security Posture Management (KSPM) is at the Preview stage and provided upon request. Also, it requires access to Security Deck workspaces.
To get access, contact support.
If you want to use an AI assistant to work with alerts, request access to it as well.
The KSPM module allows you to flexibly select and customize security rules to meet your organization's specific requirements, as well as create rule exceptions.
To get started with KSPM:

- Create a service account KSPM will use to view Managed Service for Kubernetes cluster info, install the necessary components, and perform checks.
- Assign the security-deck.worker role for the organization, cloud, or folder to the service account.

  Note

  KSPM will only have access to the Managed Service for Kubernetes clusters residing in the corresponding organization, cloud, or folder.
  If you have assigned the role for a particular folder, the service account will also need the auditor role for the cloud.

- Create a Security Deck workspace configured as follows:
  - In the connector settings under Resources:
    - Select the service account you created earlier.
    - Specify the clouds and folders in which you want to control the security of Managed Service for Kubernetes clusters.

      Tip

      Later on you will be able to further narrow the scope of control in the KSPM settings.

  - Under Security compliance, select the industry standards and regulations the resources you chose at the previous step will be benchmarked against:
    - Kubernetes Pod Security Standards (Restricted): This standard contains security controls based on the Kubernetes Pod Security Standards (PSS) Restricted profile. The restricted profile is the most secure and provides the highest detection efficiency for container-based attacks. It applies strict security policies that may require modifying applications to ensure compliance. The restricted profile is recommended for security-critical applications and environments where maximum security is required.
    - Kubernetes Pod Security Standards (Baseline): This standard contains security controls based on the Kubernetes Pod Security Standards (PSS) Baseline profile. The baseline profile is designed for easy implementation and provides common best practices for container security. It prevents the most common security issues in containers while maintaining compatibility with most applications. The baseline profile is a good starting point for organizations just getting started with container security.
    - Microsoft Threat Matrix for Kubernetes: This standard contains security controls based on the Microsoft Threat Matrix for Kubernetes, a framework that helps security teams understand and fend off threats specific to Kubernetes environments. It provides a comprehensive approach to attack methods and defensive strategies tailored for container orchestration platforms.

    You can select several standards at the same time. The Control modules section will display the Security Deck modules that will be activated in the new workspace to check your resources for compliance with the selected standards and regulations.

- Complete the KSPM setup:
  - Click Workspace parameters on the new workspace page.
  - Navigate to the KSPM tab.
  - Under Scope of control, select the clouds, folders, or clusters within the workspace resources where compliance with the Kubernetes security rules will be enforced.

    Warning

    A cluster can only belong to one Security Deck workspace. Otherwise, there will be conflicts.

  - Click Save and confirm the action.

    Once you do that, the necessary components will be automatically installed in the yc-security namespace in the Managed Service for Kubernetes clusters that are within the scope of control. Depending on cluster size, component installation may take from 1 to 10 minutes.

Tip

To remove clusters from the control scope and to stop monitoring them for security, delete the Security Deck workspace or disable the Kubernetes security standards.
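As an added example (not code from the Yandex Cloud documentation), the POSIX shell script below carries out the service account and role steps with the yc CLI, including the extra auditor role on the cloud when the scope is a folder, and then checks the yc-security namespace once the KSPM scope has been saved. The service account name, the scope and cloud IDs, and the run/verify entry points are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Yandex Cloud docs: prepare the service account
# KSPM uses with the yc CLI, then check the agent components once the KSPM
# scope has been saved in the Security Deck console.
# Assumes yc and kubectl are installed and authenticated; the SA name and every
# <...> ID are placeholders to replace with your own values.
set -eu
SA_NAME="${SA_NAME:-kspm-worker}"     # hypothetical service account name
SCOPE_TYPE="${SCOPE_TYPE:-folder}"     # organization | cloud | folder
SCOPE_ID="${SCOPE_ID:-<folder-id>}"    # ID of the scope resource
CLOUD_ID="${CLOUD_ID:-<cloud-id>}"     # parent cloud, used only for folder scope

# Map the scope type to the yc service/resource subcommand that owns its bindings.
scope_cmd() {
  case "$1" in
    organization) echo "organization-manager organization" ;;
    cloud)        echo "resource-manager cloud" ;;
    folder)       echo "resource-manager folder" ;;
    *)            echo "unknown scope type: $1" >&2; return 1 ;;
  esac
}

# Print the bindings KSPM needs, one per line: "<service> <resource> <id> <role>".
# security-deck.worker goes on the scope; a folder scope also needs auditor on the cloud.
required_bindings() {
  printf '%s %s %s\n' "$(scope_cmd "$1")" "$2" security-deck.worker
  [ "$1" = folder ] && printf 'resource-manager cloud %s auditor\n' "$3"
  return 0
}

# Grant every required binding to the service account (by ID).
apply_bindings() {
  required_bindings "$SCOPE_TYPE" "$SCOPE_ID" "$CLOUD_ID" |
  while read -r svc res id role; do
    yc "$svc" "$res" add-access-binding --id "$id" --role "$role" \
       --subject "serviceAccount:$1"
  done
}

# After clicking Save, the components land in the yc-security namespace of each
# in-scope cluster; a Running pod list here confirms the install finished.
verify_agents() { kubectl get pods -n yc-security; }

main() {
  yc iam service-account create --name "$SA_NAME"
  sa_id="$(yc iam service-account get --name "$SA_NAME" --format json |
           sed -n 's/.*"id": *"\([^"]*\)".*/\1/p' | head -n 1)"
  apply_bindings "$sa_id"
  echo "Bindings done. Create the workspace, save the KSPM scope, then run: $0 verify"
}
case "${1:-}" in run) main ;; verify) verify_agents ;; esac
```

Run it as `sh kspm-setup.sh run` before creating the workspace and `sh kspm-setup.sh verify` after saving the scope; the pod list should show the components in every cluster within the scope of control.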