[multani]

For those who are implementing these security guidelines: how do you ensure they have been correctly implemented?

Do you have any kind of static check program that can check beforehand that you are going to deploy a hardened kubernetes cluster? Do you have a "live" checker that can verify the actual configuration of a running cluster? Does it run all the time oronce in a while? Also , if you have an automated way of verifying your configuration, which program do you use?

I only know about Chef's Inspec and the CIS profiles that are available online, but the experience wasn't extraordinary and I was wondering what is used in the wild?

[raesene9]

So there are various commercial systems that fall under CSPM (or KSPM sometimes) that are designed to assess compliance with different standards.

My purely personal opinion on this is that it's difficult to do well as even with compliance standards automating assessment isn't always possible

For example the CIS benchmark for k8s can't say "Never use cluster-admin" as there are some legitimate use cases, so instead it says "minimize the use of cluster-admin" which can't be fully automated as a check.

To do it well, a company should come up with their own spin on applicable standards, automate where possible (either with 3rd party or internal tooling) and then manually review the things that can't be automated on a periodic bassis (either with internal resource, or consultants)

[Kalium]

A lot of these things can't be meaningfully statically checked. It has to be done by a working policy apparatus. If your org can't adopt, implement, and adhere to policy then there's no amount of standards documents in the world that will help you much.

There's no way in the world to statically and automatically check if your org regularly reviews configurations, responds correctly to monitoring alerts, ensures your developers adhere to least privilege principles, and so on. It has to be policy.

[linuxftw]

The people that define the standards don't implement them. The people that implement them don't validate them. Government systems don't typically have any kind of system that periodically checks system configuration, though the systems might get reviewed every few years.

[sngz]

I'm implementing it right now actually and it's a combination of automated tools and someone third party actually going through and verifying all the controls.

[outworlder]

Maybe you can add them to OPA? (https://www.openpolicyagent.org/)