Kubernetes Security Posture Management (KSPM) for Cloud Security Management (CSM) helps you proactively strengthen the security posture of your Kubernetes deployments by benchmarking your environment against established industry best practices, such as those defined by CIS, or your own custom detection policies.
To take full advantage of KSPM, you must install both the Datadog Agent and cloud integrations. For detailed instructions, see the following articles:
This allows Datadog to detect risks in your Kubernetes deployments for each of the following resource types:
| Resource Type | Install Method | Framework |
|---|---|---|
| aws_eks_cluster | cloud integration | cis-eks |
| aws_eks_worker_node | Agent | cis-eks |
| azure_aks_cluster | cloud integration | cis-aks |
| azure_aks_worker_node | Agent | cis-aks |
| kubernetes_master_node | Agent | cis-kubernetes |
| kubernetes_worker_node | Agent | cis-kubernetes |
With KSPM, Datadog scans your environment for risks defined by more than 50 out-of-the-box Kubernetes detection rules. When at least one case defined in a rule is matched over a given period of time, a notification alert is sent and a finding is generated in the Misconfigurations Explorer.
Each finding contains the context you need to identify the issue’s impact, such as the full resource configuration, resource-level tags, and a map of the resource’s relationships with other components of your infrastructure. After you understand the problem and its impact, you can start remediating the issue by creating a Jira ticket from within CSM or by executing a pre-defined workflow.
Note: You can also use the API to programmatically interact with findings.
CSM provides a security posture score that helps you understand your security and compliance status using a single metric. The score represents the percentage of your environment that satisfies all of your active out-of-the-box cloud and infrastructure detection rules. You can obtain the score for your entire organization, or for specific teams, accounts, and environments, including Kubernetes deployments.
For an in-depth explanation on how the security posture score works, see Security posture score.
To view the security posture score for your Kubernetes deployments, navigate to the Security > Compliance page and locate the CIS Kubernetes frameworks reports.
To view a detailed report that gives you insight into how you score against the framework’s requirements and rules, click Framework Overview. On the framework page, you can download a copy of the report as a PDF or export it as a CSV.
In addition to the out-of-the-box detection rules, you can also create your own Kubernetes detection rules by cloning an existing rule or creating a new one from scratch. Rules are written in the Rego policy language, a flexible Python-like language that serves as the industry standard for detection rules. For more information, see Writing Custom Rules with Rego.
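The following is an added example of a custom Kubernetes detection policy written in plain OPA Rego; it is not Datadog's own code and is not taken from the Writing Custom Rules with Rego article. It assumes the input is a raw Kubernetes Pod manifest (constructed for the example), and it uses a hypothetical `kspm_example` package name. The `datadog` package entry points and the resource schema that CSM passes to a rule (for example the `kubernetes_worker_node` resource type in the table above) are documented in that article and are not reproduced here.

```rego
# Added example (not Datadog's code): a custom policy that flags pods running
# privileged containers or containers that may run as root, and maps the
# result onto the severity scale used by CSM detection rules.
# Assumptions: input is a raw Kubernetes Pod manifest; package name is made up.
# Run locally with: opa eval -d rule.rego -i pod.json "data.kspm_example"
package kspm_example

import rego.v1

# All containers in the pod, regular and init.
containers contains c if some c in input.spec.containers

containers contains c if some c in input.spec.initContainers

# A container is privileged when it explicitly asks for it.
privileged contains c.name if {
	some c in containers
	c.securityContext.privileged == true
}

# A container may run as root when neither the container nor the pod
# enforces runAsNonRoot, or when either sets runAsUser to 0.
may_run_as_root contains c.name if {
	some c in containers
	not c.securityContext.runAsNonRoot == true
	not input.spec.securityContext.runAsNonRoot == true
}

may_run_as_root contains c.name if {
	some c in containers
	c.securityContext.runAsUser == 0
}

may_run_as_root contains c.name if {
	some c in containers
	input.spec.securityContext.runAsUser == 0
}

# Severity: a privileged container is the worse case, then root, else Info.
severity := "critical" if count(privileged) > 0

severity := "high" if {
	count(privileged) == 0
	count(may_run_as_root) > 0
}

severity := "info" if {
	count(privileged) == 0
	count(may_run_as_root) == 0
}

# Evaluation result: "fail" when any check fires, "pass" otherwise.
result := "fail" if severity != "info"

result := "pass" if severity == "info"

# One human-readable finding per offending container.
findings contains msg if {
	some name in privileged
	msg := sprintf("container %q runs privileged", [name])
}

findings contains msg if {
	some name in may_run_as_root
	msg := sprintf("container %q may run as root (runAsNonRoot not enforced)", [name])
}
```

A constructed `pod.json` with one container that sets `securityContext.privileged: true` and no `runAsNonRoot` evaluates to `result: "fail"`, `severity: "critical"`, and two findings for that container; a pod whose `spec.securityContext.runAsNonRoot` is `true` and whose containers set no `privileged` flag evaluates to `pass`. Keeping the checks as separate sets makes each finding explain which control failed, which is the same information a CSM finding needs to carry for triage.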
After you create the detection rule, you can customize its severity (Critical, High, Medium, Low, or Info) and set alerts so that you are notified in real time when a new finding is detected.