Kubernetes security finding remediation workflow
one engagement record across clusters, posture, RBAC, admission, and workloads

CIS Kubernetes Benchmark and NSA/CISA Kubernetes Hardening Guidance against the control plane, the etcd configuration, the API server flags, the kubelet configuration, the cluster CNI, and the node OS hardening. Owner archetype is the platform team that owns the cluster lifecycle. Closure depends on a cluster configuration change, a managed control plane provider update, or a documented exception where the managed control plane does not expose the control.

ClusterRoleBindings that grant cluster-admin to broad subjects, RoleBindings that bridge namespaces, namespace-admin paths that bypass intended segregation, dormant service accounts with tokens, automountServiceAccountToken on workloads that do not need cluster API access. Owner archetype is the cluster admin plus the namespace owner. Closure depends on a binding deletion, a least-privilege rewrite, a service account rotation, or a documented exception with a compensating control.

Pod Security Admission profile (privileged, baseline, restricted) per namespace, Kyverno or OPA Gatekeeper policy coverage, image signing admission, registry allowlist enforcement, resource limit policy. Owner archetype is the policy team plus the namespace owner whose workload triggered the policy. Closure depends on a workload manifest change to meet the policy, a policy exemption with documented rationale, or a policy refinement to handle the legitimate case.

Missing default-deny in production namespaces, cross-namespace exposure without explicit allow, missing egress restrictions, missing service mesh AuthorizationPolicy, ingress controller exposure without rate limit or WAF. Owner archetype is the platform team plus the namespace owner. Closure depends on a NetworkPolicy or service mesh policy addition, a documented exception with compensating runtime detection, or an architecture change that retires the exposure.

Privileged containers, hostNetwork or hostPID workloads, hostPath mounts, capability drops missing, runAsRoot without justification, missing securityContext, missing resource limits, missing readOnlyRootFilesystem. Owner archetype is the namespace owner plus the AppSec team. Closure depends on a workload manifest change, a documented exception for a legitimate case (CNI components, monitoring agents), or a workload retirement.

Kubernetes Secrets stored without envelope encryption at rest, ConfigMaps holding credentials, Secrets mounted into containers that do not need them, sealed-secrets or external-secrets configuration drift, service account token mounting on workloads that should be without. Owner archetype is the namespace owner plus the platform team that operates the secrets backend. Closure depends on a workload reconfiguration, an external-secrets adoption, or an exception with hard expiry.

The platform team owns the cluster lifecycle (control plane, nodes, CNI, ingress controller, cluster-level operators). Cluster posture findings (CIS Kubernetes benchmark items, node hardening, control plane configuration) route to the platform team by default. The named owner field on the finding is the platform engineer or the platform team that owns the cluster the finding is scoped to.

Each namespace has a named owner team. Workload findings (privileged container, hostPath mount, missing securityContext, missing resource limits, RBAC bindings inside the namespace) route to the namespace owner. The team management role grants the namespace owner read+amend access to the findings inside their namespace and read-only access to the cluster-level findings.

A dedicated policy team (often inside the platform team) owns Kyverno, OPA Gatekeeper, or native PSA configuration. Admission policy gaps (missing policy coverage, audit-mode policies that should be in enforce, policy false positives) route to the policy team. Workload-level policy violations route to the namespace owner with the policy team as watcher so the policy refinement decision lands on the same record as the workload fix decision.

The AppSec team is named as watcher on every workload security finding so the cross-cluster pattern (the same misconfiguration appearing across many namespaces, the same image producing the same finding across services) is visible without making the AppSec team the per-namespace owner. AppSec drives the systemic fix (a hardened base manifest, a Helm chart template change, a Kustomize overlay) while the namespace owner closes the per-workload instance.

A privileged container in a sandbox namespace and a privileged container in a production payments namespace differ by blast radius and by regulatory exposure. The calibration step reads the namespace tier (production, staging, sandbox, dev) and the data sensitivity (PCI, PHI, PII, internal) and recalibrates severity accordingly. The recalibration lands as a state event with cited rationale so the audit lookback reads the calibrated severity with provenance.

A misconfigured workload behind an internet-facing ingress and the same misconfigured workload on a cluster-internal service differ by attack path length. The calibration reads the workload exposure (internet-facing through ingress, internal behind service mesh, cluster-internal only) and recalibrates severity. The exposure field comes from the ingress controller configuration, the service mesh authorization policy, and the namespace network policy posture.

A cluster-admin path on a workload and a namespace-scoped path on the same workload differ by blast radius. The calibration reads the RBAC binding path (cluster-admin, namespace-admin, single-resource), the capability drops missing on the container (NET_ADMIN, SYS_ADMIN, SYS_PTRACE), and the service-account token mounting and recalibrates severity. The calibration is the per-finding answer to the question of what the attacker actually reaches if this misconfiguration is exploited.

A configuration finding the runtime detection has not seen exploited and the same configuration finding with active runtime detection evidence differ by exploitability. The calibration reads the runtime detection feed (Falco, Sysdig runtime, Aqua runtime, Tetragon, Datadog runtime) and the threat intelligence feed (CVE references in the underlying images, KEV catalogue entries for components on the workload) and recalibrates severity. Active runtime evidence on a finding moves the priority anchor independent of the KSPM default.

A misconfiguration in one cluster and the same misconfiguration replicated across thirty clusters in the fleet differ by blast radius. The cross-engagement search and merge surface reads the same misconfiguration identity across cluster engagements so the per-instance triage carries the fleet context (whether this finding is isolated or a systemic pattern). Fleet-propagated findings carry a higher calibration anchor than isolated ones because the systemic fix path differs from the per-instance reconfiguration.

KSPM lives in Wiz, runtime lives in Sysdig, admission lives in Kyverno PolicyReports, RBAC lives in a tabletop output, network policy lives in an annual review slide. Five consoles, five queues, five exception models, and no engagement record holding the cluster posture across all of them. Leadership sees the headline that the last vendor demo showed and the audit lookback reconstructs the picture from screenshots.

A privileged container fires from KSPM at the next posture cycle, from admission-controller logs when the workload was first applied, and from runtime detection when the pod started. Three sources surface what is operationally one issue, and the team triages each one separately because there is no shared identity record. The same closure narrative is written three times and the audit cannot tell how many distinct issues actually existed in the cluster.

A privileged container in a sandbox namespace and a privileged container in a production payments namespace land at the same KSPM default severity. The team treats every finding the same and the leadership scorecard reads the same number it read last quarter. Calibration that should be a state event with cited rationale becomes drift, and the audit lookback reads the wrong severity profile because nobody recorded the calibration decision.

A policy is deployed in audit or warn mode to measure impact before enforcement. The team gets busy. The warn mode never becomes enforce mode because the cleanup of existing violating workloads has no engagement record holding the work. Months later the cluster still admits violating workloads, the audit lookback reads a policy that does nothing, and the next leadership review reads a policy coverage figure that overstates the protection.

A team accepts a hostNetwork workload "for the quarter" because the migration is blocked on a vendor change. The decision lives in a Slack thread, the admission policy carries a hard-coded exemption forever, and twelve months later nobody remembers why the exemption exists. The next audit reads an active policy bypass with no approver, no rationale, and no expiry. The structured override workflow exists for exactly this case; without it Kubernetes policy exemptions accumulate as silent drift.

The KSPM rule stops firing after the workload is reconfigured and the console auto-resolves the finding. The team trusts the auto-close and moves on. The audit then asks for the evidence that the cluster configuration actually addressed the underlying issue (and that the rule did not stop firing because the workload was simply deleted, the namespace was scoped out of the next scan, or the rule pack was downgraded). Verification is not the absence of a rule firing; it is a recorded retest with cited evidence on the engagement record.

Vulnerability management reports include scanner findings, pentest findings, container image CVEs, and SAST findings, but treat Kubernetes posture as a separate world the platform team manages alone. The CISO reads two parallel posture stories that never reconcile. When the next regulatory briefing asks for the Kubernetes misconfiguration risk profile, the team has to assemble it manually from five vendor exports. Kubernetes findings belong on the same engagement spine the rest of the programme runs against.

The headline view: open Kubernetes findings by finding source (KSPM, RBAC, admission, network, runtime), by cluster, by namespace, and by control reference. The view that distinguishes a working programme from one where the leadership read overstates coverage because one source dominates and the others go missing.

Time-to-resolve by severity and by ownership archetype, in-flight findings approaching SLA breach, and SLA breach trend by cluster. The view that distinguishes a working Kubernetes remediation programme from one where the platform team closes its slice on time and the namespace owners silently age their queue.

Admission policies in enforce, audit, and warn mode, with the namespaces where each mode applies and the workloads that triggered the policy. The view that surfaces audit-mode-forever policies before they become permanent silent bypass.

Active risk acceptances and policy bypasses with cited reason, named approver, scope, and expiry. The view that distinguishes time-bound exceptions from drift and surfaces approaching expirations before they go silent.

The proportion of findings that match the same identity across multiple clusters in the fleet. A high duplicate rate is a leading indicator that a systemic fix path (a hardened Helm chart, a base manifest change, a Kustomize overlay) is more efficient than per-cluster remediation.

Mapped control coverage across CIS Kubernetes Benchmark, NSA Hardening Guidance, ISO 27001, SOC 2, PCI DSS, CSA CCM, NIS2, and DORA. The view the GRC team uses to assemble assessor evidence without re-doing the mapping per audit cycle, plus the activity-log export that is the trail behind the coverage figures.

Kubernetes finding remediation depends on cloud security assessment for the broader cloud programme, CSPM finding remediation for the per-cloud-account posture layer that composes with the per-cluster posture, container image vulnerability remediation for the per-image CVE layer the cluster workloads run, secret scanning remediation for the secrets that surface in Kubernetes Secrets and ConfigMaps, asset criticality scoring for the namespace tier decision, and security finding ownership and routing for the named owner routing pattern.

Findings repeating across the cluster fleet pair with vulnerability finding merge and supersede for fleet-wide identity, with cross-engagement finding search for the fleet view, with vulnerability acceptance and exception management for the exception register, with security finding fix verification for the per-finding verification pattern, and with security leadership reporting for the recurring read into the leadership cycle.