Best practice

Make sure your cluster configuration follows industry standards best practices

Suggest Edits

The Best Practice report on the CAST AI platform is a powerful tool for assessing the security posture of your Kubernetes clusters against industry and DevOps best practices. The report provides a detailed evaluation of your resources, ensuring compliance with the security and operational standards set by CAST AI or the CIS for Kubernetes benchmarks.

CAST AI employs a transparent scoring system that prioritizes issues based on severity, enabling you to allocate resources effectively and streamline communication with the security team. The severity score and level of each issue are determined using the CVSS v3.1 (Common Vulnerability Scoring System) standard, providing a standardized approach to assessing the criticality of security vulnerabilities.

Access the report

To access the Best practice report, follow these steps:

  1. Log in to the CAST AI console.
  2. Select Security > Best practice from the sidebar.

πŸ“˜

Note

To receive a full assessment of your cluster, enabling the CAST AI Security feature is required. By default, the Best Practice report only provides a limited number of best practices without this feature. Please refer to the Getting started section for instructions on enabling CAST AI Security.

Inside the report

The Best Practice report comprehensively lists findings related to best practice violations in your Kubernetes environment. Each check in the report includes detailed information to help you understand and address the issue:

  • Check type: Indicates whether the check is Manual or Automated.

    • Manual checks require human intervention to determine if the system's configuration meets the expected state.
    • Automated checks can be evaluated automatically against the recommended state using configuration assessment tools, i.e., a pass/fail assessment result can be automatically achieved.

  • Description of the check: Offers a clear explanation of what the check is looking for and why it's important for your cluster's security and performance.

  • Severity level: Based on the Common Vulnerability Scoring System (CVSS), this indicates the potential impact of the issue. Levels range from Low to Critical, helping you prioritize your remediation efforts.

  • Number of affected resources: Provides a count of how many resources in your cluster are impacted by this particular best practice violation, giving you an idea of the issue's scope.

  • Relevant standards and configurations: This section lists the industry standards (such as CIS Benchmarks) and specific configurations related to this check, helping you understand its broader context and importance.

  • Remediation procedure: Offers step-by-step instructions on addressing the issue and bringing your cluster into compliance with best practices.

Report summary

The report is also summarized as a widget in the Security dashboard.

The widget provides a quick overview of your cluster's compliance status:

  • Overall compliance score: Shows the percentage of compliance with a specific benchmark.

  • Checks passed: Displays the number of passed checks out of the total.

  • Non-compliant resources breakdown:

    • Nodes: Shows the number of non-compliant nodes
    • Workloads: Indicates the number of non-compliant workloads
    • Other: Lists other non-compliant resources

  • Link to report: View the full, detailed compliance report.

This summary widget helps you quickly assess your cluster's security posture and identify areas that require immediate attention without needing to dive into the full report initially.

Filter resources

To focus on specific resources, use the filters located above the list.

The filters allow you to narrow down the view based on various criteria, such as:

  • Resource location (cluster or namespace)
  • Resource labels
  • Severity level
  • Compliance standard

By applying the appropriate filters, you can quickly identify the resources of interest and assess their compliance with best practices.

Access detailed compliance check information

Click on the check name to obtain more information about a specific failed check.

This action will open a detailed view containing:

  • Comprehensive description of the problem
  • Severity level of the issue
  • Remediation steps to address the violation
  • Number of affected resources
  • Resources associated with the check
  • Other relevant details

Manage exceptions

Sometimes, you may have resources that do not comply with best practices but are considered acceptable risks. The Best Practice report provides an exception feature that allows you to exclude such resources from the reporting.

Add an exception

To exclude specific resources from a best practice check, follow these steps:

  1. Click on the check you want to manage.
  2. Click the Exceptions button in the drawer's top right corner.
  3. In the new drawer that appears, define the exception rules by specifying the location, name, and kind of resource you want to exclude. You can create multiple exception rules as needed.
  1. Review the impacted resources in the table.
  2. If you are satisfied with the result, click the Apply button to save the exceptions.

To view the excluded resources for each check, select the Excepted value in the Resources filter in the Resources tab:

Remove or modify an exception

If you need to remove previously applied exceptions, follow these steps:

  1. Click on the check you want to manage.
  2. Click the Exceptions button in the drawer's top right corner.
  3. In the exception rules drawer, modify or remove the rules as needed.
  4. Review the dynamically updated list of excepted resources in the table.
  5. If you are satisfied with the changes, click the Apply button to save the modifications.

Updated about 21 hours ago