Kubernetes compliance frameworks
Kubernetes compliance sits at the intersection of infrastructure posture and control frameworks. The technical benchmarks (CIS Kubernetes, NSA/CISA Kubernetes Hardening Guidance, Pod Security Standards) are prescriptive: they specify which config flag to set. The business frameworks (SOC 2, PCI DSS, HIPAA, ISO 27001, NIST SP 800-190) are outcome-oriented: they describe controls rather than settings. A KSPM tool bridges both by running the technical benchmarks automatically and mapping each finding to the controls that matter for the audit.
The technical benchmarks
- CIS Kubernetes Benchmark. Around 120 controls covering the control plane, worker nodes, and workload defaults. The de-facto standard. Cloud variants: CIS EKS, CIS GKE, CIS AKS. See the deep dive.
- NSA/CISA Kubernetes Hardening Guidance. Published August 2021, updated 2022. Less prescriptive than CIS, more focused on threat models and practical hardening (network segmentation, authentication, logging).
- Pod Security Standards. The successor to PodSecurityPolicy. Three tiers: Privileged, Baseline, Restricted. Enforced by the built-in PodSecurity admission controller. See the deep dive.
- NIST SP 800-190. Container security guide. Broader than Kubernetes. Covers images, registries, orchestrators, and runtime.
The business frameworks
- SOC 2. AICPA framework for service organizations. Kubernetes contributes controls under Security, Availability, and Confidentiality. Auditors look for evidence of RBAC, logging, encryption, backup, and incident response.
- PCI DSS. Payment card industry. If cardholder data touches a pod, the whole cluster is in scope. Scoping is the big fight. Network segmentation and isolation are the usual answer.
- HIPAA. Healthcare. Technical safeguards map to encryption, audit trails, access control, and integrity.
- ISO 27001. International information security management. Annex A controls map to most of CIS and NSA/CISA.
How compliance automation works
A KSPM tool reads each rule in a framework, maps it to one or more technical checks against cluster state, runs those checks continuously, and produces a live compliance score plus evidence artifacts (PDF or JSON reports) that auditors accept. The point of automation is evidence, not just checks. An auditor wants to see "these 47 pods were compliant with CIS 5.2.5 for the full quarter" rather than "we passed this morning."
Juliet compliance coverage
Juliet's Starter tier includes Pod Security Standards Baseline and Restricted. Team adds CIS Kubernetes Benchmark and NSA/CISA Hardening Guidance. Pro adds SOC 2, plus control mapping to PCI DSS, HIPAA, and ISO 27001 for audit evidence. Enterprise adds custom Rego policies for frameworks not included out of the box. Every check produces both a live finding and a point-in-time audit report. Dedicated first-class PCI DSS, HIPAA, and ISO 27001 scan profiles are on the roadmap.
Frequently asked about Kubernetes compliance frameworks
Does passing CIS mean I am SOC 2 compliant?
No, but CIS covers a meaningful chunk of the Kubernetes-specific evidence SOC 2 needs. SOC 2 covers org-wide process: incident response, vendor management, employee onboarding. CIS covers cluster configuration. Both are required for a passing SOC 2 audit with Kubernetes in scope.
PSS Restricted or CIS, which first?
Pod Security Standards Baseline is the floor. Get Baseline green first. Then tackle CIS control-plane rules. PSS Restricted is a meaningful step up and often requires application changes (no root user, read-only root filesystem).
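To make the automation flow described under "How compliance automation works" concrete, and to show what the Baseline-first, Restricted-later ordering above looks like as checks, here is an added Python example (not Juliet's code). It maps three Pod Security Standards rules to checks on pod specs, runs them at a chosen tier, and emits a timestamped JSON evidence record; the control IDs, the two sample pods, and the scoring are constructed for illustration.

```python
"""Toy KSPM-style checker: PSS rules -> checks on pod specs -> evidence record."""
import json
from datetime import datetime, timezone

# Each rule: (tier, constructed control id, description, check on the effective
# securityContext). Only three PSS rules are modelled; the real tiers have more.
RULES = [
    ("baseline", "PSS-B-privileged", "privileged containers are disallowed",
     lambda sc: not sc.get("privileged", False)),
    ("restricted", "PSS-R-runAsNonRoot", "container must run as non-root",
     lambda sc: sc.get("runAsNonRoot") is True),
    ("restricted", "PSS-R-readOnlyRootFS", "root filesystem must be read-only",
     lambda sc: sc.get("readOnlyRootFilesystem") is True),
]
TIERS = {"baseline": {"baseline"}, "restricted": {"baseline", "restricted"}}


def evaluate_pod(pod, tier):
    """Run every rule belonging to `tier` (Restricted includes Baseline) against
    each container; container-level securityContext overrides pod-level fields."""
    pod_sc = pod["spec"].get("securityContext", {})
    findings = []
    for c in pod["spec"]["containers"]:
        effective_sc = {**pod_sc, **c.get("securityContext", {})}
        for rule_tier, control, desc, check in RULES:
            if rule_tier in TIERS[tier]:
                findings.append({"pod": pod["metadata"]["name"], "container": c["name"],
                                 "control": control, "description": desc,
                                 "passed": bool(check(effective_sc))})
    return findings


def evidence_report(pods, tier):
    """Point-in-time evidence artifact: per-control findings, score, UTC timestamp."""
    findings = [f for p in pods for f in evaluate_pod(p, tier)]
    passed = sum(f["passed"] for f in findings)
    return {"framework": f"Pod Security Standards {tier}",
            "generated_at": datetime.now(timezone.utc).isoformat(),
            "score": round(100 * passed / len(findings)) if findings else 100,
            "findings": findings}


# Constructed sample pods: one already Restricted-clean, one legacy workload.
PODS = [
    {"metadata": {"name": "web"}, "spec": {"containers": [
        {"name": "nginx", "securityContext": {"runAsNonRoot": True, "readOnlyRootFilesystem": True}}]}},
    {"metadata": {"name": "legacy"}, "spec": {"securityContext": {"runAsNonRoot": True},
        "containers": [{"name": "app", "securityContext": {"privileged": True}}]}},
]

if __name__ == "__main__":
    print(json.dumps(evidence_report(PODS, "restricted"), indent=2))
```

Running the Baseline report first and the Restricted report second reproduces the ordering the answer recommends: the legacy pod fails Baseline on the privileged flag alone, and Restricted adds the read-only root filesystem gap that typically needs an application change.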
Can I achieve compliance without an agent in the cluster?
For control-plane checks on managed clusters, cloud APIs give limited visibility. For worker-node and workload checks, an agent is required. Most teams accept the agent because it is also the foundation for runtime and admission.
Do auditors accept KSPM tool output as evidence?
Increasingly yes, especially for Big 4 audits of Kubernetes-heavy environments. The requirement is that the tool produces signed, timestamped artifacts that can be exported and retained.
What about FedRAMP?
FedRAMP's control set is NIST SP 800-53. Kubernetes contributions map to AC (access control), AU (audit), CM (configuration management), SC (system and communications), and SI (system and information integrity). Juliet's roadmap includes FedRAMP-mapped reporting for public-sector customers.
See this in your clusters
Juliet maps your Kubernetes security posture as a graph and ranks findings by reachable attack paths, not just CVSS. Free tier, five-minute setup, no credit card.