What is KSPM?
Kubernetes Security Posture Management (KSPM) is the continuous practice of scanning Kubernetes clusters for misconfigurations, excessive permissions, unsafe workload settings, and policy drift. A KSPM platform ingests every relevant cluster resource (pods, roles, network policies, admission rules) and grades it against benchmarks such as the CIS Kubernetes Benchmark, NSA/CISA Kubernetes Hardening Guidance, and Pod Security Standards. The goal is to know which clusters are safe to run in production and what needs to change to get them there.
How KSPM works
A KSPM tool runs an agent or read-only collector inside (or adjacent to) your Kubernetes cluster. It reads every relevant resource: Pods, Deployments, Services, RoleBindings, NetworkPolicies, Pod Security admission configuration, and the rest. It then evaluates each object against a library of security rules.
Some KSPM platforms go further than flat rule matching. They build a graph of how cluster resources connect: which ServiceAccount a Pod uses, which RoleBinding grants that ServiceAccount cluster-admin, which container image the Pod runs, which Node the Pod can schedule on. Graph-based KSPM is how a tool can answer questions like "does any internet-exposed pod have permission to read cluster-wide secrets?" A flat scanner cannot.
What KSPM covers
- Misconfigurations: containers running as root, privileged pods, hostPath mounts, missing resource limits, allowPrivilegeEscalation, automountServiceAccountToken on pods that do not need the token.
- Identity and RBAC: over-permissive ClusterRoles, wildcard verbs and resources, service accounts with cluster-admin, group-bound high-privilege roles.
- Network policy: namespaces with no default-deny, pods reachable from the internet, cross-namespace traffic that should not exist.
- Workload security: Pod Security Standards baseline and restricted enforcement, seccomp and AppArmor profiles, read-only root filesystem.
- Compliance frameworks: CIS Kubernetes Benchmark, NSA/CISA Kubernetes Hardening Guidance, Pod Security Standards, SOC 2 — with control mapping to PCI DSS, HIPAA, and ISO 27001 for audit evidence.
- Drift: changes to policy, RBAC, or image registries since the last scan.
KSPM, CSPM, and CNAPP
CSPM (Cloud Security Posture Management) inspects cloud provider resources: IAM, S3 buckets, VPCs, security groups. It rarely understands Kubernetes internals.
KSPM inspects the Kubernetes layer specifically: RBAC, workloads, policies, admission. Some KSPM tools also understand the relationships between resources.
CNAPP (Cloud-Native Application Protection Platform) is the umbrella category that includes KSPM, CSPM, vulnerability scanning, and runtime security. For a team whose critical workloads run on Kubernetes, the KSPM piece is the one that matters most. See KSPM vs CNAPP for a feature-by-feature breakdown.
Why a flat vulnerability scanner is not enough
A flat vulnerability scanner tells you a container has CVE-2024-1234. It does not tell you that the pod running that image is internet-exposed, uses a ServiceAccount bound to cluster-admin, and mounts a hostPath with a writable docker.sock. Every one of those is a separate finding in a traditional tool.
Graph-based KSPM connects them. The output looks like "this pod has a reachable path from the internet to cluster-admin, and here are the eight nodes in the chain." That kind of signal lets a security team focus on the findings that map to a real path instead of triaging thousands of disconnected CVEs. Attack path analysis covers how this works in more detail.
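The graph evaluation described in "How KSPM works" and in this section, as an added illustration (not Juliet's code, and not a real scanner): a constructed cluster snapshot is turned into a Pod -> ServiceAccount -> ClusterRole graph, one flat rule pass emits per-object findings, and one graph rule answers "is any LoadBalancer-exposed pod bound to a role that can read cluster-wide secrets?" The object shapes are simplified dicts, not full Kubernetes API objects.

```python
from collections import defaultdict

# Constructed snapshot (hypothetical namespace "shop"): the "web" pod is exposed
# through a LoadBalancer Service and its ServiceAccount is bound to cluster-admin;
# the "batch" pod is privileged with a hostPath mount but is not exposed.
PODS = [
    {"name": "web", "ns": "shop", "sa": "web-sa", "labels": {"app": "web"},
     "privileged": False, "hostPath": False},
    {"name": "batch", "ns": "shop", "sa": "batch-sa", "labels": {"app": "batch"},
     "privileged": True, "hostPath": True},
]
SERVICES = [{"name": "web-lb", "ns": "shop", "type": "LoadBalancer",
             "selector": {"app": "web"}}]
CLUSTER_ROLES = {"cluster-admin": [{"verbs": ["*"], "resources": ["*"]}],
                 "secret-reader": [{"verbs": ["get", "list"], "resources": ["secrets"]}]}
CLUSTER_ROLE_BINDINGS = [{"role": "cluster-admin", "subjects": [("shop", "web-sa")]},
                         {"role": "secret-reader", "subjects": [("shop", "batch-sa")]}]

def build_graph():
    """Edges: Service -> Pod it selects, Pod -> ServiceAccount, ServiceAccount -> ClusterRole."""
    g = defaultdict(set)
    for p in PODS:
        pod = f"pod/{p['ns']}/{p['name']}"
        g[pod].add(f"sa/{p['ns']}/{p['sa']}")
        for s in SERVICES:  # a Service selects a Pod when its selector is a subset of the labels
            if s["ns"] == p["ns"] and s["selector"].items() <= p["labels"].items():
                g[f"svc/{s['ns']}/{s['name']}"].add(pod)
    for b in CLUSTER_ROLE_BINDINGS:
        for ns, sa in b["subjects"]:
            g[f"sa/{ns}/{sa}"].add(f"clusterrole/{b['role']}")
    return g

def grants_secret_read(role):
    """True if any rule of the ClusterRole allows get/list (or *) on secrets (or *)."""
    for rule in CLUSTER_ROLES.get(role, []):
        if set(rule["verbs"]) & {"*", "get", "list"} and set(rule["resources"]) & {"*", "secrets"}:
            return True
    return False

def internet_to_secrets_paths(g):
    """Graph rule: LoadBalancer Service -> Pod -> SA -> ClusterRole that can read secrets."""
    paths = []
    for s in (s for s in SERVICES if s["type"] == "LoadBalancer"):
        svc = f"svc/{s['ns']}/{s['name']}"
        for pod in g[svc]:
            for sa in g[pod]:
                for role in g[sa]:
                    if grants_secret_read(role.split("/", 1)[1]):
                        paths.append([svc, pod, sa, role])
    return paths

def flat_findings():
    """Per-object rule matching, the context-free output a flat scanner produces."""
    return [(f"pod/{p['ns']}/{p['name']}", rule) for p in PODS
            for rule in ("privileged", "hostPath") if p[rule]]
```

The flat pass flags only the unexposed batch pod; the graph rule returns the four-node chain from the LoadBalancer to cluster-admin that no single-object check reports.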
How Juliet does KSPM
Juliet is a graph-based KSPM platform. An agent runs inside each of your clusters and streams resource snapshots to a dedicated per-tenant Neo4j graph. Juliet evaluates that graph against built-in benchmarks (CIS, NSA/CISA, Pod Security Standards) and against reachability rules, so each finding is ranked by blast radius as well as severity.
The Starter tier is free forever and includes KSPM for one cluster. Setup is a single Helm install and first results appear within fifteen minutes.
Frequently asked questions about KSPM
Is KSPM the same as vulnerability scanning?
No. Vulnerability scanning finds CVEs in container images and OS packages. KSPM finds misconfigurations in the cluster itself: broad RBAC, missing network policies, pods running as root, absent admission controls. A complete Kubernetes security program usually has both, plus runtime detection.
How often should KSPM scans run?
Continuously. Kubernetes state changes frequently: new pods, new RoleBindings, new images. A KSPM tool that scans on a daily cron will miss real risk windows. Current tools use informers or event streams to re-evaluate posture within seconds of a change.
Does KSPM require agents in every cluster?
Most do. An agent (or lightweight collector) inside the cluster reads resources through the Kubernetes API and ships them to the KSPM platform. Agentless KSPM exists for managed clusters (EKS, GKE, AKS) where the cloud provider exposes the control plane, at the cost of less workload-level detail.
What compliance frameworks does KSPM typically cover?
The core benchmarks are the CIS Kubernetes Benchmark (and cloud-specific variants such as CIS EKS, GKE, AKS), NSA/CISA Kubernetes Hardening Guidance, and Pod Security Standards (Baseline and Restricted). Higher-tier KSPM tools also map findings to SOC 2, PCI DSS, HIPAA, ISO 27001, and NIST SP 800-190.
Can KSPM prevent bad configurations from being deployed?
Only when paired with admission control. KSPM on its own is read-only: it alerts. Admission controllers (ValidatingWebhookConfigurations, policy engines like OPA Gatekeeper or Kyverno) enforce at deploy time. A full KSPM product usually includes or integrates with an admission layer.
See this in your clusters
Juliet maps your Kubernetes security posture as a graph and ranks findings by reachable attack paths, not just CVSS. Free tier, five-minute setup, no credit card.