☸️ CIS Kubernetes 5.2.10 | Rule: K8S-PS-010 | Severity: high

Drop ALL capabilities

Description

Containers should drop ALL Linux capabilities and re-add only what's needed.

⚠️ Risk Impact

The default Linux capability set a container runtime grants (~14 capabilities in Kubernetes) includes CAP_NET_RAW, CAP_SETUID and CAP_KILL. Each one is attack surface a compromised process can use. Dropping ALL and re-adding only what the workload needs is the secure pattern.

🔍 How EchelonGraph Detects This

K8S-PS-010 (automated scanner rule)

EchelonGraph's Tier 1 Cloud Scanner automatically checks for this condition across all connected cloud accounts. Violations are flagged as high-severity findings with remediation guidance.

🔧 Remediation

Set capabilities.drop: ["ALL"] in each container's securityContext. Re-add only specific capabilities if the workload genuinely requires them (typically only NET_BIND_SERVICE, for binding ports below 1024).
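The following is an added example, not EchelonGraph's scanner code or anything from the CIS benchmark itself. It shows the weak setting beside the corrected one and implements the detection logic described above: each container and initContainer must drop ALL, and anything re-added must sit in an allowlist (here NET_BIND_SERVICE, which is also the only capability the Pod Security Standards Restricted profile lets a container add back). The Pod manifests, container names and image tag are constructed for the example.

```python
"""Check Kubernetes Pod specs for the CIS 5.2.10 drop-ALL capability pattern."""
from typing import Dict, List

# Capabilities that may be re-added after dropping ALL. NET_BIND_SERVICE is the
# one the rule names as typically needed; extend this set deliberately, per workload.
ALLOWED_ADD = {"NET_BIND_SERVICE"}


def _normalize(cap: str) -> str:
    """Accept both 'CAP_NET_RAW' and 'NET_RAW' spellings, compared case-insensitively."""
    cap = cap.upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def check_pod(pod: Dict) -> List[str]:
    """Return one finding per violation in the Pod's containers and initContainers.

    A container violates the rule when securityContext.capabilities.drop does not
    contain ALL (dropping a few named capabilities leaves the rest of the runtime
    default set in place), or when it re-adds a capability outside ALLOWED_ADD.
    An empty list means the Pod satisfies the rule.
    """
    findings: List[str] = []
    spec = pod.get("spec", {})
    containers = spec.get("containers", []) + spec.get("initContainers", [])
    for c in containers:
        name = c.get("name", "<unnamed>")
        caps = (c.get("securityContext") or {}).get("capabilities") or {}
        dropped = {_normalize(x) for x in caps.get("drop", [])}
        added = {_normalize(x) for x in caps.get("add", [])}
        if "ALL" not in dropped:
            shown = sorted(dropped) or "none"
            findings.append(f"{name}: capabilities.drop does not include ALL (drop={shown})")
        for cap in sorted(added - ALLOWED_ADD):
            findings.append(f"{name}: re-adds capability {cap} outside the allowlist")
    return findings


# Constructed sample, the weak form: only NET_RAW is dropped, so SETUID, KILL and
# the rest of the default set remain available inside the container.
WEAK_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "web-weak"},
    "spec": {"containers": [{
        "name": "web",
        "image": "nginx:1.27",  # hypothetical image tag
        "securityContext": {
            "runAsNonRoot": True,
            "capabilities": {"drop": ["NET_RAW"]},
        },
    }]},
}

# Constructed sample, the hardened form: drop ALL, re-add only NET_BIND_SERVICE.
HARDENED_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "web-hardened"},
    "spec": {"containers": [{
        "name": "web",
        "image": "nginx:1.27",  # hypothetical image tag
        "securityContext": {
            "runAsNonRoot": True,
            "allowPrivilegeEscalation": False,
            "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]},
        },
    }]},
}


if __name__ == "__main__":
    for label, pod in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        print(label, check_pod(pod) or "OK")
```

Run it as-is to see the weak manifest flagged and the hardened one pass; point `check_pod` at Pods loaded from the API (for example the output of `kubectl get pods -o json`) to audit a namespace. A container with no securityContext at all is reported the same way as one that drops only a few capabilities, since both keep the runtime default set.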

💀 Real-World Attack Scenario

A compromised container retained the default capabilities, including CAP_SETUID. The attacker used setuid to escalate to root inside the container, despite a non-root runAsUser setting.

💰 Cost of Non-Compliance

Capability-related escalation: contributes to container-escape risk.

📋 Audit Questions

  1. Drop-ALL pattern applied?
  2. Capabilities allowlist?
  3. PSS Restricted enforced?

🎯 MITRE ATT&CK Mapping

T1068 — Exploitation for Privilege Escalation

⚡ Common Pitfalls

  • Dropping only specific capabilities: the rest of the default set remains
  • No PSS enforcement

📈 Business Value

Drop-ALL is the strongest capability reduction pattern.

⏱️ Effort Estimate

Manual: per-container

With EchelonGraph: EchelonGraph enforces via PSS Restricted

🔗 Cross-Framework References

NIST-AC-6

Automate CIS Kubernetes 5.2.10 compliance

EchelonGraph continuously monitors this control across all your cloud accounts.
