☸️ CIS Kubernetes 5.2.2 | Rule: K8S-PS-002 | Severity: high

Restrict hostProcess

Description

Pods should not set hostProcess: true; HostProcess containers are a Windows-specific privilege escalation vector.

⚠️ Risk Impact

hostProcess pods run with Windows host privileges, bypassing pod isolation entirely.

🔍 How EchelonGraph Detects This

K8S-PS-002 (automated scanner rule)

EchelonGraph's Tier 1 Cloud Scanner automatically checks for this condition across all connected cloud accounts. Violations are flagged as high-severity findings with remediation guidance.

🔧 Remediation

Remove the hostProcess flag from pod- and container-level securityContext.windowsOptions. Enforce via Pod Security admission: the Baseline level (and therefore Restricted) already rejects pods that set hostProcess: true.

💀 Real-World Attack Scenario

A Windows K8s cluster ran a 'monitoring agent' with hostProcess: true. The compromised agent had full Windows host access, including the ability to install rootkits and extract LSASS secrets.

💰 Cost of Non-Compliance

hostProcess pods are rare, but when one is exploited the result is full host compromise.

📋 Audit Questions

  1. Any pods with hostProcess: true?
  2. Is each one justified?
  3. Is PSS enforcement at the Baseline level or stricter?
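As an added example (not EchelonGraph's scanner code), the Python audit helper below covers the remediation and audit questions above: it walks a Pod object for hostProcess: true at pod and container level and checks whether a namespace's Pod Security Admission enforce label is at Baseline or stricter. The sample Pod and Namespace objects are constructed for illustration.

```python
"""Audit helper for K8S-PS-002 (CIS Kubernetes 5.2.2): locate hostProcess
pods and check whether a namespace's Pod Security Admission labels block them.
Inputs are plain dicts, e.g. json.load() of `kubectl get pod -o json`."""

# Pod Security Standards levels whose policy forbids hostProcess: true
LEVELS_BLOCKING_HOSTPROCESS = {"baseline", "restricted"}


def _host_process(security_context):
    """True if a pod- or container-level securityContext requests a HostProcess."""
    opts = (security_context or {}).get("windowsOptions") or {}
    return opts.get("hostProcess") is True


def find_host_process(pod):
    """Return the field paths in a Pod object where hostProcess is true."""
    spec = pod.get("spec", {})
    hits = []
    if _host_process(spec.get("securityContext")):
        hits.append("spec.securityContext.windowsOptions.hostProcess")
    # Baseline forbids the flag on every container type, so check all three lists
    for kind in ("initContainers", "containers", "ephemeralContainers"):
        for c in spec.get(kind) or []:
            if _host_process(c.get("securityContext")):
                hits.append(f"spec.{kind}[{c.get('name', '?')}]"
                            ".securityContext.windowsOptions.hostProcess")
    return hits


def namespace_blocks_host_process(namespace):
    """True only if the PSA *enforce* label is baseline or restricted;
    the warn/audit labels report violations but do not reject the pod."""
    labels = namespace.get("metadata", {}).get("labels") or {}
    level = labels.get("pod-security.kubernetes.io/enforce", "privileged")
    return level in LEVELS_BLOCKING_HOSTPROCESS


# Constructed sample objects (not real cluster data); HostProcess pods need hostNetwork
AGENT_POD = {
    "metadata": {"name": "monitoring-agent", "namespace": "ops"},
    "spec": {
        "securityContext": {"windowsOptions": {"hostProcess": True}},
        "hostNetwork": True,
        "containers": [{"name": "agent", "image": "example/agent",
                        "securityContext": {"windowsOptions": {"hostProcess": True}}}],
    },
}
CLEAN_POD = {"metadata": {"name": "web", "namespace": "ops"},
             "spec": {"containers": [{"name": "web", "image": "example/web"}]}}
OPS_NS_OPEN = {"metadata": {"name": "ops", "labels": {"pod-security.kubernetes.io/enforce": "privileged"}}}
OPS_NS_FIXED = {"metadata": {"name": "ops", "labels": {"pod-security.kubernetes.io/enforce": "baseline"}}}

if __name__ == "__main__":
    for pod in (AGENT_POD, CLEAN_POD):
        print(pod["metadata"]["name"], find_host_process(pod) or "ok")
    print("ops namespace blocks hostProcess:", namespace_blocks_host_process(OPS_NS_FIXED))
```

Point the two functions at the output of `kubectl get pods -A -o json` and `kubectl get namespaces -o json` to answer audit questions 1 and 3 for a live cluster.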

🎯 MITRE ATT&CK Mapping

T1068 — Exploitation for Privilege Escalation

⚡ Common Pitfalls

  • Windows admin tools using hostProcess for convenience

📈 Business Value

Eliminating hostProcess closes a Windows-specific privilege escalation.

⏱️ Effort Estimate

Manual: audit + remediate

With EchelonGraph: EchelonGraph enforces via PSS

Automate CIS Kubernetes 5.2.2 compliance

EchelonGraph continuously monitors this control across all your cloud accounts.
