KSPM module
The KSPM page lists every Kubernetes-specific finding across every connected cluster.
Columns
| Column | Notes |
|---|---|
| Severity | CRITICAL / HIGH / MEDIUM / LOW. |
| Status | OPEN / IGNORED / RESOLVED. |
| Rule | The KSPM rule name. |
| Kind | Deployment, StatefulSet, Pod, ServiceAccount, etc. |
| Resource name | Workload name. |
| Namespace | Kubernetes namespace. |
| Cluster | Stable cluster ID. |
Filters
- Severity, Status.
- Cluster, when you have multiple connected.
- Namespace, to scope to one team or app.
- Kind, to focus on Pods vs Deployments vs RBAC objects.
- Category, the rule grouping (Pod Security, RBAC, Network, etc.).
Common rule categories
| Category | Examples |
|---|---|
| Pod Security | K8S-PRIVILEGED, K8S-RUN-AS-ROOT, K8S-HOST-NETWORK, K8S-HOST-PID |
| RBAC | K8S-WILDCARD-VERB, K8S-DEFAULT-SA-CLUSTER-ADMIN |
| Network | K8S-NO-NETWORK-POLICY, K8S-DASHBOARD-EXPOSED |
| Resource limits | K8S-NO-LIMITS, K8S-NO-REQUESTS |
| API server | K8S-API-PUBLIC, K8S-ANON-AUTH |
| Image hygiene | K8S-IMAGE-LATEST, K8S-IMAGE-UNSIGNED |
Detail panel
For each finding the panel shows:
- The full path to the offending object: cluster_id / namespace / kind / name.
- The exact spec excerpt that violates the rule (e.g. securityContext.privileged: true).
- Remediation, shown as the fix you can apply with kubectl or a PR to your manifests.
- Cluster context: cloud provider, region, version, public/private endpoint.
Tips
- Filter by cluster and severity = CRITICAL for the prioritised view per cluster.
- Group by namespace when triaging a multi-tenant cluster, so each app team gets its own block.
- Cross-reference with IaC. Every KSPM finding has a sibling IaC rule that catches the same issue at PR time. Once you triage a few, push the work upstream into PR checks.
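
A sketch of the PR-time check the last tip points to, as an added example (not the product's own IaC rules). It reports findings as rule, namespace/kind/name and spec excerpt, as the detail panel does. The mapping of K8S-HOST-NETWORK and K8S-HOST-PID to pod-spec fields is an assumption, and the sample manifests are constructed.

```python
import json

# Constructed sample manifests (JSON form, as produced by `kubectl get -o json`).
SAMPLE = json.loads("""
[
 {"kind": "Deployment", "metadata": {"name": "agent", "namespace": "ops"},
  "spec": {"template": {"spec": {"hostNetwork": true, "containers": [
    {"name": "main", "image": "example/agent:1.0",
     "securityContext": {"privileged": true}}]}}}},
 {"kind": "CronJob", "metadata": {"name": "dump", "namespace": "ops"},
  "spec": {"jobTemplate": {"spec": {"template": {"spec": {"hostPID": true,
    "containers": [{"name": "dump", "image": "example/dump:1.0"}]}}}}}},
 {"kind": "Pod", "metadata": {"name": "web"},
  "spec": {"containers": [{"name": "web", "image": "example/web:1.0"}]}}
]
""")

def pod_spec(obj):
    """Locate the pod spec in a Pod, a templated workload, or a CronJob."""
    spec = obj.get("spec") or {}
    if obj.get("kind") == "Pod":
        return spec
    if obj.get("kind") == "CronJob":
        spec = (spec.get("jobTemplate") or {}).get("spec") or {}
    return (spec.get("template") or {}).get("spec") or {}

def check(obj):
    """Return (rule, namespace/kind/name, spec excerpt) tuples for one object."""
    meta = obj.get("metadata") or {}
    path = f"{meta.get('namespace', 'default')}/{obj.get('kind')}/{meta.get('name')}"
    spec, found = pod_spec(obj), []
    # Assumed mapping of the page's rule names to pod-spec fields.
    for rule, field in (("K8S-HOST-NETWORK", "hostNetwork"), ("K8S-HOST-PID", "hostPID")):
        if spec.get(field) is True:
            found.append((rule, path, f"{field}: true"))
    for group in ("initContainers", "containers"):
        for c in spec.get(group) or []:
            if (c.get("securityContext") or {}).get("privileged") is True:
                found.append(("K8S-PRIVILEGED", path,
                              f"{group}[{c.get('name')}].securityContext.privileged: true"))
    return found

def scan(objects):
    """Flatten findings across all objects; a non-empty result fails the PR check."""
    return [f for obj in objects for f in check(obj)]

if __name__ == "__main__":
    for rule, path, excerpt in scan(SAMPLE):
        print(f"{rule}  {path}  {excerpt}")
    raise SystemExit(1 if scan(SAMPLE) else 0)
```

The non-zero exit status lets a CI job block the merge when any finding is present.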
What's next
- KSPM concept
- Connect a Kubernetes cluster
- IaC scanning, the upstream sibling