In today’s cloud-native ecosystems, effective configuration security is essential. Containers and Kubernetes clusters operate in dynamic environments with multiple interconnected risk vectors, making security more complex than in traditional IT environments. Misconfigurations can lead to vulnerabilities, breaches, and compliance issues, putting applications and data at risk.
This blog post examines how Calico’s configuration security features, specifically designed for Kubernetes, help organizations overcome these challenges while building secure, compliant, and robust Kubernetes environments.
Understanding Configuration Security Risks
Configuration security is vital for any organization operating in a cloud-native environment. The risks are multifaceted and stem from a variety of factors that include:
- Exposed Endpoints and Insecure APIs: Kubernetes clusters often expose various APIs and endpoints, and if these are misconfigured or lack proper access controls, they can become entry points for attackers.
- Pod Security: Kubernetes allows fine-grained control over what resources a pod can access and what actions it can perform. Misconfiguring security contexts, such as allowing containers to run as root or without resource limits, can expose the cluster to container escape vulnerabilities, privilege escalation, and denial-of-service attacks.
- Audit Logging and Monitoring: Proper configuration of logging and monitoring tools is essential for detecting and responding to security incidents. Without sufficient logging, it can be challenging to identify unauthorized access or investigate incidents, delaying incident response and recovery.
Organizations need an approach that can integrate seamlessly with their Kubernetes environments, providing continuous configuration checks, prioritizing risks, and offering remediation guidance.
Calico offers configuration security capabilities that address these complex requirements. Built on the powerful open source Kubescape engine, Calico is specifically tailored for Kubernetes, offering powerful controls and frameworks for risk detection, compliance, automated mitigation, and remediation.
Comprehensive Kubernetes Security Controls in Calico
At the core of configuration security are controls that Calico enforces through the Kubescape engine, which provides hundreds of specialized controls for auditing the configuration of your Kubernetes environment.
A control is essentially a rule or a set of rules that checks specific configuration settings. Here’s an example to illustrate:
Ensure that the Kubelet is configured to rotate certificates
- Control ID: 4.2.15 (from CIS Kubernetes Benchmark)
- Control Name: Kubelet Certificate Rotation Configuration
- Severity: Medium
- Description: This control verifies whether the Kubernetes Kubelet is configured to automatically rotate its client certificates. Certificate rotation ensures that Kubernetes components are not using expired or outdated certificates, which could potentially compromise cluster security.
- Audit Procedure: Kubescape can automatically check if the
RotateKubeletClientCertificatefeature is enabled in the Kubelet configuration. It looks for the presence and value of the--rotate-certificatesflag in the Kubelet configuration file (usually located in/var/lib/kubelet/config.yamlor set as a flag when starting Kubelet). The control checks if--rotate-certificatesis set totrue.
This control also includes remediation steps if the configuration check fails. Each control has a unique identification number and a reference to the relevant security benchmark or framework that was used—like the CIS Kubernetes Benchmark in this case. Kubescape controls also feature a severity rating (high, medium, or low), which allows you to prioritize remediation based on risk level.
By leveraging the purpose-built Kubescape engine, Calico offers hundreds of targeted controls that align with major security benchmarks and compliance standards, including the CIS (Center for Internet Security) Kubernetes Benchmark. This alignment helps organizations meet compliance requirements efficiently. Additionally, Kubescape supports security frameworks for cloud providers like Amazon EKS, Google GKE, and Microsoft AKS, enabling standardized security practices across hybrid and multi-cloud environments.
Customizable Frameworks
Customizable frameworks in configuration security are essential because they allow organizations to tailor security policies to their unique operational needs, industry compliance requirements, and risk tolerance. By adapting frameworks to different environments—such as multi-cloud, hybrid, and specific development stages—teams can focus on high-risk areas relevant to their setup, streamline audits, and quickly evolve controls to address emerging threats.
In Calico, customization is simplified with the Policy Library, which contains Kubescape’s prebuilt controls. Users can select a prebuilt framework, make a copy, and then tailor it by adding or removing controls as needed. This flexibility enables teams to adapt the framework precisely to their requirements.
Calico’s customizable framework options allow you to support use cases like:
- Focused Compliance Checks: For targeted compliance issues, create a custom policy that includes only the necessary controls to address specific regulatory requirements or operational risks.
- Removing Non-Applicable Controls: If certain rules in a standard framework (e.g., the CIS Kubernetes Benchmark) don’t apply to your environment, you can clone the framework, remove irrelevant controls, and potentially add controls that better suit your environment.
Customizable frameworks offer maximum flexibility, supporting efficient workflows that reduce your risk profile and streamline auditing processes, ensuring security policies evolve alongside your infrastructure.
Configuration Security and Compliance Reporting
Configuration security serves several complementary purposes, including hardening, continuous monitoring, and ensuring compliance. To address these different use cases, Calico offers a variety of report types, such as:
- Kubescape Framework Reports: Find and remediate misconfigurations in your infrastructure using a variety of pre-built Kubescape reports
- Customizable Framework Reports: Find and remediate misconfigurations using custom frameworks
- Inventory Report: Contains the details (protection status, policies) of namespaces, services and endpoints configured with policy protection, and more.
- Network Access Report: Continuously reports on the network statistics (egress, ingress, mTLS, policies) for endpoints.
- Policy Audit Report: Contains policy statistics (policy list and changes) on in-scope assets.

The reports are available in the Calico UI, but all of them can also be exported either to JSON or YAML formats for maximum flexibility that allow you to easily import data into other systems, like a compliance reporting system. Calico also supports reports on demand or on a recurring schedule, allowing for easy automation with other security tools.

Remediation Workflows
Effective remediation workflows are essential for managing configuration security efficiently. Calico provides tools to streamline the remediation process, including the ability to generate Jira tickets with scan results and assign them for resolution. These tickets automatically include relevant configuration security details, enabling developers to address issues quickly and systematically, significantly enhancing the efficiency of remediation efforts.

Calico’s integration with Kubernetes network policies allows for efficient and seamless mitigation using network policies. For instance, you can quickly create quarantine policies to isolate a vulnerable pod or node by blocking all incoming and outgoing traffic. If a pod has a critical configuration security issue, you can quarantine it within seconds, and safely address the issue. Once resolved, the quarantine policy can be easily removed to restore normal traffic flow.

Comprehensive Inventory
Calico utilizes Kubernetes’s comprehensive inventory of all containers and nodes within a cluster to deliver complete visibility across deployments. With this full asset inventory, no components are missed, eliminating the need to search for hidden or overlooked assets. Additionally, Calico’s ability to display all connections between nodes and pods within a Kubernetes cluster provides valuable context, making it easier to identify and address critical misconfiguration risks across the environment.

Prioritization and Insights
Beyond detection flexibility, a vital aspect of configuration security is strong prioritization. Calico’s network security capabilities allow it to calculate the exact communication paths for every node and pod in a Kubernetes cluster, offering a detailed view of potential risks based on network policy and configurations. This enables Calico to provide enhanced configuration security prioritization based on actual environmental exposure.
Calico also provides a “Cluster Security Score,” offering a centralized view of the cluster’s security status with recommendations to improve this score. This includes insights into configuration issues (misconfigurations), vulnerabilities, egress access security, namespace isolation, and more. The score allows teams to quickly understand whether security is trending positively or negatively, with actionable recommendations to enhance the security posture.

Summary
Calico’s configuration security enhances visibility, compliance, and risk management in containerized environments. Leveraging the powerful open source Kubescape engine, Calico provides hundreds of industry-aligned security controls for Kubernetes, enabling organizations to adapt frameworks to their unique needs. Its robust reporting options support compliance and continuous monitoring, with seamless export capabilities for integration into other systems. With JIRA integration for streamlined remediation and prioritization tools like a Cluster Security Score, Calico helps teams efficiently address high-risk configuration security issues and strengthen their Kubernetes security posture.
Note: Several of the features mentioned in this Blog will be available soon in Q1 2025 when our transition to the new Kubescape engine will be completed.
Want to learn more about Calico Configuration Security? Schedule a demo.
