☸️ CIS Kubernetes 5.7.3 · Rule: K8S-PS-007 · Severity: high

runAsNonRoot enforced

Description

Containers should run as non-root. The watcher counts the containers in each Pod and computes runasnonroot_count from securityContext.RunAsNonRoot, evaluated at both the Pod level and the container level.

⚠️ Risk Impact

Container processes running as root increase the blast radius of any container-escape CVE.

🔍 How EchelonGraph Detects This

K8S-PS-007 · Automated scanner rule

EchelonGraph's Tier 1 Cloud Scanner automatically checks for this condition across all connected cloud accounts. Violations are flagged as high-severity findings with remediation guidance.

🔧 Remediation

Set securityContext.runAsNonRoot: true at Pod level and use a non-root UID in your container image.
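The following is an added example, not EchelonGraph's watcher code: it evaluates a parsed Pod manifest the way the description and remediation above imply, counting containers and how many are effectively non-root, using the Kubernetes precedence rule that a container-level securityContext.runAsNonRoot overrides the Pod-level value. The sample manifests are constructed, and counting initContainers alongside regular containers is an assumption beyond what the page states.

```python
# Added example, not EchelonGraph's own code: evaluate a Pod manifest the way a
# runAsNonRoot rule would, counting containers and those effectively non-root.
# Kubernetes precedence: a container-level securityContext.runAsNonRoot overrides
# the Pod-level value; an unset value at both levels means "not enforced".
# Assumption: initContainers are counted alongside regular containers.


def effective_run_as_non_root(pod_spec: dict, container: dict) -> bool:
    """Resolve runAsNonRoot for one container: container level wins, then Pod level."""
    container_value = (container.get("securityContext") or {}).get("runAsNonRoot")
    if container_value is not None:
        return container_value is True
    pod_value = (pod_spec.get("securityContext") or {}).get("runAsNonRoot")
    return pod_value is True


def evaluate_pod(pod: dict) -> dict:
    """Count containers, compute runasnonroot_count, and list containers still able to run as root."""
    spec = pod.get("spec", {})
    containers = list(spec.get("containers", [])) + list(spec.get("initContainers", []))
    violations = [c["name"] for c in containers if not effective_run_as_non_root(spec, c)]
    return {
        "pod": pod.get("metadata", {}).get("name", "<unnamed>"),
        "container_count": len(containers),
        "runasnonroot_count": len(containers) - len(violations),
        "violations": violations,
        "compliant": not violations,
    }


# Constructed sample manifests (as parsed YAML), not taken from any real cluster.
POD_BEFORE = {  # only one container sets runAsNonRoot; the sidecar inherits nothing
    "metadata": {"name": "web-before"},
    "spec": {"containers": [
        {"name": "app", "image": "app:1.0", "securityContext": {"runAsNonRoot": True}},
        {"name": "sidecar", "image": "sidecar:1.0"},
    ]},
}

POD_AFTER = {  # remediation: enforce at Pod level so every container inherits it
    "metadata": {"name": "web-after"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
        "containers": [
            {"name": "app", "image": "app:1.0"},
            {"name": "sidecar", "image": "sidecar:1.0"},
        ],
    },
}

if __name__ == "__main__":
    for pod in (POD_BEFORE, POD_AFTER):
        print(evaluate_pod(pod))
```

Note that runAsNonRoot: true only makes the kubelet refuse to start a container whose image runs as UID 0; the image must still provide a non-root user, or runAsUser must set one, for the Pod to start.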

🔗 Cross-Framework References

NIST-AC-6 · PCI-2.2

Automate CIS Kubernetes 5.7.3 compliance

EchelonGraph continuously monitors this control across all your cloud accounts.
