🔒 Pod Security Standards PSS-Baseline | Rule: PSS-002 | high

Baseline (minimally restrictive)

Description

The Baseline profile prevents known privilege escalations: no privileged containers, no hostNetwork, no hostPID, no hostIPC. EchelonGraph aggregates Pod posture flags (priv_count, host_network, host_pid) to verify cluster-wide Baseline compliance.

⚠️ Risk Impact

Without Baseline enforcement, even one mis-deployed Pod with hostNetwork breaks the namespace's isolation guarantees.

🔍 How EchelonGraph Detects This

PSS-002: Automated scanner rule

EchelonGraph's Tier 1 Cloud Scanner automatically checks for this condition across all connected cloud accounts. Violations are flagged as high-severity findings with remediation guidance.

🔧 Remediation

kubectl label ns <ns> pod-security.kubernetes.io/enforce=baseline pod-security.kubernetes.io/enforce-version=v1.29
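
Before the enforce label is applied, it helps to know which running Pods already violate the four conditions named in the description. The following is an added example, not EchelonGraph's scanner code: it checks only those four fields (the full Baseline profile covers more) over a constructed Pod list in the shape of `kubectl get pods -A -o json`, and the function names are hypothetical.

```python
import json
from collections import defaultdict

# Constructed sample in the shape of `kubectl get pods -A -o json` (not real cluster data).
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"namespace": "web", "name": "frontend"},
   "spec": {"containers": [{"name": "app", "securityContext": {"privileged": false}}]}},
  {"metadata": {"namespace": "web", "name": "debug-tools"},
   "spec": {"hostNetwork": true,
            "containers": [{"name": "sh"}],
            "initContainers": [{"name": "setup", "securityContext": {"privileged": true}}]}},
  {"metadata": {"namespace": "monitoring", "name": "node-agent"},
   "spec": {"hostPID": true, "hostIPC": true, "containers": [{"name": "agent"}]}}
]}
""")

HOST_FLAGS = ("hostNetwork", "hostPID", "hostIPC")
# Privileged mode can be set on any container type, not only the main containers.
CONTAINER_KEYS = ("containers", "initContainers", "ephemeralContainers")


def pod_violations(pod):
    """Return the violations (of the four checked here) found in one Pod."""
    spec = pod.get("spec", {})
    found = [flag for flag in HOST_FLAGS if spec.get(flag) is True]
    for key in CONTAINER_KEYS:
        for c in spec.get(key) or []:
            if (c.get("securityContext") or {}).get("privileged") is True:
                found.append(f"privileged:{key}/{c.get('name', '?')}")
    return found


def audit(pod_list):
    """Map namespace -> {pod name: [violations]}, listing non-compliant Pods only."""
    report = defaultdict(dict)
    for pod in pod_list.get("items", []):
        violations = pod_violations(pod)
        if violations:
            meta = pod.get("metadata", {})
            report[meta.get("namespace", "default")][meta.get("name", "?")] = violations
    return dict(report)


if __name__ == "__main__":
    for ns, pods in sorted(audit(SAMPLE).items()):
        for name, violations in sorted(pods.items()):
            print(f"{ns}/{name}: {', '.join(violations)}")
```

Namespaces that appear in the report have Pods that the Baseline enforce label would reject on their next creation or restart.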

🔗 Cross-Framework References

CIS-K8S-5.2.1, CIS-K8S-5.2.4, CIS-K8S-5.2.5
