Risk Severity is a metric that represents the risk of security vulnerability for your Kubernetes workload. It uses the Kubernetes Common Configuration Scoring System (KCCSS), which is a framework for rating security risks associated with misconfigurations.

Note: The risk rating for Kubernetes workloads is different from the risk severity for container image vulnerabilities because they are evaluated using different scales. For more information about container image risk scores, see Risk Evaluation for Container Images.

Kubernetes Common Configuration Scoring System

KCCSS scores both risks and remediations as separate rules. It calculates risk for every runtime setting of a workload and then the total risk of the workload. For each workload, a risk score ranging from 0 (no risk) to 10 (high risk) is assigned.

Measures of Risk

KCCSS shows the potential impact of risky configuration settings in three areas:

Confidentiality: Exposure of Personally Identifiable Information (PII), potential access to keys, and so on.
Integrity: Unwanted changes to the container, host, or cluster; for example, being able to change the runtime behavior, launch new processes or new pods, and so on.
Availability: Exhaustion of resources, denial of service, and so on.

KCCSS accounts for whether the risk is limited to the container or impacts the entire cluster, the ease of exploiting the risk, and whether an attack requires local access. It combines all security risks associated with a workload together with the required remediations to attribute an overall risk score to the workload.

Risk Score

The scoring system takes into account over 30 security settings for Kubernetes configurations. The exact rules and scoring formula are part of KCCSS. Based on the score, workloads are filtered by level of severity: high, medium, or low. The higher the risk score, the higher the severity. Every workload is assigned a risk score between 0 (low risk) and 10 (high risk).

Score Range    Severity
0 - 3          Low
4 - 6          Medium
7 - 10         High
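The following Python script is an added example, not the product's or KCCSS's own code. It puts the page's vocabulary to work on a Pod manifest: it flags a handful of risky runtime settings, tags each with the impact areas (confidentiality, integrity, availability) and the container-versus-cluster scope described under Measures of Risk, and buckets a 0-10 workload score into the Low/Medium/High bands from the table above. The checked settings and their impact/scope labels are a constructed, hypothetical subset chosen for illustration; the real KCCSS rule set and scoring formula are not reproduced, so the numeric score is taken as an input rather than computed. The sample manifest is constructed inline.

```python
"""Illustrative risk triage for a Kubernetes Pod manifest.

Added example, not the product's or KCCSS's own code. It reuses the page's
vocabulary (impact areas, container-vs-cluster scope, the 0-10 score and
its Low/Medium/High bands), but the set of checked settings and their
impact/scope labels below are a constructed, hypothetical subset: the real
KCCSS rules and scoring formula are not reproduced here.
"""
import math
from dataclasses import dataclass

# Severity bands exactly as given in the page's table (inclusive ranges).
SEVERITY_BANDS = ((0, 3, "Low"), (4, 6, "Medium"), (7, 10, "High"))


def severity_for_score(score: float) -> str:
    """Map a 0-10 workload risk score onto the page's severity bands.

    The table only defines integer ranges, so a fractional score such as 3.4
    is rounded half-up to the nearest integer first (assumption made here).
    """
    if not 0 <= score <= 10:
        raise ValueError(f"risk score out of range 0-10: {score}")
    rounded = math.floor(score + 0.5)
    for low, high, label in SEVERITY_BANDS:
        if low <= rounded <= high:
            return label
    raise AssertionError("bands cover 0-10, so this is unreachable")


@dataclass(frozen=True)
class Finding:
    setting: str              # path of the risky field in the manifest
    impact: tuple[str, ...]   # subset of the page's three impact areas
    scope: str                # "container" or "cluster" (page's distinction)


def check_pod(manifest: dict) -> list[Finding]:
    """Flag a hypothetical subset of risky runtime settings in a Pod spec."""
    spec = manifest.get("spec", {})
    findings: list[Finding] = []
    # Host namespaces expose the node, so the blast radius is cluster-wide.
    if spec.get("hostPID"):
        findings.append(Finding("spec.hostPID",
                                ("confidentiality", "integrity"), "cluster"))
    if spec.get("hostNetwork"):
        findings.append(Finding("spec.hostNetwork",
                                ("confidentiality", "integrity"), "cluster"))
    for c in spec.get("containers", []):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext") or {}
        prefix = f"spec.containers[{name}]"
        if sc.get("privileged"):
            findings.append(Finding(f"{prefix}.securityContext.privileged",
                                    ("confidentiality", "integrity", "availability"),
                                    "cluster"))
        # Kubernetes defaults allowPrivilegeEscalation to true when unset.
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(Finding(f"{prefix}.securityContext.allowPrivilegeEscalation",
                                    ("integrity",), "container"))
        if not sc.get("runAsNonRoot"):
            findings.append(Finding(f"{prefix}.securityContext.runAsNonRoot",
                                    ("integrity",), "container"))
        # Missing limits let one container exhaust a node shared with other pods.
        if not (c.get("resources") or {}).get("limits"):
            findings.append(Finding(f"{prefix}.resources.limits",
                                    ("availability",), "cluster"))
    return findings


def summarize_impact(findings: list[Finding]) -> dict[str, int]:
    """Count findings per impact area, the three-way view the page describes."""
    counts = {"confidentiality": 0, "integrity": 0, "availability": 0}
    for f in findings:
        for area in f.impact:
            counts[area] += 1
    return counts


def cluster_scoped(findings: list[Finding]) -> list[Finding]:
    """Findings whose impact is not limited to the container."""
    return [f for f in findings if f.scope == "cluster"]


# Constructed sample manifest (not from any real cluster).
SAMPLE_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "demo"},
    "spec": {
        "hostPID": True,
        "containers": [{
            "name": "app",
            "image": "example.invalid/app:1.0",
            "securityContext": {"privileged": True},
        }],
    },
}

if __name__ == "__main__":
    found = check_pod(SAMPLE_POD)
    for f in found:
        print(f"{f.scope:9s} {','.join(f.impact):42s} {f.setting}")
    print("impact counts:", summarize_impact(found))
    # The numeric score itself comes from the scanner; bucket it as the page does.
    print("score 7.2 ->", severity_for_score(7.2))
```

Running the script prints five findings for the sample Pod, three of them cluster-scoped (host PID namespace, privileged container, missing resource limits), which is the kind of breakdown that explains why one misconfigured workload can end up in the High band while another with only container-scoped issues does not. The rounding step matters at band boundaries: a scanner that reports 3.5 lands in Medium, while 3.4 stays Low.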