Risk Severity is a metric that represents the risk of security vulnerability for your Kubernetes workload. It uses the Kubernetes Common Configuration Scoring System (KCCSS), which is a framework for rating security risks associated with misconfigurations.
Kubernetes Common Configuration Scoring System
KCCSS scores both risks and remediations as separate rules. It calculates risk for every runtime setting of a workload and then the total risk of the workload. For each workload, a risk score ranging from 0 (no risk) to 10 (high risk) is assigned.
Measures of Risk
KCCSS shows the potential impact of risky configuration settings in three areas:
- Confidentiality
  - Exposure of Personally Identifiable Information (PII), potential access to keys, and so on.
- Integrity
  - Unwanted changes to the container, host, or cluster; for example, being able to change the runtime behavior, launch new processes or new pods, and so on.
- Availability
  - Exhaustion of resources, denial of service, and so on.
KCCSS accounts for whether the risk is limited to the container or impacts the entire cluster, the ease of exploiting the risk, and whether an attack requires local access. It combines all security risks associated with a workload together with the required remediations to attribute an overall risk score to the workload.
Risk Score
The scoring system takes into account over 30 security settings for Kubernetes configurations. The exact rules and scoring formula are part of KCCSS. Based on the score, workloads are filtered by level of severity: high, medium, or low. The higher the risk score, the higher the severity. Every workload is assigned a risk score between 0 (low risk) and 10 (high risk).
| Score Range | Severity |
|---|---|
| 0 - 3 | Low |
| 4 - 6 | Medium |
| 7 - 10 | High |
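The following is an added example, not part of the original documentation and not the KCCSS rule set or scoring formula (the page states those are defined by KCCSS itself). It illustrates the two ideas above: each risky runtime setting is classified by impact area (confidentiality, integrity, availability) and scope (contained to the container, or affecting the host/cluster) and paired with its remediation, and the individual findings are then rolled up into one 0-10 workload score that is bucketed with the severity bands from the table. The six checks, their weights, and the aggregation rule are illustrative assumptions; the three pod specs are constructed inputs.

```python
"""Illustrative KCCSS-style risk scoring over a Kubernetes pod spec (dict form).

Assumptions (not KCCSS's actual rules): which settings are checked, the base
risk assigned to each, and how findings are aggregated. Only the severity bands
(0-3 Low, 4-6 Medium, 7-10 High) come from the documentation's table.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    impact: tuple       # affected areas: confidentiality / integrity / availability
    scope: str          # "container" (contained) or "cluster" (reaches host or cluster)
    base: int           # assumed base risk 0-10 for this single setting
    remediation: str    # the change that removes the risk


def _containers(pod_spec):
    return pod_spec.get("containers", []) + pod_spec.get("initContainers", [])


def _sc(container, key):
    return container.get("securityContext", {}).get(key)


# (rule, predicate): the predicate is True when the risky setting is present.
CHECKS = [
    (Rule("privileged container", ("confidentiality", "integrity", "availability"), "cluster", 9,
          "set securityContext.privileged: false"),
     lambda p: any(_sc(c, "privileged") is True for c in _containers(p))),
    (Rule("hostPID namespace shared", ("confidentiality", "integrity"), "cluster", 7,
          "remove hostPID: true"),
     lambda p: p.get("hostPID") is True),
    (Rule("hostNetwork namespace shared", ("confidentiality", "integrity"), "cluster", 6,
          "remove hostNetwork: true"),
     lambda p: p.get("hostNetwork") is True),
    (Rule("container may run as root", ("integrity",), "container", 4,
          "set securityContext.runAsNonRoot: true"),
     lambda p: any(_sc(c, "runAsNonRoot") is not True for c in _containers(p))),
    (Rule("no CPU/memory limits", ("availability",), "container", 3,
          "set resources.limits.cpu and resources.limits.memory"),
     lambda p: any(not c.get("resources", {}).get("limits") for c in _containers(p))),
    (Rule("writable root filesystem", ("integrity",), "container", 2,
          "set securityContext.readOnlyRootFilesystem: true"),
     lambda p: any(_sc(c, "readOnlyRootFilesystem") is not True for c in _containers(p))),
]


def find_risks(pod_spec):
    """Return the rules whose risky setting is present in the pod spec."""
    return [rule for rule, present in CHECKS if present(pod_spec)]


def risk_score(pod_spec):
    """Roll the findings up into one 0-10 workload score.

    Assumed aggregation: the single worst setting sets the floor, each
    additional finding adds one point, and the result is capped at 10.
    """
    findings = find_risks(pod_spec)
    if not findings:
        return 0
    worst = max(r.base for r in findings)
    return min(10, worst + len(findings) - 1)


def severity(score):
    """Severity bands from the documentation's table."""
    if score <= 3:
        return "Low"
    if score <= 6:
        return "Medium"
    return "High"


def report(pod_spec):
    """Human-readable summary: score, severity, and each finding with its fix."""
    score = risk_score(pod_spec)
    lines = [f"risk score {score}/10 -> {severity(score)}"]
    for r in sorted(find_risks(pod_spec), key=lambda r: -r.base):
        lines.append(f"  [{r.scope}] {r.name}: impacts {', '.join(r.impact)}; fix: {r.remediation}")
    return "\n".join(lines)


# Constructed sample pod specs (the "spec" section of a Pod manifest as a dict).
RISKY_POD = {
    "hostNetwork": True,
    "containers": [{"name": "app", "image": "example/app:1.0",
                    "securityContext": {"privileged": True}}],
}
HARDENED_POD = {
    "containers": [{"name": "app", "image": "example/app:1.0",
                    "securityContext": {"privileged": False, "runAsNonRoot": True,
                                        "readOnlyRootFilesystem": True},
                    "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}}}],
}
# Hardened except that it never asserts a non-root user.
PARTIAL_POD = {
    "containers": [{"name": "app", "image": "example/app:1.0",
                    "securityContext": {"readOnlyRootFilesystem": True},
                    "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}}}],
}

if __name__ == "__main__":
    for label, spec in (("risky", RISKY_POD), ("partial", PARTIAL_POD), ("hardened", HARDENED_POD)):
        print(f"== {label} ==\n{report(spec)}")
```

Running the module prints the three reports: the risky pod trips five checks and is capped at 10 (High), the partially hardened pod carries only the run-as-root finding (4, Medium), and the hardened pod scores 0 (Low). The split between cluster-scoped and container-scoped findings in the report is what the page means by whether a risk "is limited to the container or impacts the entire cluster"; a real KCCSS evaluation additionally weighs ease of exploitation and whether local access is needed, which this toy model does not.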