# Kubernetes: A Practitioner's Guide to KSPM

By [Mohit Bhasin](https://www.paloaltonetworks.com/blog/author/mohit-bhasin/?ts=markdown "Posts by Mohit Bhasin") and [Noam Shterman](https://www.paloaltonetworks.com/blog/author/noam-shterman/?ts=markdown "Posts by Noam Shterman"), Jun 10, 2025
Kubernetes doesn't just orchestrate containers --- it orchestrates complexity. Security practitioners defending sprawling, multitenant environments can't rely on surface-level dashboards or vague configuration alerts. They need a prioritized view of their Kubernetes security posture --- one that moves beyond checklists and supports meaningful decisions. That's where [Kubernetes security posture management (KSPM)](https://www.paloaltonetworks.com/cyberpedia/kubernetes-security-posture-management-kspm) comes in.

Cortex Cloud introduces KSPM to help teams secure Kubernetes environments with industry-leading real-time protection, delivered by the only Code to Cloud to SOC security platform. Cortex Cloud's KSPM detects and remediates misconfigurations, vulnerabilities, malware and secrets across the [software development lifecycle](https://www.paloaltonetworks.com/cyberpedia/sdlc-software-development-lifecycle). With real-time protection enabled by a lightweight Kubernetes connector or cloud-based XDR agent, teams can stop threats before they escalate in production and secure workloads from code to cloud to SOC.

Today's blog post looks at [Cortex Cloud's KSPM](https://www.paloaltonetworks.com/cortex/cloud/container-security) capabilities, real-world workflows and best practices.

## Know Your Inventory: Kubernetes Asset Visibility

Security begins with understanding your attack surface. In Kubernetes, that means full visibility into clusters, namespaces, nodes, workloads and the controllers that manage them. Cortex Cloud's KSPM Dashboard provides a live, interactive asset map across all clouds, enriched by agentless scanning and Kubernetes-native connectors.

The dashboard invites deep exploration. Click the cluster count to see a breakdown of assets by platform --- EKS, GKE, AKS, OpenShift. Hover over workloads to reveal ReplicaSets, DaemonSets, CronJobs and other components.
Every element is clickable, linking directly to a filtered asset inventory page. The ability to pivot from a broad overview to granular details in one click shortens the path from signal to insight, enabling teams to address asset sprawl, which can otherwise undermine Kubernetes environments.

![KSPM Dashboard showing live Kubernetes asset inventory with clickable resource views across clusters, namespaces and workloads](https://www.paloaltonetworks.com/blog/wp-content/uploads/2025/05/a-screenshot-of-a-computer-ai-generated-content-m.png)

Figure 1: KSPM Dashboard showing live Kubernetes asset inventory with clickable resource views across clusters, namespaces and workloads

![Riskiest Clusters widget ranking clusters by weighted scores across malware, compliance, vulnerabilities and exposed secrets](https://www.paloaltonetworks.com/blog/wp-content/uploads/2025/05/a-screen-shot-of-a-computer-ai-generated-content.png)

Figure 2: Riskiest Clusters widget ranking clusters by weighted scores across malware, compliance, vulnerabilities and exposed secrets

## Kubernetes Security Insights

Security insights matter most when they're prioritized, contextualized and actionable. The KSPM Dashboard aggregates findings across domains --- including compliance, vulnerabilities, secrets and malware --- to surface what deserves attention.

### 1. Riskiest Clusters

The Riskiest Clusters widget ranks clusters by a weighted risk score that factors in malware detections, compliance violations, vulnerability density and the presence of secrets. External exposure pushes a cluster to the top of the list. It's a focused way to direct attention to what matters most. Clicking a cluster opens its side card, complete with scores, issues and affected resources.

### 2. Top Clusters by Vulnerabilities

Not every CVE requires a response, but clusters overloaded with critical and high-severity CVSS scores demand immediate review.
Clicking a cluster opens a side panel with asset ID, cloud region, tags, asset group and associated findings. Use "Resource Explorer" to access a full inventory of affected assets, sorted and ready for triage.

### 3. Secrets Detected in Clusters

Leaked secrets break trust, and this widget helps teams find them before anyone else does by categorizing and counting secrets. Clicking a secret type reveals the implicated clusters harboring plaintext, hard-coded credentials and/or misconfigured encryption keys.

### 4. Malware Detected

Clusters compromised by known malware appear in a sorted view based on malware volume. Side cards show affected assets and provide guidance for response. When malware hits, speed matters. Cortex Cloud helps cut through noise and move fast to containment.

## Built for Security Team Workflows

KSPM isn't just powerful because of what it shows --- it's how teams use it. Investigation doesn't require jumping between tools. Each widget supports intuitive workflows: side-card previews for single assets, detailed list views for asset groups and direct action links for fast response.

To narrow the focus by cloud account or asset group, apply a single filter and watch the entire view update. Settings are persistent --- preferences stay in place across sessions. The dashboard is export-ready. Whether preparing for a report or an audit, the data's ready to go. Role-based access control (RBAC) is enforced throughout the dashboard interface. Only users with edit rights see control options.

## KSPM Best Practices for Practitioners

### Integrate KSPM into a Container Security Strategy

Use KSPM as part of a broader container security approach to ensure full coverage across the container lifecycle --- from code to cloud. This integration helps identify and mitigate risks at each stage, including code, build, deploy, and runtime.
### Continuously Monitor Your Kubernetes Environment

Monitor clusters using agentless scanning, the lightweight Kubernetes connector and the Cortex XDR® agent for cloud. These tools provide real-time visibility into misconfigurations, vulnerabilities, secrets, malware and compliance issues. Continuous assessments support proactive remediation and preserve a strong security posture.

### Maintain Up-to-Date KSPM Rules and Policies

Keep KSPM rules and policies current to enforce compliance and identify posture violations. Set up guardrails to block deployments that violate cloud workload policies. Regular updates ensure your environment stays aligned with the latest protections.

### Prioritize Risks Identified by KSPM Scans

Focus on the riskiest clusters first --- those with critical vulnerabilities, malware, exposed secrets or misconfigurations. Prioritization drives efficient use of resources and strengthens cluster defenses.

### Implement Role-Based Access Control

Apply RBAC to enforce least privilege across your Kubernetes environment. Access controls reduce the risk of unauthorized activity and limit attack surfaces.

## Operationalizing KSPM with Cortex Cloud

Kubernetes security posture management isn't a set-it-and-forget-it task. It's an ongoing discipline of monitoring environments, enforcing policy and auditing configurations. Cortex Cloud's KSPM capabilities strengthen Kubernetes security by surfacing what matters and giving practitioners the tools to act with speed and precision. We enable DevOps, platform engineering and security teams to drive security outcomes --- without slowing innovation.

But why take our word for it when you can [sign up for a free trial](https://start.paloaltonetworks.com/cortex-cloud-runtime-security-demo) and experience Cortex Cloud KSPM first-hand.
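The "Implement Role-Based Access Control" and "Prioritize Risks" practices above, as an added example that is not Cortex Cloud's code: a small Python audit over constructed Kubernetes RBAC objects (the role names, namespaces and severity labels are assumptions) that joins bindings to roles, flags wildcard grants, Secret read access and a ServiceAccount holding cluster-admin, and orders the findings worst first.

```python
"""Added example: least-privilege audit over Kubernetes RBAC objects.
Input is constructed inline; a real run would feed it the items from
`kubectl get roles,clusterroles,rolebindings,clusterrolebindings -A -o json`.
"""

# Constructed sample objects, trimmed to the fields the audit reads.
# Names and namespaces (payments, ci, batch, dev-team) are assumptions.
ROLES = [
    {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "Role", "metadata": {"name": "pod-reader", "namespace": "payments"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
    {"kind": "Role", "metadata": {"name": "secret-peeker", "namespace": "payments"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]},
]
BINDINGS = [
    {"kind": "ClusterRoleBinding", "metadata": {"name": "ci-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "ci"}]},
    {"kind": "RoleBinding", "metadata": {"name": "readers", "namespace": "payments"},
     "roleRef": {"kind": "Role", "name": "pod-reader"},
     "subjects": [{"kind": "Group", "name": "dev-team"}]},
    {"kind": "RoleBinding", "metadata": {"name": "peek", "namespace": "payments"},
     "roleRef": {"kind": "Role", "name": "secret-peeker"},
     "subjects": [{"kind": "ServiceAccount", "name": "batch", "namespace": "payments"}]},
]

SEVERITY_ORDER = {"critical": 0, "high": 1}

def role_findings(role):
    """Return (severity, message) pairs for one Role or ClusterRole."""
    out = []
    for rule in role.get("rules", []):
        verbs, resources = set(rule.get("verbs", [])), set(rule.get("resources", []))
        if "*" in verbs and "*" in resources:
            out.append(("critical", "wildcard verbs on wildcard resources"))
        elif "*" in verbs or "*" in resources:
            out.append(("high", "wildcard in verbs or resources"))
        if "secrets" in resources and verbs & {"get", "list", "watch", "*"}:
            out.append(("high", "can read Secrets"))
    return out

def audit(roles, bindings):
    """Join bindings to roles so each finding names the subject that holds the power."""
    by_ref = {(r["kind"], r["metadata"]["name"]): r for r in roles}
    report = []
    for b in bindings:
        ref = b["roleRef"]
        role = by_ref.get((ref["kind"], ref["name"]))
        if role is None:
            continue  # a dangling binding grants nothing
        for subj in b.get("subjects", []):
            who = f'{subj["kind"]}/{subj.get("namespace", "-")}/{subj["name"]}'
            for sev, msg in role_findings(role):
                report.append((sev, who, ref["name"], msg))
            if (b["kind"] == "ClusterRoleBinding" and ref["name"] == "cluster-admin"
                    and subj["kind"] == "ServiceAccount"):
                report.append(("critical", who, ref["name"], "ServiceAccount holds cluster-admin"))
    # Worst first; the stable sort keeps input order within a severity tier.
    return sorted(report, key=lambda f: SEVERITY_ORDER[f[0]])

if __name__ == "__main__":
    for sev, who, role, msg in audit(ROLES, BINDINGS):
        print(f"[{sev}] {who} via {role}: {msg}")
```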