Compliance Packs Overview
Styra manages security policies for cloud native and hybrid cloud infrastructure. For Kubernetes clusters, Styra can interoperate with the Kubernetes Admission Controller framework to enforce controls over all resource deployments. Styra also provides a library of compliance packs for users requiring complex compliance controls. Use the Manage Compliance Packs menu in each of your Kubernetes systems and stacks to enable and configure Kubernetes compliance packs.
For more information on the compliance packs available in each Styra DAS edition, see the Styra DAS Editions page.
Kubernetes Best Practices
The Styra Kubernetes Best Practices compliance pack includes policy library rules recommended by Styra based on industry best practices for Kubernetes admission control. Refer to the Kubernetes Policy Library Rules Best Practices compliance pack section for details of the rules mapped to best practices.
Styra DAS offers an out-of-the-box rule set to address the Center for Internet Security (CIS) Kubernetes Benchmarks. These recommendations include best practices such as cluster hardening, network management, permissions control and more. For more information on how Styra policy library rules map to each specific CIS benchmark, refer to the Kubernetes Policy Library Rules CIS Benchmarks compliance pack section.
MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) classifies and describes cyber attacks and includes tactics and techniques based on adversary objectives. The MITRE ATT&CK Enterprise Containers Matrix covers specific techniques against containers. Styra has mapped a set of admission control rules for Kubernetes to align with the cyber attack lifecycle described in the MITRE ATT&CK® Matrix for Enterprise covering container technologies. These policies are organized based on a ten-stage cyber attack lifecycle that describes the techniques that attackers could use to infiltrate, compromise, and steal data from within a Kubernetes cluster. Additional details on how Styra policy library rules map to MITRE ATT&CK Containers Matrix for Kubernetes, refer to the Kubernetes Policy Library Rules MITRE ATT&CK compliance pack section.
NIST Container Security
The National Institute of Standards and Technology (NIST) has a series of guidelines targeting container security posture. The Kubernetes NIST Container Security compliance pack includes rules which address the recommendations outlined in the NIST Special Publication (SP) 800-190 Application Container Security Guide. For more information on how Styra policy library rules map to each NIST recommendation, refer to the Kubernetes Policy Library Rules NIST Container Security compliance pack section.
PCI DSS v3.2
The Payment Card Industry Data Security Standard (PCI DSS) applies to all entities involved in payment card processing — including merchants, processors, acquirers, issuers, service providers, as well as other organizations which store, process, or transmit cardholder and sensitive data. This regulation requires specific and stringent oversight of all aspects of an entity's computing infrastructure, human and automated processes, and operating and reporting environments. Styra DAS provides specific control examples of Rego policy that can be used to manage Kubernetes resources subject to PCI DSS v3.2. For more information on how Styra policy library rules map to each specific PCI DSS requirement, refer to the Kubernetes Policy Library Rules PCI DSS v3.2 compliance pack section and the whitepaper How Styra Maps to PCI Data Security Standard v3.2.
Styra DAS includes two compliance packs for customers looking to meet pod security requirements: Pod Security Policy and Pod Security v2.
Pod Security Policy
Kubernetes Pod Security Policies (PSPs) enabled developers to enforce run-time permissions for a container and permit actions on the kernel. This feature has been deprecated by Kubernetes as of Kubernetes v1.25 and replaced with Pod Security Admission. For customers looking for a 1:1 replacement of Kubernetes PSPs, Styra DAS offers the Pod Security Policy compliance pack. For more information on how Styra policy library rules map to Kubernetes PSP policies, refer to the Kubernetes Policy Library Rules Pod Security Policies compliance pack section.
Pod Security v2
Kubernetes introduced Pod Security Standards (PSS) and Pod Security Admission (PSA) in v1.22 as a replacement for Pod Security Policy (PSP). For customers looking to meet and exceed the Baseline and Restricted profiles defined in Kubernetes PSS, Styra DAS offers the Pod Security v2 compliance pack. For more information on how Styra policy library rules map to Kubernetes PSS profiles, refer to the Kubernetes Policy Library Rules Pod Security v2 compliance pack section.