The Kubernetes Common Configuration Scoring System (KCCSS) is an open source framework that rates the risk associated with Kubernetes workloads. KCCSS lets you calculate a risk score from 0 (no risk) to 10 (high risk) for every runtime setting of a workload; these per-setting scores are then combined into a global risk score for the workload, taking into account both the risks present and the remediations put in place.
KCCSS was inspired by the Common Vulnerability Scoring System (CVSS), the standard for rating the impact and risk of software vulnerabilities, as well as by the Common Configuration Scoring System (CCSS) and the Common Configuration Enumeration (CCE). The description and scoring of an individual risk closely follows CVSS, so KCCSS should feel very familiar to CVSS users.
The scoring formula and the risk and remediation rules are open source and available in the KCCSS GitHub repository. The list of rules can easily be extended to cover vendor-specific remediations, risks and remediations specific to particular Kubernetes distributions or cloud providers, and risks and remediations for additional tools installed in the cluster (a service mesh, a Helm server, etc.).
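The following is an added illustration of the two ideas above (a 0-10 risk per runtime setting that is aggregated into a workload score with remediations taken into account, and a rule list that can be extended by appending entries); it is not code from the KCCSS project. The Kubernetes pod-spec fields it inspects are real, but the rule names, the risk values, the mitigation factors and the aggregation formula are assumptions made for this example and are not KCCSS's own rules or formula.

```python
"""KCCSS-style workload scoring (added example, not KCCSS's own rules or formula).

Real pod-spec fields are checked; the scores, factors and formula are hypothetical.
"""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List

Pod = Dict[str, Any]


@dataclass(frozen=True)
class Risk:
    name: str
    score: float                    # 0 (no risk) .. 10 (high risk); hypothetical value
    present: Callable[[Pod], bool]  # does this pod spec trigger the rule?
    remediation: str                # setting change that removes the risk


@dataclass(frozen=True)
class Mitigation:
    name: str
    factor: float                   # multiplier on the aggregate score (< 1 lowers it)
    present: Callable[[Pod], bool]


def _containers(pod: Pod) -> List[dict]:
    return pod.get("spec", {}).get("containers") or []


def _ctx(container: dict) -> dict:
    return container.get("securityContext") or {}


# Hypothetical rule set: append a Risk(...) to extend it. Scores are made up.
RISKS: List[Risk] = [
    Risk("privileged container", 9.0,
         lambda p: any(_ctx(c).get("privileged") is True for c in _containers(p)),
         "set securityContext.privileged: false"),
    Risk("host PID namespace shared", 7.0,
         lambda p: p.get("spec", {}).get("hostPID") is True, "remove spec.hostPID"),
    Risk("host network shared", 6.0,
         lambda p: p.get("spec", {}).get("hostNetwork") is True, "remove spec.hostNetwork"),
    Risk("container may run as root", 5.0,
         lambda p: any(_ctx(c).get("runAsNonRoot") is not True for c in _containers(p)),
         "set securityContext.runAsNonRoot: true"),
]

# Hypothetical mitigations: hardening that lowers residual risk without removing
# the triggering setting itself.
MITIGATIONS: List[Mitigation] = [
    Mitigation("all Linux capabilities dropped", 0.8,
               lambda p: bool(_containers(p)) and all(
                   "ALL" in ((_ctx(c).get("capabilities") or {}).get("drop") or [])
                   for c in _containers(p))),
    Mitigation("read-only root filesystem", 0.9,
               lambda p: bool(_containers(p)) and all(
                   _ctx(c).get("readOnlyRootFilesystem") is True for c in _containers(p))),
]


def setting_scores(pod: Pod) -> Dict[str, float]:
    """Per-setting risk: every triggered rule with its 0-10 score."""
    return {r.name: r.score for r in RISKS if r.present(pod)}


def applied_mitigations(pod: Pod) -> List[str]:
    return [m.name for m in MITIGATIONS if m.present(pod)]


def workload_score(pod: Pod) -> float:
    """Global workload risk (hypothetical formula, not KCCSS's): the highest single
    risk dominates, each further triggered rule adds a tenth of its score, mitigations
    in place scale the result down, and the result is capped at 10 (one decimal)."""
    scores = sorted(setting_scores(pod).values(), reverse=True)
    if not scores:
        return 0.0
    total = scores[0] + 0.1 * sum(scores[1:])
    for m in MITIGATIONS:
        if m.present(pod):
            total *= m.factor
    return round(min(total, 10.0), 1)


def remediation_plan(pod: Pod) -> List[str]:
    """Remediations for the triggered rules, highest risk first."""
    triggered = sorted((r for r in RISKS if r.present(pod)), key=lambda r: r.score, reverse=True)
    return [r.remediation for r in triggered]


# Constructed sample pod specs (not taken from any real cluster).
_APP = {"name": "app", "image": "example/app:1.0"}
SAMPLE_RISKY: Pod = {"kind": "Pod", "metadata": {"name": "risky"},
                     "spec": {"hostPID": True, "containers": [dict(_APP)]}}
SAMPLE_MITIGATED: Pod = {"kind": "Pod", "metadata": {"name": "mitigated"},
                         "spec": {"hostPID": True, "containers": [dict(
                             _APP, securityContext={"readOnlyRootFilesystem": True,
                                                    "capabilities": {"drop": ["ALL"]}})]}}
SAMPLE_HARDENED: Pod = {"kind": "Pod", "metadata": {"name": "hardened"},
                        "spec": {"containers": [dict(
                            _APP, securityContext={"runAsNonRoot": True,
                                                   "readOnlyRootFilesystem": True,
                                                   "capabilities": {"drop": ["ALL"]}})]}}

if __name__ == "__main__":
    for pod in (SAMPLE_RISKY, SAMPLE_MITIGATED, SAMPLE_HARDENED):
        print(f"{pod['metadata']['name']}: score={workload_score(pod)} "
              f"risks={setting_scores(pod)} mitigations={applied_mitigations(pod)} "
              f"plan={remediation_plan(pod)}")
```

Running the block scores the risky sample 7.5, the same spec with capabilities dropped and a read-only root filesystem 5.4, and the hardened sample 0.0; the point is the shape of the calculation (per-setting scores, an aggregate, and remediations that lower it), which is what a real rule set such as KCCSS's plugs into.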
We want to build a community around KCCSS and encourage any kind of contribution: reviews of existing rules, new rules, a better formula, and so on. Visit KCCSS on GitHub to learn more about the open source project and how to contribute.