SOC 2 and Continuous Compliance Monitoring
Service Organization Control 2 (SOC 2) focuses on security, availability, processing integrity, confidentiality, and privacy. Unlike checklist-based compliance frameworks, SOC 2 requires demonstrating that controls operate effectively over time, not just that they exist at a point in time. Kubernetes environments therefore need continuous monitoring and evidence collection so that auditors can see controls operating throughout the audit period.
Control monitoring in Kubernetes combines native capabilities with additional tooling. Admission webhooks enforce security policies and log violations. Continuous compliance scanners assess configurations against benchmarks. Because these controls run continuously, they generate the evidence of operating effectiveness over the audit period that a SOC 2 Type II report requires.
# Continuous compliance monitoring with Polaris
apiVersion: v1
kind: ConfigMap
metadata:
  name: polaris-config
  namespace: polaris
data:
  config.yaml: |
    checks:
      # Security checks aligned with SOC 2
      hostIPCSet: danger
      hostPIDSet: danger
      hostNetworkSet: danger
      runAsRootAllowed: danger
      runAsPrivileged: danger
      notReadOnlyRootFilesystem: warning
      cpuRequestsMissing: warning
      cpuLimitsMissing: warning
      memoryRequestsMissing: warning
      memoryLimitsMissing: warning
      # Availability checks
      deploymentMissingReplicas: warning
      priorityClassNotSet: warning
      # Additional custom checks
      tagNotSpecified: danger
      pullPolicyNotAlways: warning
    exemptions:
      # Control-plane components legitimately use the host network and run as root
      - namespace: kube-system
        controllerNames:
          - kube-apiserver
          - kube-controller-manager
          - kube-scheduler
        rules:
          - hostNetworkSet
          - runAsRootAllowed
---
# Automated compliance reporting
apiVersion: batch/v1
kind: CronJob
metadata:
  name: compliance-reporter
  namespace: compliance
spec:
  schedule: "0 8 * * 1" # Weekly on Mondays at 8 AM
  jobTemplate:
    spec:
      template:
        spec:
          serviceAccountName: compliance-scanner
          containers:
            - name: scanner
              # NOTE: the upstream aquasec/kube-bench image ships only kube-bench.
              # This script also needs kubectl, jq and the aws CLI, so use an image
              # that bundles them (or split the steps into separate containers).
              image: aquasec/kube-bench:latest
              command:
                - sh
                - -c
                - |
                  set -eu
                  DATE=$(date +%Y%m%d)
                  # Run CIS benchmark scan; kube-bench selects JSON output with --json
                  # and the destination with --outputfile (master/etcd targets also need
                  # the host mounts shown in the kube-bench job manifests)
                  kube-bench run --targets=master,node,etcd,policies \
                    --json --outputfile "/reports/cis-benchmark-${DATE}.json"
                  # Snapshot the workload inventory as supporting evidence
                  kubectl get all -A -o json > "/reports/resource-inventory-${DATE}.json"
                  # Check Pod Security Standards compliance: a server-side dry run of the
                  # enforce label returns a warning for every existing pod that would
                  # violate 'restricted', without changing the namespace
                  kubectl get namespaces -o json | \
                    jq -r '.items[].metadata.name' | \
                    while read -r ns; do
                      kubectl label --dry-run=server --overwrite \
                        namespace "$ns" \
                        pod-security.kubernetes.io/enforce=restricted \
                        2>&1 | tee -a "/reports/pss-compliance-${DATE}.log"
                    done
                  # Upload reports to S3 for retention as audit evidence
                  aws s3 cp /reports/ "s3://compliance-reports/kubernetes/${DATE}/" --recursive
              volumeMounts:
                - name: reports
                  mountPath: /reports
          restartPolicy: OnFailure
          volumes:
            - name: reports
              emptyDir: {}
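The reports the CronJob above uploads are raw scanner output; an auditor wants a per-run summary that says which controls operated, plus some assurance that retained evidence has not been altered. The following Python script is an added example (not part of the original page or of any of the tools it mentions) that turns a kube-bench JSON report and the Pod Security dry-run log into such an evidence record. The sample report and log lines are constructed: the report only follows the shape of kube-bench's JSON output (a "Controls" list with "tests" and "results"), and the test numbers, descriptions, pod and namespace names are placeholders. The SHA-256 over the canonical JSON is an assumed convention for tamper-evident retention, not something the page or kube-bench defines.

```python
import hashlib
import json
import re
from collections import Counter

# Constructed sample in the shape of kube-bench's JSON output. Test numbers,
# descriptions and statuses are placeholders, not results from a real cluster.
SAMPLE_CIS_REPORT = {
    "Controls": [
        {"id": "1", "node_type": "master", "text": "Control plane (constructed)",
         "tests": [{"section": "1.2", "desc": "API server", "results": [
             {"test_number": "1.2.1", "test_desc": "anonymous auth disabled (constructed)",
              "status": "FAIL", "scored": True},
             {"test_number": "1.2.6", "test_desc": "authorization mode restricted (constructed)",
              "status": "PASS", "scored": True}]}]},
        {"id": "4", "node_type": "node", "text": "Worker node (constructed)",
         "tests": [{"section": "4.2", "desc": "Kubelet", "results": [
             {"test_number": "4.2.1", "test_desc": "kubelet anonymous auth disabled (constructed)",
              "status": "PASS", "scored": True},
             {"test_number": "4.2.9", "test_desc": "event QPS tuned (constructed)",
              "status": "WARN", "scored": False}]}]},
    ]
}

# Constructed lines in the style of the warnings the PodSecurity admission plugin
# returns for a server-side dry run of the enforce label (see the CronJob above).
SAMPLE_PSS_LOG = """\
Warning: existing pods in namespace "payments" violate the new PodSecurity enforce level "restricted:latest"
Warning: api-7c9d8b5f4-x2k1q: allowPrivilegeEscalation != false, runAsNonRoot != true, seccompProfile
namespace/payments labeled (server dry run)
namespace/monitoring labeled (server dry run)
"""

NS_VIOLATION = re.compile(r'existing pods in namespace "([^"]+)" violate')
NS_LABELED = re.compile(r'^namespace/(\S+) labeled')


def summarize_cis(report):
    """Count results by status and list the scored failures, which are the
    ones that count against the benchmark score and need a remediation record."""
    counts = Counter()
    failures = []
    for control in report.get("Controls", []):
        for test in control.get("tests", []):
            for result in test.get("results", []):
                counts[result["status"]] += 1
                if result["status"] == "FAIL" and result.get("scored", False):
                    failures.append({"id": result["test_number"],
                                     "node_type": control["node_type"],
                                     "desc": result["test_desc"]})
    return {"counts": dict(counts), "scored_failures": failures}


def summarize_pss(log_text):
    """Namespaces the dry run covered versus those whose existing pods would
    violate the 'restricted' level."""
    checked, violating = set(), set()
    for line in log_text.splitlines():
        hit = NS_VIOLATION.search(line)
        if hit:
            violating.add(hit.group(1))
        hit = NS_LABELED.match(line)
        if hit:
            checked.add(hit.group(1))
    return {"checked": sorted(checked), "violating": sorted(violating)}


def _canonical(body):
    # Sorted keys and no whitespace so the digest is stable across runs.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_evidence(cis_report, pss_log, scan_date):
    """Bundle both summaries with a SHA-256 over the canonical JSON so that a
    later modification of the retained record can be detected (assumed convention)."""
    body = {"scan_date": scan_date,
            "cis": summarize_cis(cis_report),
            "pss": summarize_pss(pss_log)}
    return {"body": body, "sha256": hashlib.sha256(_canonical(body)).hexdigest()}


def verify_evidence(record):
    """Recompute the digest; False means the stored body no longer matches it."""
    return hashlib.sha256(_canonical(record["body"])).hexdigest() == record["sha256"]


def control_effective(record):
    """Per-run verdict for the Type II trend: effective only when there is no
    scored CIS failure and no namespace with pods violating 'restricted'."""
    body = record["body"]
    return not body["cis"]["scored_failures"] and not body["pss"]["violating"]


if __name__ == "__main__":
    record = build_evidence(SAMPLE_CIS_REPORT, SAMPLE_PSS_LOG, "20240101")
    print(json.dumps(record, indent=2))
    print("verified:", verify_evidence(record), "effective:", control_effective(record))
```

In the CronJob the script would read the two files the run just wrote (`cis-benchmark-<date>.json` and `pss-compliance-<date>.log`) and store the record next to them; keeping a record per run, rather than only the latest, is what lets an auditor see the control operating across the whole period.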