Add documentation for CIS Pod Security Standards compliance results

content/kubermatic/main/security/cis-benchmarking/kkp2.28-k8s1.33/_index.en.md

@@ -283,13 +283,41 @@ _The issue is under investigation to provide a fix in a future KKP release_
 
 ### 5.2. Pod Security Standards
 
+KKP applies Pod Security Admission (PSA) labels to user cluster namespaces to enforce security standards:
+
+**Privileged System Namespaces:**
+
+| Namespace | enforce | audit | warn | Description |
+|-----------|---------|-------|------|-------------|
+| kube-system | privileged | baseline | privileged | Kubernetes core components (CNI, CSI, node-local-dns) |
+| kube-public | privileged | baseline | privileged | Kubernetes public resources |
+| kube-node-lease | privileged | baseline | privileged | Node heartbeat leases |
+| cloud-init-settings | privileged | baseline | privileged | KKP cloud-init configuration |
+
+**Namespaces using baseline enforcement:**
+
+| Namespace | enforce | audit | warn | Description |
+|-----------|---------|-------|------|-------------|
+| default | baseline | baseline | baseline | User workloads |
+| kubernetes-dashboard | baseline | baseline | baseline | KKP dashboard service |
+
+{{% notice note %}}
+Privileged system namespaces contain components (CNI, CSI, node-local-dns) that need hostNetwork, hostPath volumes, and elevated capabilities to function. Baseline-enforced namespaces block dangerous pod configurations while allowing standard workloads.
+{{% /notice %}}
+
+To verify compliance for namespaces using baseline enforcement:
+
+```bash
+trivy k8s --include-namespaces default,kubernetes-dashboard --compliance=k8s-cis-1.23 --report summary
+```
+
 #### 5.2.2: Minimize the admission of privileged containers
 
 **Severity:** HIGH
 
-**Result:** 🔴 Fail
+**Result:** 🔵 Pass (Baseline-Enforced Namespaces) / Expected Fail (Privileged System Namespaces)
 
-_The issue is under investigation to provide a fix in a future KKP release_
+_Baseline-enforced namespaces (default, kubernetes-dashboard) block privileged containers. Privileged system namespaces need it for CNI (cilium), CSI drivers, and node-local-dns._
 
 ---
 
@@ -313,59 +341,59 @@ _The issue is under investigation to provide a fix in a future KKP release_
 
 **Severity:** HIGH
 
-**Result:** 🔴 Fail
+**Result:** 🔵 Pass (Baseline-Enforced Namespaces) / Expected Fail (Privileged System Namespaces)
 
-_The issue is under investigation to provide a fix in a future KKP release_
+_Baseline-enforced namespaces block hostNetwork. Privileged system namespaces need hostNetwork for CNI (cilium) and node-local-dns._
 
 ---
 
 #### 5.2.6: Minimize the admission of containers with allowPrivilegeEscalation
 
 **Severity:** HIGH
 
-**Result:** 🔴 Fail
+**Result:** 🔵 Pass (Baseline-Enforced Namespaces) / Expected Fail (Privileged System Namespaces)
 
-_The issue is under investigation to provide a fix in a future KKP release_
+_Workloads in baseline-enforced namespaces (dashboard-metrics-scraper) set `allowPrivilegeEscalation: false`. Components in privileged system namespaces require privilege escalation._
 
 ---
 
 #### 5.2.7: Minimize the admission of root containers
 
 **Severity:** MEDIUM
 
-**Result:** 🔴 Fail
+**Result:** 🔵 Pass (Baseline-Enforced Namespaces) / Expected Fail (Privileged System Namespaces)
 
-_The issue is under investigation to provide a fix in a future KKP release_
+_Workloads in baseline-enforced namespaces set `runAsNonRoot: true` and run as non-root users. Components in privileged system namespaces run as root._
 
 ---
 
 #### 5.2.8: Minimize the admission of containers with the NET_RAW capability
 
 **Severity:** MEDIUM
 
-**Result:** 🔴 Fail
+**Result:** 🔵 Pass (Baseline-Enforced Namespaces) / Expected Fail (Privileged System Namespaces)
 
-_The issue is under investigation to provide a fix in a future KKP release_
+_Baseline-enforced namespaces drop NET_RAW. Components in privileged system namespaces (CNI) require this capability._
 
 ---
 
 #### 5.2.9: Minimize the admission of containers with added capabilities
 
 **Severity:** LOW
 
-**Result:** 🔴 Fail
+**Result:** 🔵 Pass (Baseline-Enforced Namespaces) / Expected Fail (Privileged System Namespaces)
 
-_The issue is under investigation to provide a fix in a future KKP release_
+_Workloads in baseline-enforced namespaces drop all capabilities with `capabilities.drop: ["ALL"]`. Components in privileged system namespaces require various capabilities._
 
 ---
 
 #### 5.2.10: Minimize the admission of containers with capabilities assigned
 
 **Severity:** LOW
 
-**Result:** 🔴 Fail
+**Result:** 🔵 Pass (Baseline-Enforced Namespaces) / Expected Fail (Privileged System Namespaces)
 
-_The issue is under investigation to provide a fix in a future KKP release_
+_Workloads in baseline-enforced namespaces drop all capabilities. Components in privileged system namespaces require various capabilities._
 
 ---
 
@@ -381,19 +409,19 @@ _The issue is under investigation to provide a fix in a future KKP release_
 
 **Severity:** MEDIUM
 
-**Result:** 🔴 Fail
+**Result:** 🔵 Pass (Baseline-Enforced Namespaces) / Expected Fail (Privileged System Namespaces)
 
-_The issue is under investigation to provide a fix in a future KKP release_
+_Baseline-enforced namespaces do not use hostPath volumes. Components in privileged system namespaces (CNI, CSI) require hostPath for node-level operations._
 
 ---
 
 #### 5.2.13: Minimize the admission of containers which use HostPorts
 
 **Severity:** MEDIUM
 
-**Result:** 🔴 Fail
+**Result:** 🔵 Pass (Baseline-Enforced Namespaces) / Expected Fail (Privileged System Namespaces)
 
-_The issue is under investigation to provide a fix in a future KKP release_
+_Baseline-enforced namespaces do not use hostPorts. Components in privileged system namespaces require hostPorts._
 
 ---
 
@@ -465,9 +493,9 @@ _The issue is under investigation to provide a fix in a future KKP release_
 
 **Severity:** HIGH
 
-**Result:** 🔴 Fail
+**Result:** 🔵 Pass (Baseline-Enforced Namespaces) / Expected Fail (Privileged System Namespaces)
 
-_The issue is under investigation to provide a fix in a future KKP release_
+_Workloads in baseline-enforced namespaces (default, kubernetes-dashboard) have security contexts applied with runAsNonRoot, allowPrivilegeEscalation: false, and capabilities dropped. Components in privileged system namespaces require elevated privileges._
 
 ---
 

content/kubermatic/v2.28/security/cis-benchmarking/kkp2.28-k8s1.33/_index.en.md

@@ -283,13 +283,41 @@ _The issue is under investigation to provide a fix in a future KKP release_
 
 ### 5.2. Pod Security Standards
 
+KKP applies Pod Security Admission (PSA) labels to user cluster namespaces to enforce security standards:
+
+**Privileged System Namespaces:**
+
+| Namespace | enforce | audit | warn | Description |
+|-----------|---------|-------|------|-------------|
+| kube-system | privileged | baseline | privileged | Kubernetes core components (CNI, CSI, node-local-dns) |
+| kube-public | privileged | baseline | privileged | Kubernetes public resources |
+| kube-node-lease | privileged | baseline | privileged | Node heartbeat leases |
+| cloud-init-settings | privileged | baseline | privileged | KKP cloud-init configuration |
+
+**Namespaces using baseline enforcement:**
+
+| Namespace | enforce | audit | warn | Description |
+|-----------|---------|-------|------|-------------|
+| default | baseline | baseline | baseline | User workloads |
+| kubernetes-dashboard | baseline | baseline | baseline | KKP dashboard service |
+
+{{% notice note %}}
+Privileged system namespaces contain components (CNI, CSI, node-local-dns) that need hostNetwork, hostPath volumes, and elevated capabilities to function. Baseline-enforced namespaces block dangerous pod configurations while allowing standard workloads.
+{{% /notice %}}
+
+To verify compliance for namespaces using baseline enforcement:
+
+```bash
+trivy k8s --include-namespaces default,kubernetes-dashboard --compliance=k8s-cis-1.23 --report summary
+```
+
 #### 5.2.2: Minimize the admission of privileged containers
 
 **Severity:** HIGH
 
-**Result:** 🔴 Fail
+**Result:** 🔵 Pass (Baseline-Enforced Namespaces) / Expected Fail (Privileged System Namespaces)
 
-_The issue is under investigation to provide a fix in a future KKP release_
+_Baseline-enforced namespaces (default, kubernetes-dashboard) block privileged containers. Privileged system namespaces need it for CNI (cilium), CSI drivers, and node-local-dns._
 
 ---
 
@@ -313,59 +341,59 @@ _The issue is under investigation to provide a fix in a future KKP release_
 
 **Severity:** HIGH
 
-**Result:** 🔴 Fail
+**Result:** 🔵 Pass (Baseline-Enforced Namespaces) / Expected Fail (Privileged System Namespaces)
 
-_The issue is under investigation to provide a fix in a future KKP release_
+_Baseline-enforced namespaces block hostNetwork. Privileged system namespaces need hostNetwork for CNI (cilium) and node-local-dns._
 
 ---
 
 #### 5.2.6: Minimize the admission of containers with allowPrivilegeEscalation
 
 **Severity:** HIGH
 
-**Result:** 🔴 Fail
+**Result:** 🔵 Pass (Baseline-Enforced Namespaces) / Expected Fail (Privileged System Namespaces)
 
-_The issue is under investigation to provide a fix in a future KKP release_
+_Workloads in baseline-enforced namespaces set `allowPrivilegeEscalation: false`. Components in privileged system namespaces require privilege escalation._
 
 ---
 
 #### 5.2.7: Minimize the admission of root containers
 
 **Severity:** MEDIUM
 
-**Result:** 🔴 Fail
+**Result:** 🔵 Pass (Baseline-Enforced Namespaces) / Expected Fail (Privileged System Namespaces)
 
-_The issue is under investigation to provide a fix in a future KKP release_
+_Workloads in baseline-enforced namespaces set `runAsNonRoot: true` and run as non-root users. Components in privileged system namespaces run as root._
 
 ---
 
 #### 5.2.8: Minimize the admission of containers with the NET_RAW capability
 
 **Severity:** MEDIUM
 
-**Result:** 🔴 Fail
+**Result:** 🔵 Pass (Baseline-Enforced Namespaces) / Expected Fail (Privileged System Namespaces)
 
-_The issue is under investigation to provide a fix in a future KKP release_
+_Baseline-enforced namespaces drop NET_RAW. Components in privileged system namespaces (CNI) require this capability._
 
 ---
 
 #### 5.2.9: Minimize the admission of containers with added capabilities
 
 **Severity:** LOW
 
-**Result:** 🔴 Fail
+**Result:** 🔵 Pass (Baseline-Enforced Namespaces) / Expected Fail (Privileged System Namespaces)
 
-_The issue is under investigation to provide a fix in a future KKP release_
+_Workloads in baseline-enforced namespaces drop all capabilities with `capabilities.drop: ["ALL"]`. Components in privileged system namespaces require various capabilities._
 
 ---
 
 #### 5.2.10: Minimize the admission of containers with capabilities assigned
 
 **Severity:** LOW
 
-**Result:** 🔴 Fail
+**Result:** 🔵 Pass (Baseline-Enforced Namespaces) / Expected Fail (Privileged System Namespaces)
 
-_The issue is under investigation to provide a fix in a future KKP release_
+_Workloads in baseline-enforced namespaces drop all capabilities. Components in privileged system namespaces require various capabilities._
 
 ---
 
@@ -381,19 +409,19 @@ _The issue is under investigation to provide a fix in a future KKP release_
 
 **Severity:** MEDIUM
 
-**Result:** 🔴 Fail
+**Result:** 🔵 Pass (Baseline-Enforced Namespaces) / Expected Fail (Privileged System Namespaces)
 
-_The issue is under investigation to provide a fix in a future KKP release_
+_Baseline-enforced namespaces do not use hostPath volumes. Components in privileged system namespaces (CNI, CSI) require hostPath for node-level operations._
 
 ---
 
 #### 5.2.13: Minimize the admission of containers which use HostPorts
 
 **Severity:** MEDIUM
 
-**Result:** 🔴 Fail
+**Result:** 🔵 Pass (Baseline-Enforced Namespaces) / Expected Fail (Privileged System Namespaces)
 
-_The issue is under investigation to provide a fix in a future KKP release_
+_Baseline-enforced namespaces do not use hostPorts. Components in privileged system namespaces require hostPorts._
 
 ---
 
@@ -465,9 +493,9 @@ _The issue is under investigation to provide a fix in a future KKP release_
 
 **Severity:** HIGH
 
-**Result:** 🔴 Fail
+**Result:** 🔵 Pass (Baseline-Enforced Namespaces) / Expected Fail (Privileged System Namespaces)
 
-_The issue is under investigation to provide a fix in a future KKP release_
+_Workloads in baseline-enforced namespaces (default, kubernetes-dashboard) have security contexts applied with runAsNonRoot, allowPrivilegeEscalation: false, and capabilities dropped. Components in privileged system namespaces require elevated privileges._
 
 ---