# Activating the KSPM module

{% note info %}

This feature is at the [Preview](../../../overview/concepts/launch-stages.md) stage.

{% endnote %}

KSPM allows you to flexibly select and customize security rules to meet your organization's specific requirements and create exceptions from the rules.

## Getting started {#before-you-begin}

Before onboarding clusters to KSPM, make sure they meet the following requirements:

* Kubernetes 1.30 or higher.
* There is no [Kyverno](https://yandex.cloud/en/marketplace/products/yc/kyverno)-based [admission control](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/) in the Kubernetes cluster. If Kyverno was previously deployed, remove it along with all [CustomResourceDefinition](https://kubernetes.io/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/) resources it created.
* Networking must be set up between the Kubernetes cluster nodes and [Yandex Container Registry](../../../managed-kubernetes/tutorials/container-registry.md).
* Network access must be allowed on port `54321` from the pod running a runtime security monitoring sensor to the cluster pods.
* TCP access from the cluster to the KSPM API (`kspm.api.cloud.yandex.net`) must be allowed on port `443`.
* [Security groups](../../../managed-kubernetes/operations/connect/security-groups.md#rules-nodes) must allow access from the cluster’s master node to KSPM components running on the cluster nodes.
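A preflight script for the requirements above, added here as an example and not part of the Yandex Cloud tooling. It assumes `kubectl` is pointed at the target cluster and that the cluster can pull `busybox` for the connectivity probe; the security-group and port `54321` rules are not checked because they depend on your network layout.

```shell
#!/bin/sh
# Checks the KSPM onboarding requirements against the current kubectl context.
# Assumed: kubectl is installed and authenticated; busybox:1.36 can be pulled.

# Returns 0 if a version such as "v1.30.2" or "1.31.0-foo.1" is 1.30 or higher.
version_ok() {
    v=${1#v}
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    minor=${minor%%[!0-9]*}          # drop suffixes such as "0-foo"
    if [ "$major" -gt 1 ] 2>/dev/null || { [ "$major" -eq 1 ] && [ "$minor" -ge 30 ]; }; then
        return 0
    fi
    return 1
}

# Returns 0 if the `kubectl get crd -o name` output passed as $1 lists a Kyverno CRD.
has_kyverno_crds() {
    if printf '%s\n' "$1" | grep -q '\.kyverno\.io$'; then
        return 0
    fi
    return 1
}

run_preflight() {
    command -v kubectl >/dev/null 2>&1 || { echo "kubectl not found"; return 1; }
    status=0
    srv=$(kubectl get --raw /version | sed -n 's/.*"gitVersion": *"\([^"]*\)".*/\1/p')
    if version_ok "$srv"; then echo "ok    cluster version $srv"
    else echo "FAIL  cluster version $srv is below 1.30"; status=1; fi

    if has_kyverno_crds "$(kubectl get crd -o name)"; then
        echo "FAIL  Kyverno CRDs present; remove Kyverno and its CRDs"; status=1
    else echo "ok    no Kyverno CRDs"; fi

    # Probe the KSPM API from inside the cluster, the way the sensor pod reaches it.
    if kubectl run kspm-probe --rm -i --restart=Never --image=busybox:1.36 -- \
        nc -z -w 5 kspm.api.cloud.yandex.net 443 >/dev/null 2>&1; then
        echo "ok    kspm.api.cloud.yandex.net:443 reachable from a pod"
    else echo "FAIL  kspm.api.cloud.yandex.net:443 not reachable from a pod"; status=1; fi
    return $status
}

if [ "${1:-}" = "--run" ]; then run_preflight; fi
```

Run it as `sh kspm-preflight.sh --run`; a non-zero exit means at least one requirement is not met.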

## Activating the module {#kspm-activate}

To get started with KSPM:
1. [Create](../../../iam/operations/sa/create.md) a service account that KSPM will use to view Managed Service for Kubernetes [cluster](../../../managed-kubernetes/concepts/index.md#kubernetes-cluster) info, install the necessary components, and perform checks.
1. [Assign](../../../iam/operations/sa/assign-role-for-sa.md) to the service account the `security-deck.worker` [role](../../security/index.md#security-deck-worker) for the organization, cloud, or folder.

    {% note info %}

    KSPM will only have access to the Managed Service for Kubernetes clusters residing in the corresponding organization, cloud, or folder.

    {% endnote %}

    If you have assigned the role for a particular folder, the service account will also need the `auditor` role for the cloud.

1. [Create](../workspaces/create.md) a Security Deck workspace configured as follows:

    * In the connector settings under **Resources**:
      * Select the service account you created earlier.
      * Specify the clouds and folders in which you want to control the security of Managed Service for Kubernetes clusters.

        {% note tip %}

        Later on you will be able to further narrow the scope of control in the KSPM settings.

        {% endnote %}

    * Under **Control modules**, select the industry standards and regulations the resources you chose at the previous step will be benchmarked against.
      
      * ![cspm-standard-k8s-restricted](../../../_assets/security-deck/cspm-standard-k8s-restricted.svg) Kubernetes Pod Security Standards (Restricted): This standard contains security controls based on the [Kubernetes Pod Security Standards (PSS) Restricted profile](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). A restricted profile is the most secure and provides the highest detection efficiency for container-based attacks. It applies strict security policies that may require modifying applications to ensure compliance. A restricted profile is recommended for security-critical applications and environments where maximum security is required.
      * ![cspm-standard-k8s-baseline](../../../_assets/security-deck/cspm-standard-k8s-baseline.svg) Kubernetes Pod Security Standards (Baseline): This standard contains security controls based on the [Kubernetes Pod Security Standards (PSS) Baseline profile](https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline). A baseline profile is designed for easy implementation and provides common best practices for container security. It prevents the most common security issues in containers while maintaining compatibility with most applications. The baseline profile is a good starting point for organizations just getting started with container security.
      * ![cspm-standard-k8s-ms](../../../_assets/security-deck/cspm-standard-k8s-ms.svg) Microsoft Threat Matrix for Kubernetes: This standard contains security controls based on the [Microsoft Threat Matrix for Kubernetes](https://www.microsoft.com/en-us/security/blog/2020/04/02/attack-matrix-kubernetes/), which is a framework that helps security teams understand and fend off threats specific to Kubernetes environments. It provides a comprehensive approach to attack methods and defensive strategies tailored for container orchestration platforms.
      * ![cspm-cis-k8s-standard](../../../_assets/security-deck/cspm-cis-k8s-standard.svg) CIS Kubernetes Benchmark: This standard contains [CIS Kubernetes Benchmark](https://www.cisecurity.org/benchmark/kubernetes) recommendations for secure configuration of components on Kubernetes worker nodes. It includes only the automated checks from the `4 Worker Nodes` section.

      You can select several standards at the same time. The **Control modules** section displays the Security Deck modules that will be activated in the new workspace to check your resources for compliance with the selected standards and regulations.
1. Complete the KSPM setup:
    1. Click ![image](../../../_assets/console-icons/wrench.svg) **Workspace parameters** on the new workspace page.
    1. Navigate to the **KSPM** tab.
    1. Under **Scope of control**, select the clouds, folders, or clusters within the workspace resources where compliance with the Kubernetes security rules will be enforced.

        {% note warning %}

        A cluster can belong to only one Security Deck workspace; adding it to more than one causes conflicts.

        {% endnote %}

    1. Click **Save** and confirm the action.

        Once you do that, the necessary components will be automatically installed in the `yc-security` namespace in the Managed Service for Kubernetes clusters that are within the scope of control.

        Depending on cluster size, component installation may take from 1 to 10 minutes.

{% note tip %}

To remove clusters from the control scope and stop monitoring their security, [delete](../workspaces/delete.md) the Security Deck workspace or disable the Kubernetes security standards.

{% endnote %}