Compliance
Control mapping for regulated environments
Disclaimer: Baker Street is an open-source platform. These mappings show how Baker Street capabilities map to common compliance frameworks. This is informational and not legal advice. Actual compliance depends on your deployment configuration and organizational controls.
SOC 2 Trust Services Criteria
| Control | Description | Baker Street Capability |
|---|---|---|
| CC6.1 | Logical access security | RBAC-scoped agent permissions, namespace isolation, and allowlisted command sets help implement logical access controls |
| CC6.3 | Role-based access | Kubernetes RBAC with per-agent service accounts and scoped permissions helps implement role-based access |
| CC6.6 | System boundary protection | Default-deny NetworkPolicies and namespace separation support system boundary enforcement between agents and services |
| CC7.1 | Detection of anomalies | Human-in-the-loop approval for sensitive actions and audit trail integrity checks support anomaly detection processes |
| CC7.2 | System monitoring | HMAC-chained audit logging with real-time SIEM forwarding maps to continuous monitoring requirements |
| CC8.1 | Change management | Signed container images, SBOM generation, and Kyverno admission policies support change management controls |
ISO 27001 Annex A
| Control | Description | Baker Street Capability |
|---|---|---|
| A.8 | Asset management | Declarative agent manifests and SBOM generation support asset inventory and lifecycle management |
| A.9 | Access control | Kubernetes RBAC, namespace isolation, and allowlisted commands help implement access control policies |
| A.10 | Cryptography | HMAC-chained audit logs, encrypted-at-rest volumes, and cosign image verification help implement cryptographic controls |
| A.12 | Operations security | Pod security contexts (non-root user, read-only root filesystem, all Linux capabilities dropped) and seccomp profiles map to operational security controls |
| A.14 | System acquisition and development | Signed images, Kyverno admission policies, and registry restrictions support secure development and acquisition |
| A.16 | Information security incident management | Tamper-evident audit trails forwarded to an external SIEM support incident detection, investigation, and response |
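As an added example (not Baker Street's own code or log format), this is the kind of integrity check that sits behind the HMAC-chained audit logging referenced in CC7.2/CC7.1 and A.10/A.16 above. It assumes a record layout in which each entry carries the previous record's MAC, and it shows why the SIEM's copy of the chain head is needed: without it, truncating records from the tail is undetectable.

```python
import copy
import hashlib
import hmac
import json
from typing import List, Optional, Tuple

GENESIS = "0" * 64  # constructed anchor value for the first record's "prev" link

def _canonical(event: dict) -> bytes:
    # Deterministic serialization so the MAC always covers the same bytes.
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()

def _mac(key: bytes, prev: str, event: dict) -> str:
    # Each MAC binds the event to the previous record's MAC, forming the chain.
    return hmac.new(key, prev.encode() + _canonical(event), hashlib.sha256).hexdigest()

def append_record(log: List[dict], key: bytes, event: dict) -> dict:
    """Append an event record linked to the MAC of the record before it."""
    prev = log[-1]["mac"] if log else GENESIS
    rec = {"event": event, "prev": prev, "mac": _mac(key, prev, event)}
    log.append(rec)
    return rec

def verify_chain(log: List[dict], key: bytes, head: Optional[str] = None) -> Tuple[bool, str]:
    """Recompute every link. An edited, reordered or removed record breaks the chain;
    `head` is the last MAC as held by an external SIEM and catches tail truncation."""
    prev = GENESIS
    for i, rec in enumerate(log):
        if rec["prev"] != prev:
            return False, f"record {i}: prev link mismatch (record missing or reordered)"
        if not hmac.compare_digest(_mac(key, prev, rec["event"]), rec["mac"]):
            return False, f"record {i}: MAC mismatch (content altered)"
        prev = rec["mac"]
    if head is not None and not hmac.compare_digest(prev, head):
        return False, "head mismatch (records truncated from the tail)"
    return True, "ok"

def demo() -> dict:
    """Constructed sample: three agent actions, then four tampering scenarios."""
    key = b"constructed-demo-key"  # real deployments pull this from a vault, never the log
    log: List[dict] = []
    for ev in ({"agent": "a1", "cmd": "kubectl get pods", "approved": True},
               {"agent": "a1", "cmd": "kubectl delete pod x", "approved": True},
               {"agent": "a2", "cmd": "curl http://example.invalid", "approved": False}):
        append_record(log, key, ev)
    head = log[-1]["mac"]  # what the SIEM holds after the last forwarded record
    edited = copy.deepcopy(log)
    edited[1]["event"]["approved"] = False  # rewrite history: claim the delete was not approved
    return {"intact": verify_chain(log, key, head)[0],
            "edited": verify_chain(edited, key, head)[0],
            "deleted": verify_chain([log[0], log[2]], key, head)[0],
            "truncated": verify_chain(log[:2], key, head)[0],
            "truncated_no_head": verify_chain(log[:2], key)[0]}  # passes: no SIEM head to compare
```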
CIS Kubernetes Benchmark
| Control | Description | Baker Street Capability |
|---|---|---|
| 5.1 | RBAC and service accounts | Per-agent service accounts with least-privilege RBAC bindings help implement CIS RBAC recommendations |
| 5.2 | Pod security | Non-root users, read-only root filesystems, seccomp profiles, dropped Linux capabilities (drop ALL), and security contexts map to CIS pod security standards |
| 5.3 | Network policies | Default-deny NetworkPolicies with explicit egress allow-lists support CIS network segmentation controls |
| 5.4 | Secrets management | External Secrets Operator with runtime injection from external vaults helps implement CIS secrets management guidance |
| 5.7 | General policies | Kyverno admission policies enforce image provenance, resource limits, and namespace conventions, supporting CIS general policy controls |