CIS Benchmark
The Center for Internet Security - CIS releases benchmarks for best practice security recommendations spanning a number of areas. CIS Controls are an essential 'go to' resource for any data security and compliance professional. The CIS Kubernetes Benchmark is a set of recommendations for configuring Kubernetes to support a strong security posture. The CIS Kubernetes Benchmark is written for the open source Kubernetes distribution and intended to be as universally applicable across distributions as possible.
Kube Bench¶
Kube Bench is a popular, open source tool that can help test/verify whether a Kubernetes cluster is in compliance with the CIS benchmark. It highlights the areas of the Kubernetes cluster that do not comply with the CIS benchmark and also provides suggested solutions to resolve them.
Secure by Default¶
All upstream Kubernetes clusters provisioned by the controller are deployed in a "secure by default" configuration. This ensures that the clusters are provisioned in compliance with the CIS Kubernetes benchmark. The primary benefit of this approach is that customers do not have to invest in reviewing and operationalizing a separate hardening guide/process.
Daily Checks¶
CIS Benchmarks can be updated anytime. Our security and operations team has implemented automation to perform daily, automated checks on upstream Kubernetes clusters using the kube-bench utility. The results are then analyzed to ensure that there are no drifts requiring remediation.
False Positives¶
The Kube Bench utility is a set of opinionated and generalized tests. Unfortunately, it is not intelligent enough to automatically detect all configurations and mitigations. As a result, the scan results will incorrectly report failures which are actually "False Positives". Please contact our security team if you wish to receive a copy of these false positives and a detailed description