CIS Benchmark
The Center for Internet Security - CIS releases benchmarks for best practice security recommendations spanning a number of areas. CIS Controls are an essential 'go to' resource for any data security and compliance professional. The CIS Kubernetes Benchmark is a set of recommendations for configuring Kubernetes to support a strong security posture. The CIS Kubernetes Benchmark is written for the open source Kubernetes distribution and intended to be as universally applicable across distributions as possible.
Explore our blog for deeper insights on CIS Benchmark for Kubernetes, available here!
The Kubernetes CIS Benchmark contains >250 pages describing how to secure Kubernetes infrastructure. The benchmark itself is categorized into several sections as described below.
Control Plane Components¶
Recommendations for the configuration of the Kubernetes control plane. This includes the API Server, etcd, Controller Manager etc.
Worker Nodes¶
Recommendations for securing configuration files and defining specific configuration settings for the kubelet on worker nodes etc.
Policies¶
Recommendations for specific policies for Kubernetes elements like RBAC, pods and the container network interface (CNI), to improve security.
Important
The CIS benchmark is tied to a specific Kubernetes release.
Upstream Kubernetes clusters¶
Cluster provisioning¶
All upstream Kubernetes clusters provisioned by the controller are deployed in a secure by default configuration. This ensures that the clusters are provisioned in compliance with the CIS Kubernetes benchmark. The primary benefit of this approach is that customers do not have to invest in reviewing and operationalizing a separate hardening guide/process.
Ongoing compliance checks using Trivy¶
Trivy is a popular, open source tool that can help test/verify whether a Kubernetes cluster is in compliance with the CIS benchmark. It highlights the areas of the Kubernetes cluster that do not comply with the CIS benchmark and also provides suggested solutions to resolve them.
Step-by-step documentation clearly describing how to use the Trivy Operator on a fleet of Kubernetes clusters is detailed as a recipe here.
Customers can use Rafay's Zero Trust Kubectl as the means to securely access their fleet of clusters to centrally aggregate the CIS Benchmark reports. This ensures that the compliance team has visibility and access to every compliance report right from the birth of each cluster.
False Positives¶
Trivy utility is a set of opinionated and generalized tests. Unfortunately, it is not intelligent enough to automatically detect all configurations and mitigations. As a result, the scan results will incorrectly report failures which are actually "False Positives". Please contact our security team if you wish to receive a copy of these false positives and a detailed description of them.
Managed Kubernetes Services¶
Cluster provisioning¶
With managed services such as Amazon EKS, Azure AKS and Google GKE, there are recommendations (e.g. Control Plane components) that cannot be audited or remediated directly by the customer. Please refer to and implement the recommendations provided by the cloud provider.
Ongoing compliance checks using Trivy¶
Trivy is a popular, open source tool that can help test/verify whether a Kubernetes cluster is in compliance with the CIS benchmark. It highlights the areas of the Kubernetes cluster that do not comply with the CIS benchmark and also provides suggested solutions to resolve them.
Step-by-step documentation clearly describing how to use the Trivy Operator on a fleet of Kubernetes clusters is detailed as a recipe here.
Customers can use Rafay's Zero Trust Kubectl as the means to securely access their fleet of clusters to centrally aggregate the CIS Benchmark reports. This ensures that the compliance team has visibility and access to every compliance report right from the birth of each cluster.
Imported clusters¶
Ongoing compliance checks using Trivy¶
Trivy is a popular, open source tool that can help test/verify whether a Kubernetes cluster is in compliance with the CIS benchmark. It highlights the areas of the Kubernetes cluster that do not comply with the CIS benchmark and also provides suggested solutions to resolve them.
Step-by-step documentation clearly describing how to use the Trivy Operator on a fleet of Kubernetes clusters is detailed as a recipe here.
Customers can use Rafay's Zero Trust Kubectl as the means to securely access their fleet of clusters to centrally aggregate the CIS Benchmark reports. This ensures that the compliance team has visibility and access to every compliance report right from the birth of each cluster.