CIS Benchmark Kubernetes

What is CIS Benchmark Kubernetes

The Center for Internet Security (CIS) provides benchmarks and best practices for securing various technologies, including Kubernetes. These benchmarks offer guidance on how to configure and manage Kubernetes clusters to enhance their security posture.

When this framework is integrated in SSD, it is converted to code format. The policies created from this framework prompt an alert or prevent the deployment if the rule fails.

Examples of CIS Benchmark Kubernetes policies in SSD

  • CIS - Compliance Score - Range: 0-30 - Overall CIS Compliance Score found below 30.

  • CIS-1.1.1 Ensure that the API server pod specification file permissions are set to 600 or more restrictive - The API server pod specification file controls various parameters that set the behaviour of the API server. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system.

  • CIS-3.2.1 Ensure that a minimal audit policy is created - Kubernetes can audit the details of requests made to the API server. The audit policy file flag must be set for this logging to be enabled.

  • CIS-5.3.1 Ensure that the CNI in use supports Network Policies - Kubernetes network policies are enforced by the CNI plugin in use. As such it is important to ensure that the CNI plugin supports both Ingress and Egress network policies.

  • CIS-5.7.4 The default namespace should not be used - Resources in a Kubernetes cluster should be segregated by namespace, to allow for security controls to be applied at that level and to make it easier to manage resources.
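The following script is an added example, not SSD's policy-as-code or anything from the CIS Benchmark itself. It shows what three of the controls listed above (CIS-1.1.1, CIS-3.2.1 and CIS-5.7.4) look like as concrete, offline checks. The manifests it inspects are constructed inline under a temporary directory; on a real control-plane node the API server pod spec would instead be read from a path such as /etc/kubernetes/manifests/kube-apiserver.yaml (an assumed location, adjust for your distribution). CIS-5.3.1 is left out because verifying CNI support for network policies requires querying the live cluster.

```shell
#!/bin/sh
# Added example (not SSD's own policy code): offline checks mirroring
# CIS-1.1.1, CIS-3.2.1 and CIS-5.7.4, run against constructed sample files.
# All paths under $WORK are placeholders created by this script.

WORK=$(mktemp -d)

# Constructed sample: a compliant API server pod spec (audit flag set, mode 600).
cat > "$WORK/kube-apiserver.yaml" <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - name: kube-apiserver
    command:
    - kube-apiserver
    - --audit-policy-file=/etc/kubernetes/audit-policy.yaml
EOF
chmod 600 "$WORK/kube-apiserver.yaml"

# Constructed sample: a non-compliant spec (no audit flag, world-readable).
cat > "$WORK/kube-apiserver-bad.yaml" <<'EOF'
apiVersion: v1
kind: Pod
spec:
  containers:
  - name: kube-apiserver
    command:
    - kube-apiserver
EOF
chmod 644 "$WORK/kube-apiserver-bad.yaml"

# Constructed sample: a workload manifest with no namespace, so it would be
# created in "default" when applied.
cat > "$WORK/app.yaml" <<'EOF'
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web
EOF

# CIS-1.1.1: file mode must be 600 or more restrictive, i.e. no group/other
# bits and no owner execute bit. Returns 0 on pass, 1 on fail.
check_file_mode() {
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
  case "$mode" in
    600|400|200|0|000) return 0 ;;
    *) echo "CIS-1.1.1 FAIL: $1 has mode $mode"; return 1 ;;
  esac
}

# CIS-3.2.1: the API server must be started with --audit-policy-file=<path>,
# otherwise request auditing is disabled.
check_audit_policy() {
  if grep -q -- '--audit-policy-file=' "$1"; then return 0; fi
  echo "CIS-3.2.1 FAIL: $1 does not set --audit-policy-file"; return 1
}

# CIS-5.7.4: a manifest must carry an explicit namespace other than "default".
check_namespace() {
  ns=$(sed -n 's/^[[:space:]]*namespace:[[:space:]]*//p' "$1" | head -n 1)
  if [ -n "$ns" ] && [ "$ns" != "default" ]; then return 0; fi
  echo "CIS-5.7.4 FAIL: $1 uses the default namespace"; return 1
}

# Run every check over the constructed inputs. The return value is the number
# of failed checks, so a CI gate can fail the pipeline on anything non-zero.
run_checks() {
  fails=0
  check_file_mode "$WORK/kube-apiserver.yaml"         || fails=$((fails+1))
  check_audit_policy "$WORK/kube-apiserver.yaml"      || fails=$((fails+1))
  check_namespace "$WORK/kube-apiserver.yaml"         || fails=$((fails+1))
  check_file_mode "$WORK/kube-apiserver-bad.yaml"     || fails=$((fails+1))
  check_audit_policy "$WORK/kube-apiserver-bad.yaml"  || fails=$((fails+1))
  check_namespace "$WORK/app.yaml"                    || fails=$((fails+1))
  return $fails
}

n=0
run_checks || n=$?
echo "failed checks: $n"
```

With the constructed inputs the compliant spec passes all three checks and the two non-compliant files fail three checks in total, which is the exit status a deployment gate would act on. The mode check deliberately treats any extra leading digit reported by stat (setuid, setgid or sticky) as a failure rather than trying to interpret it.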

Refer to the CIS Kubernetes Benchmark for more information.
