# CIS Benchmark Kubernetes

### What is CIS Benchmark Kubernetes

The Center for Internet Security (CIS) provides benchmarks and best practices for securing various technologies, including Kubernetes. These benchmarks offer guidance on how to configure and manage Kubernetes clusters to enhance their security posture.

When this framework is integrated into Delivery Shield, it is converted to code format. The policies created from this framework prompt an alert or prevent the deployment if a rule fails.

### Example of CIS Benchmark Kubernetes policies in Delivery Shield

* **CIS - Compliance Score - Range: 0-30** - Overall CIS Compliance Score found below 30.
* **CIS-1.1.1 Ensure that the API server pod specification file permissions are set to 600 or more restrictive** - The API server pod specification file controls various parameters that set the behaviour of the API server. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system.
* **CIS-3.2.1 Ensure that a minimal audit policy is created** - Kubernetes can audit the details of requests made to the API server. The audit policy file flag must be set for this logging to be enabled.
* **CIS-5.3.1 Ensure that the CNI in use supports Network Policies** - Kubernetes network policies are enforced by the CNI plugin in use. As such it is important to ensure that the CNI plugin supports both Ingress and Egress network policies.
* **CIS-5.7.4 The default namespace should not be used** - Resources in a Kubernetes cluster should be segregated by namespace, to allow for security controls to be applied at that level and to make it easier to manage resources.

Refer to the [CIS Kubernetes Benchmark](https://www.cisecurity.org/benchmark/kubernetes) for more information.
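As an added illustration (not Delivery Shield's own policy code), the following Python sketch shows how the CIS-1.1.1 and CIS-3.2.1 rules from the list above can be expressed as checks. The manifest text, the audit policy path inside it, and the function names are constructed for this example; a temporary file stands in for the API server pod specification file.

```python
import pathlib
import stat
import tempfile

ALLOWED_MODE = 0o600  # CIS-1.1.1: 600 or more restrictive

# Constructed sample manifest; the audit flag is commented out on purpose.
SAMPLE_MANIFEST = """\
apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
spec:
  containers:
  - name: kube-apiserver
    command:
    - kube-apiserver
    # - --audit-policy-file=/etc/kubernetes/audit-policy.yaml
"""

def mode_is_600_or_stricter(mode: int) -> bool:
    # Compare bit by bit: 0o440 is numerically below 0o600 but grants
    # group read, so a plain "<=" comparison would pass it wrongly.
    return (stat.S_IMODE(mode) & ~ALLOWED_MODE) == 0

def has_audit_policy_flag(manifest_text: str) -> bool:
    # CIS-3.2.1: the flag must be an active argument with a non-empty value.
    for line in manifest_text.splitlines():
        arg = line.strip()
        if arg.startswith("- "):
            arg = arg[2:].strip("'\"")
        if arg.startswith("--audit-policy-file=") and arg.split("=", 1)[1]:
            return True
    return False

def check_manifest(path: pathlib.Path) -> dict:
    return {
        "CIS-1.1.1": mode_is_600_or_stricter(path.stat().st_mode),
        "CIS-3.2.1": has_audit_policy_flag(path.read_text()),
    }

def demo() -> tuple:
    # Evaluate a failing configuration, remediate it, and evaluate again.
    with tempfile.TemporaryDirectory() as d:
        p = pathlib.Path(d, "kube-apiserver.yaml")
        p.write_text(SAMPLE_MANIFEST)
        p.chmod(0o644)
        before = check_manifest(p)
        p.write_text(SAMPLE_MANIFEST.replace("# - --audit", "- --audit"))
        p.chmod(0o600)
        after = check_manifest(p)
    return before, after
```
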


