// Level 3 · Controls
Kubernetes
CIS Kubernetes Benchmark
1.1.1 · High
Ensure that the API server pod specification file permissions are set to 600 or more restrictive
Protect kube-apiserver manifest.
1.2.1 · Critical
Ensure that the --anonymous-auth argument is set to false
Disable anonymous API access.
1.2.5 · High
Ensure that the --kubelet-https argument is set to true
Encrypt kubelet API.
1.2.7 · Critical
Ensure that the --authorization-mode argument is not set to AlwaysAllow
Use RBAC/Node authorisation.
1.2.8 · High
Ensure that the --authorization-mode argument includes Node
Node-restricted authorisation.
1.2.9 · Critical
Ensure that the --authorization-mode argument includes RBAC
Use RBAC.
1.2.16 · High
Ensure that the admission control plugin PodSecurity is set
Use Pod Security Admission.
1.2.22 · High
Ensure that the --audit-log-path argument is set
Enable API audit logs.
4.2.1 · Critical
Minimize the admission of privileged containers
Restrict privileged pods.
4.2.2 · High
Minimize the admission of containers wishing to share the host process ID namespace
No hostPID.
4.2.3 · High
Minimize the admission of containers wishing to share the host IPC namespace
No hostIPC.
4.2.6 · High
Minimize the admission of root containers
Force runAsNonRoot.
5.1.1 · Critical
Ensure that the cluster-admin role is only used where required
Limit cluster-admin bindings.
5.1.3 · High
Minimize wildcard use in Roles and ClusterRoles
Avoid '*' verbs/resources.
5.2.1 · High
Ensure that the cluster has at least one active policy control mechanism
PSA, OPA, or Kyverno.