CIS Kubernetes Benchmarks Alignment¶
This document describes how the Secure CINC Auditor Kubernetes Container Scanning solution aligns with the Center for Internet Security (CIS) Kubernetes Benchmarks.
Overview¶
The CIS Kubernetes Benchmarks provide prescriptive guidance for establishing a secure configuration posture for Kubernetes. This document outlines how our container scanning approaches align with these benchmarks.
Benchmark Alignment¶
| Benchmark Section | Title | Requirement Summary | Alignment | Notes |
|---|---|---|---|---|
| 1.2 | API Server | Configure secure API server settings | ✅ High | Our scanning approaches respect secure API configurations |
| 4.2 | Authentication | Implement strong authentication | ✅ High | Service account tokens use short-lived credentials |
| 5.1 | RBAC | Configure proper authorization | ✅ High | Implementations use least-privilege RBAC |
| 5.2 | Service Accounts | Manage service accounts securely | ✅ High | Limited service account permissions |
| 5.7 | Network Policies | Restrict pod communications | ✅ High | Communications use TLS encryption |
Scanning Approach Compliance¶
Kubernetes API Approach¶
The Kubernetes API Approach provides the highest level of alignment with CIS Kubernetes Benchmarks:
- Uses Kubernetes native service accounts with tight RBAC controls
- Prevents privilege escalation within containers
- Establishes proper network security with TLS encryption
- Implements proper logging and monitoring
Debug Container Approach¶
The Debug Container Approach has moderate alignment with CIS Kubernetes Benchmarks:
- Uses ephemeral debug containers with limited lifespans
- Implements proper RBAC controls for debug container creation
- Respects container security contexts
Sidecar Container Approach¶
The Sidecar Container Approach has moderate alignment with CIS Kubernetes Benchmarks:
- Uses shared process namespace with proper isolation
- Implements appropriate container security contexts
- Avoids privileged operations when possible
Implementation Recommendations¶
For optimal alignment with CIS Kubernetes Benchmarks, we recommend:
- Using the Kubernetes API Approach when possible
- Implementing the least-privilege RBAC controls provided
- Ensuring proper audit logging is enabled
- Following the security recommendations in our Enterprise Recommendations guide
Related Documentation¶
- Approach Comparison - Security framework comparison
- Risk Documentation - Documentation requirements
- Kubernetes STIG - DISA STIG alignment information