CIS Kubernetes 1.11 Benchmark V1.3.0 L1

Details Do not bind the scheduler service to non-loopback insecure addresses. Rationale: The Scheduler API service which runs on port...

Details Do not allow all requests. Rationale: Setting admission control plugin AlwaysAdmit allows all requests and do not filter any...

Details Always pull images. Rationale: Setting admission control policy to AlwaysPullImages forces every new pod to pull the required images...

Details Deny execution of exec and attach commands in privileged pods. Rationale: Setting admission control policy to DenyEscalatingExec denies exec...

Details Limit the rate at which the API server accepts requests. Rationale: Using EventRateLimit admission control enforces a limit on...

Details Reject creating objects in a namespace that is undergoing termination. Rationale: Setting admission control policy to NamespaceLifecycle ensures that...

Details Limit the Node and Pod objects that a kubelet could modify. Rationale: Using the NodeRestriction plug-in ensures that the...

Details Reject creating pods that do not match Pod Security Policies. Rationale: A Pod Security Policy is a cluster-level resource...

Details Restrict pod level SecurityContext customization. Instead of using a customized SecurityContext for your pods, use a Pod Security Policy...

Details Automate service accounts management. Rationale: When you create a pod, if you do not specify a service account, it...