CIS Kubernetes 1.13 Benchmark V1.4 1 L1

Details Do not bind the scheduler service to non-loopback insecure addresses. Rationale: The Scheduler API service which runs on port...

Details Do not allow all requests. Rationale: Setting admission control plugin ‘AlwaysAdmit’ allows all requests and do not filter any...

Details Always pull images. Rationale: Setting admission control policy to ‘AlwaysPullImages’ forces every new pod to pull the required images...

Details Limit the rate at which the API server accepts requests. Rationale: Using ‘EventRateLimit’ admission control enforces a limit on...

Details Reject creating objects in a namespace that is undergoing termination. Rationale: Setting admission control policy to ‘NamespaceLifecycle’ ensures that...

Details Limit the ‘Node’ and ‘Pod’ objects that a kubelet could modify. Rationale: Using the ‘NodeRestriction’ plug-in ensures that the...

Details Reject creating pods that do not match Pod Security Policies. Rationale: A Pod Security Policy is a cluster-level resource...

Details Restrict pod level SecurityContext customization. Instead of using a customized SecurityContext for your pods, use a Pod Security Policy...

Details Automate service accounts management. Rationale: When you create a pod, if you do not specify a service account, it...

Details Do not disable advanced auditing. Rationale: ‘AdvancedAuditing’ enables a much more general API auditing pipeline, which includes support for...