Ensure that the admission control policy is not set to AlwaysAdmit
Details: Do not allow all requests.
Rationale: Setting the admission control policy to `AlwaysAdmit` allows all requests and does not filter...

Ensure that the admission control policy is set to AlwaysPullImages
Details: Always pull images.
Rationale: Setting the admission control policy to `AlwaysPullImages` forces every new pod to pull the required images...

Ensure that the admission control policy is set to DenyEscalatingExec
Details: Deny execution of `exec` and `attach` commands in privileged pods.
Rationale: Setting the admission control policy to `DenyEscalatingExec` denies `exec`...

Ensure that the admission control policy is set to NamespaceLifecycle
Details: Reject creating objects in a namespace that is undergoing termination.
Rationale: Setting the admission control policy to `NamespaceLifecycle` ensures that...

Ensure that the admission control policy is set to NodeRestriction
Details: Limit the `Node` and `Pod` objects that a kubelet can modify.
Rationale: Using the `NodeRestriction` plug-in ensures that the...

Ensure that the admission control policy is set to PodSecurityPolicy
Details: Reject creating pods that do not match Pod Security Policies.
Rationale: A Pod Security Policy is a cluster-level resource...

Ensure that the admission control policy is set to SecurityContextDeny
Details: Restrict pod-level SecurityContext customization. Instead of using a customized SecurityContext for your pods, use a Pod Security Policy...

Ensure that the admission control policy is set to ServiceAccount
Details: Automate service account management.
Rationale: When you create a pod, if you do not specify a service account, it...

Ensure that the `--allow-privileged` argument is set to false
Details: Do not allow privileged containers.
Rationale: A privileged container has all the system capabilities, and it also lifts all...

Ensure that the `--anonymous-auth` argument is set to false
Details: Disable anonymous requests to the API server.
Rationale: When enabled, requests that are not rejected by other configured authentication...