CIS Kubernetes Benchmark V1.6.1 L1 Master

Details Ensure that the admin.conf file ownership is set to root:root. Rationale: The admin.conf file contains the admin credentials for...

Details Ensure that the admin.conf file has permissions of 644 or more restrictive. Rationale: The admin.conf is the administrator kubeconfig...

Details Do not allow all requests. Rationale: Setting admission control plugin AlwaysAdmit allows all requests and do not filter any...

Details Always pull images. Rationale: Setting admission control policy to AlwaysPullImages forces every new pod to pull the required images...

Details Limit the rate at which the API server accepts requests. Rationale: Using EventRateLimit admission control enforces a limit on...

Details Reject creating objects in a namespace that is undergoing termination. Rationale: Setting admission control policy to NamespaceLifecycle ensures that...

Details Limit the Node and Pod objects that a kubelet could modify. Rationale: Using the NodeRestriction plug-in ensures that the...

Details Reject creating pods that do not match Pod Security Policies. Rationale: A Pod Security Policy is a cluster-level resource...

Details The SecurityContextDeny admission controller can be used to deny pods which make use of some SecurityContext fields which could...

Details Automate service accounts management. Rationale: When you create a pod, if you do not specify a service account, it...