CIS Benchmarks

The Center for Internet Security (CIS) provides the CIS Kubernetes Benchmarks for each Kubernetes release. These benchmarks comprise a comprehensive set of recommendations that is targeted to enhancing Kubernetes security configuration. Designed to align with industry regulations, CIS Benchmarks ensure standards that meet diverse compliance requirements, and their universal applicability across Kubernetes distributions ensures the fortification of such environments and while fostering a robust security posture.


  • The CIS Benchmark results detailed herein are verified against MKE 3.6.8.

  • Mirantis has based its handling of Kubernetes benchmarks on CIS Kubernetes Benchmark v1.7.0.

1 Control Plane Components

Section 1 is comprised of security recommendations for the direct configuration of Kubernetes control plane processes. It is broken out into four subsections:

2 etcd

Section 2 details recommendations for etcd configuration, under the assumption that you are running etcd in a Kubernetes Pod.

3 Control Plane Configuration

Section 3 details recommendations for cluster-wide areas, such as authentication and logging. It is broken out into two subsections:

4 Worker Nodes

Section 4 details security recommendations for the components that run on Kubernetes worker nodes.


Note that the components for Kubernetes worker nodes may also run on Kubernetes master nodes. Thus, the recommendations in Section 4 should be applied to master nodes as well as worker nodes where the master nodes make use of these components.

Section 4 is broken out into two subsections:

5 Policies

Section 5 details recommendations for various Kubernetes policies which are important to the security of the environment. Section 5 is broken out into six subsections, with 5.6 not in use: