Due to upgrade issues with the Envoy gateway and the offline installation environments, upgrading to MKE 4k 4.1.3 is not recommended. These issues are fixed in the 4.1.4 release. For version 4.1.3, Mirantis only supports fresh installations.
5. Kubernetes policies
5.1 RBAC and service accounts
| CIS ID | Recommendation | Resolution | Comments |
|---|---|---|---|
| 5.1.1 | Ensure that the cluster-admin role is only used where required. | Warn | NA |
| 5.1.2 | Minimize access to secrets. | Warn | NA |
| 5.1.3 | Minimize wildcard use in Roles and ClusterRoles. | Warn | NA |
| 5.1.4 | Minimize access to create pods. | Warn | NA |
| 5.1.5 | Ensure that default service accounts are not actively used. | Warn | NA |
| 5.1.6 | Ensure that Service Account Tokens are only mounted where necessary. | Warn | NA |
| 5.1.7 | Avoid use of system:masters group. | Warn | NA |
| 5.1.8 | Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster. | Warn | NA |
| 5.1.9 | Minimize access to create persistent volumes. | Warn | NA |
| 5.1.10 | Minimize access to the proxy sub-resource of nodes. | Warn | NA |
| 5.1.11 | Minimize access to the approval sub-resource of certificatesigningrequests objects. | Warn | NA |
| 5.1.12 | Minimize access to webhook configuration objects. | Warn | NA |
| 5.1.13 | Minimize access to the service account token creation. | Warn | NA |
5.2 Pod security policies
| CIS ID | Recommendation | Resolution | Comments |
|---|---|---|---|
| 5.2.1 | Ensure that the cluster has at least one active policy control mechanism in place. | Warn | NA |
| 5.2.2 | Minimize the admission of privileged containers. | Warn | NA |
| 5.2.3 | Minimize the admission of containers wishing to share the host process ID namespace. | Warn | NA |
| 5.2.4 | Minimize the admission of containers wishing to share the host IPC namespace. | Warn | NA |
| 5.2.5 | Minimize the admission of containers wishing to share the host network namespace. | Warn | NA |
| 5.2.6 | Minimize the admission of containers with allowPrivilegeEscalation. | Warn | NA |
| 5.2.7 | Minimize the admission of root containers. | Warn | NA |
| 5.2.8 | Minimize the admission of containers with the NET_RAW capability. | Warn | NA |
| 5.2.9 | Minimize the admission of containers with added capabilities. | Warn | NA |
| 5.2.10 | Minimize the admission of containers with capabilities assigned. | Warn | NA |
| 5.2.11 | Minimize the admission of Windows HostProcess containers. | Warn | NA |
| 5.2.12 | Minimize the admission of HostPath volumes. | Warn | NA |
| 5.2.13 | Minimize the admission of containers which use HostPorts. | Warn | NA |
5.3 Network policies and CNI
| CIS ID | Recommendation | Resolution | Comments |
|---|---|---|---|
| 5.3.1 | Ensure that the CNI in use supports NetworkPolicies. | Warn | NA |
| 5.3.2 | Ensure that all Namespaces have NetworkPolicies defined. | Warn | NA |
5.4 Secrets management
| CIS ID | Recommendation | Resolution | Comments |
|---|---|---|---|
| 5.4.1 | Prefer using secrets as files over secrets as environment variables. | Warn | NA |
| 5.4.2 | Consider external secret storage. | Warn | NA |
5.5 Extensible admission control
| CIS ID | Recommendation | Resolution | Comments |
|---|---|---|---|
| 5.5.1 | Configure Image Provenance using ImagePolicyWebhook admission controller. | Warn | NA |
5.6 General policies
| CIS ID | Recommendation | Resolution | Comments |
|---|---|---|---|
| 5.6.1 | Create administrative boundaries between resources using namespaces. | Warn | NA |
| 5.6.2 | Ensure that the seccomp profile is set to docker/default in your pod definitions. | Warn | NA |
| 5.6.3 | Apply SecurityContext to your Pods and Containers. | Warn | NA |
| 5.6.4 | The default namespace should not be used. | Warn | NA |