Due to upgrade issues with the Envoy gateway and the offline installation environments, upgrading to MKE 4k 4.1.3 is not recommended. These issues will be fixed in a future release. For version 4.1.3, Mirantis only supports fresh installations.
5. Kubernetes policies
5.1 RBAC and service accounts
| CIS ID | Recommendation | Resolution | Comments |
|---|---|---|---|
| 5.1.1 | Ensure that the cluster-admin role is only used where required. | Warn | NA |
| 5.1.2 | Minimize access to secrets. | Warn | NA |
| 5.1.3 | Minimize wildcard use in Roles and ClusterRoles. | Warn | NA |
| 5.1.4 | Minimize access to create pods. | Warn | NA |
| 5.1.5 | Ensure that default service accounts are not actively used. | Warn | NA |
| 5.1.6 | Ensure that Service Account Tokens are only mounted where necessary. | Warn | NA |
| 5.1.7 | Avoid use of system:masters group. | Warn | NA |
| 5.1.8 | Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster. | Warn | NA |
| 5.1.9 | Minimize access to create persistent volumes. | Warn | NA |
| 5.1.10 | Minimize access to the proxy sub-resource of nodes. | Warn | NA |
| 5.1.11 | Minimize access to the approval sub-resource of certificatesigningrequests objects. | Warn | NA |
| 5.1.12 | Minimize access to webhook configuration objects. | Warn | NA |
| 5.1.13 | Minimize access to the service account token creation. | Warn | NA |
5.2 Pod security policies
| CIS ID | Recommendation | Resolution | Comments |
|---|---|---|---|
| 5.2.1 | Ensure that the cluster has at least one active policy control mechanism in place. | Warn | NA |
| 5.2.2 | Minimize the admission of privileged containers. | Warn | NA |
| 5.2.3 | Minimize the admission of containers wishing to share the host process ID namespace. | Warn | NA |
| 5.2.4 | Minimize the admission of containers wishing to share the host IPC namespace. | Warn | NA |
| 5.2.5 | Minimize the admission of containers wishing to share the host network namespace. | Warn | NA |
| 5.2.6 | Minimize the admission of containers with allowPrivilegeEscalation. | Warn | NA |
| 5.2.7 | Minimize the admission of root containers. | Warn | NA |
| 5.2.8 | Minimize the admission of containers with the NET_RAW capability. | Warn | NA |
| 5.2.9 | Minimize the admission of containers with added capabilities. | Warn | NA |
| 5.2.10 | Minimize the admission of containers with capabilities assigned. | Warn | NA |
| 5.2.11 | Minimize the admission of Windows HostProcess containers. | Warn | NA |
| 5.2.12 | Minimize the admission of HostPath volumes. | Warn | NA |
| 5.2.13 | Minimize the admission of containers which use HostPorts. | Warn | NA |
5.3 Network policies and CNI
| CIS ID | Recommendation | Resolution | Comments |
|---|---|---|---|
| 5.3.1 | Ensure that the CNI in use supports NetworkPolicies. | Warn | NA |
| 5.3.2 | Ensure that all Namespaces have NetworkPolicies defined. | Warn | NA |
5.4 Secrets management
| CIS ID | Recommendation | Resolution | Comments |
|---|---|---|---|
| 5.4.1 | Prefer using secrets as files over secrets as environment variables. | Warn | NA |
| 5.4.2 | Consider external secret storage. | Warn | NA |
5.5 Extensible admission control
| CIS ID | Recommendation | Resolution | Comments |
|---|---|---|---|
| 5.5.1 | Configure Image Provenance using ImagePolicyWebhook admission controller. | Warn | NA |
5.6 General policies
| CIS ID | Recommendation | Resolution | Comments |
|---|---|---|---|
| 5.6.1 | Create administrative boundaries between resources using namespaces. | Warn | NA |
| 5.6.2 | Ensure that the seccomp profile is set to docker/default in your pod definitions. | Warn | NA |
| 5.6.3 | Apply SecurityContext to Your Pods and Containers. | Warn | NA |
| 5.6.4 | The default namespace should not be used. | Warn | NA |