5. Kubernetes policies
5.1 RBAC and service accounts
| CIS ID | Recommendation | Resolution | Comments |
|---|---|---|---|
| 5.1.1 | Ensure that the cluster-admin role is only used where required. | Warn | NA |
| 5.1.2 | Minimize access to secrets. | Warn | NA |
| 5.1.3 | Minimize wildcard use in Roles and ClusterRoles. | Warn | NA |
| 5.1.4 | Minimize access to create pods. | Warn | NA |
| 5.1.5 | Ensure that default service accounts are not actively used. | Warn | NA |
| 5.1.6 | Ensure that Service Account Tokens are only mounted where necessary. | Warn | NA |
| 5.1.7 | Avoid use of system:masters group. | Warn | NA |
| 5.1.8 | Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster. | Warn | NA |
| 5.1.9 | Minimize access to create persistent volumes. | Warn | NA |
| 5.1.10 | Minimize access to the proxy sub-resource of nodes. | Warn | NA |
| 5.1.11 | Minimize access to the approval sub-resource of certificatesigningrequests objects. | Warn | NA |
| 5.1.12 | Minimize access to webhook configuration objects. | Warn | NA |
| 5.1.13 | Minimize access to the service account token creation. | Warn | NA |
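Every row in 5.1 is a manual check (Resolution "Warn"), so the auditor has to read the cluster's RBAC objects and apply the criteria by hand. The script below is an added example, not code from this page or from the benchmark: it takes the `items` list of a `kubectl get clusterroles,roles,clusterrolebindings,rolebindings -A -o json` export and reports the rules and bindings that trip 5.1.1 through 5.1.13, leaving out 5.1.6 (a pod-spec setting) and 5.1.7 (system:masters membership comes from the client certificate's organization field, which RBAC objects do not show). The sample objects embedded in it are constructed; the verb/resource sets in `SENSITIVE`, the decision to skip objects carrying the API server's `kubernetes.io/bootstrapping` label, and the treatment of a `default` service account in a binding as a 5.1.5 finding are the example's own choices.

```python
"""Offline audit of exported RBAC objects against the CIS 5.1 checks that can be
read from Roles, ClusterRoles and their bindings.

Input is the "items" list from
  kubectl get clusterroles,roles,clusterrolebindings,rolebindings -A -o json
The objects at the bottom are constructed for illustration.
"""
import json
import sys
from collections import defaultdict

# CIS ID -> (verbs, resources) a rule should not grant. None = any resource.
# A "*" in a rule's verbs or resources matches everything, so it trips the check.
SENSITIVE = {
    "5.1.2":  ({"get", "list", "watch"}, {"secrets"}),
    "5.1.4":  ({"create"}, {"pods"}),
    "5.1.8":  ({"bind", "impersonate", "escalate"}, None),
    "5.1.9":  ({"create"}, {"persistentvolumes"}),
    "5.1.10": ({"get", "create"}, {"nodes/proxy"}),
    "5.1.11": ({"update", "patch"}, {"certificatesigningrequests/approval"}),
    "5.1.12": ({"create", "update", "patch", "delete"},
               {"validatingwebhookconfigurations", "mutatingwebhookconfigurations"}),
    "5.1.13": ({"create"}, {"serviceaccounts/token"}),
}
BOOTSTRAP_LABEL = "kubernetes.io/bootstrapping"   # marks the API server's default roles


def _grants(rule, verbs, resources):
    """True if `rule` grants any of `verbs` on any of `resources` ("*" matches all)."""
    rule_verbs, rule_res = set(rule.get("verbs", [])), set(rule.get("resources", []))
    verb_hit = "*" in rule_verbs or bool(rule_verbs & verbs)
    if resources is None:
        return verb_hit
    return verb_hit and ("*" in rule_res or bool(rule_res & resources))


def audit_rbac(items):
    """Return {cis_id: sorted object labels} for the findings in `items`."""
    findings = defaultdict(set)
    for obj in items:
        meta = obj["metadata"]
        kind, name, ns = obj["kind"], meta["name"], meta.get("namespace")
        label = f"{kind}/{ns}/{name}" if ns else f"{kind}/{name}"
        if BOOTSTRAP_LABEL in meta.get("labels", {}):
            continue   # built-in roles and bindings are expected; only user-created ones count
        if kind.endswith("Role"):
            for rule in obj.get("rules", []):
                # 5.1.3: a wildcard anywhere in the rule
                if any("*" in rule.get(k, []) for k in ("apiGroups", "resources", "verbs")):
                    findings["5.1.3"].add(label)
                for cis_id, (verbs, resources) in SENSITIVE.items():
                    if _grants(rule, verbs, resources):
                        findings[cis_id].add(label)
        elif kind.endswith("RoleBinding"):
            # 5.1.1: any user-created binding to cluster-admin
            if obj.get("roleRef", {}).get("name") == "cluster-admin":
                findings["5.1.1"].add(label)
            for subj in obj.get("subjects", []):
                # 5.1.5: a default service account that has been granted a role
                if subj.get("kind") == "ServiceAccount" and subj.get("name") == "default":
                    findings["5.1.5"].add(label)
    return {k: sorted(v) for k, v in sorted(findings.items())}


# Constructed sample export: the two built-in cluster-admin objects plus user-created ones.
SAMPLE = [
    {"kind": "ClusterRole", "metadata": {"name": "cluster-admin",
                                         "labels": {BOOTSTRAP_LABEL: "rbac-defaults"}},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "cluster-admin",
                                                "labels": {BOOTSTRAP_LABEL: "rbac-defaults"}},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:masters"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "ops-admins"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "ops"}]},
    {"kind": "Role", "metadata": {"name": "ci-deployer", "namespace": "ci"},
     "rules": [{"apiGroups": [""], "resources": ["pods", "secrets"], "verbs": ["get", "list", "create"]},
               {"apiGroups": ["rbac.authorization.k8s.io"], "resources": ["clusterroles"], "verbs": ["bind"]}]},
    {"kind": "RoleBinding", "metadata": {"name": "ci-deployer", "namespace": "ci"},
     "roleRef": {"kind": "Role", "name": "ci-deployer"},
     "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "ci"}]},
    {"kind": "Role", "metadata": {"name": "debug", "namespace": "dev"},
     "rules": [{"apiGroups": [""], "resources": ["*"], "verbs": ["get"]}]},
]

if __name__ == "__main__":
    # Pass the path of the kubectl JSON export, or run with no argument to audit the sample.
    items = json.load(open(sys.argv[1]))["items"] if len(sys.argv) > 1 else SAMPLE
    for cis_id, labels in audit_rbac(items).items():
        print(cis_id, ", ".join(labels))
```

A finding here is a prompt to justify the grant, not a verdict: 5.1.4 will list every CI deployer that legitimately creates pods, and 5.1.2 every operator that must read secrets. The point of the benchmark's wording ("minimize") is that each such subject is known and deliberate.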
5.2 Pod security policies
| CIS ID | Recommendation | Resolution | Comments |
|---|---|---|---|
| 5.2.1 | Ensure that the cluster has at least one active policy control mechanism in place. | Warn | NA |
| 5.2.2 | Minimize the admission of privileged containers. | Warn | NA |
| 5.2.3 | Minimize the admission of containers wishing to share the host process ID namespace. | Warn | NA |
| 5.2.4 | Minimize the admission of containers wishing to share the host IPC namespace. | Warn | NA |
| 5.2.5 | Minimize the admission of containers wishing to share the host network namespace. | Warn | NA |
| 5.2.6 | Minimize the admission of containers with allowPrivilegeEscalation. | Warn | NA |
| 5.2.7 | Minimize the admission of root containers. | Warn | NA |
| 5.2.8 | Minimize the admission of containers with the NET_RAW capability. | Warn | NA |
| 5.2.9 | Minimize the admission of containers with added capabilities. | Warn | NA |
| 5.2.10 | Minimize the admission of containers with capabilities assigned. | Warn | NA |
| 5.2.11 | Minimize the admission of Windows HostProcess containers. | Warn | NA |
| 5.2.12 | Minimize the admission of HostPath volumes. | Warn | NA |
| 5.2.13 | Minimize the admission of containers which use HostPorts. | Warn | NA |
5.3 Network policies and CNI
| CIS ID | Recommendation | Resolution | Comments |
|---|---|---|---|
| 5.3.1 | Ensure that the CNI in use supports NetworkPolicies. | Warn | NA |
| 5.3.2 | Ensure that all Namespaces have NetworkPolicies defined. | Warn | NA |
5.4 Secrets management
| CIS ID | Recommendation | Resolution | Comments |
|---|---|---|---|
| 5.4.1 | Prefer using secrets as files over secrets as environment variables. | Warn | NA |
| 5.4.2 | Consider external secret storage. | Warn | NA |
5.5 Extensible admission control
| CIS ID | Recommendation | Resolution | Comments |
|---|---|---|---|
| 5.5.1 | Configure Image Provenance using ImagePolicyWebhook admission controller. | Warn | NA |
5.6 General policies
| CIS ID | Recommendation | Resolution | Comments |
|---|---|---|---|
| 5.6.1 | Create administrative boundaries between resources using namespaces. | Warn | NA |
| 5.6.2 | Ensure that the seccomp profile is set to docker/default in your pod definitions. | Warn | NA |
| 5.6.3 | Apply SecurityContext to Your Pods and Containers. | Warn | NA |
| 5.6.4 | The default namespace should not be used. | Warn | NA |
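Rows 5.2.2 through 5.2.13, together with 5.1.6, 5.4.1, 5.6.2, 5.6.3 and 5.6.4, are all properties of a Pod spec, so one evaluator can apply them to manifests before admission or to a `kubectl get pods -A -o json` export afterwards. The checker below is an added example and not code from this page; it encodes each of those rows as a test on the spec. Its assumptions are the example's own: the API defaults it relies on (`automountServiceAccountToken` and `allowPrivilegeEscalation` both default to true when unset), `seccompProfile.type: RuntimeDefault` or the legacy `seccomp.security.alpha.kubernetes.io/pod` annotation as the current form of the `docker/default` profile named in 5.6.2, and "drop ALL" as the satisfying condition for 5.2.8 and 5.2.10. The two sample pods in it are constructed.

```python
"""Evaluate Pod specs offline against the CIS 5.2 admission criteria plus the pod-level
items from 5.1.6, 5.4.1, 5.6.2, 5.6.3 and 5.6.4. Input is one Pod as a dict in the shape
of `kubectl get pod -o json`; for a Deployment or StatefulSet pass `spec.template`.
The two sample pods at the bottom are constructed for illustration."""
import json
import sys

SECCOMP_OK = {"RuntimeDefault", "Localhost"}               # securityContext.seccompProfile.type
LEGACY_SECCOMP_OK = {"docker/default", "runtime/default"}  # pre-1.19 pod annotation values


def _containers(spec):
    return (spec.get("initContainers", []) + spec.get("containers", [])
            + spec.get("ephemeralContainers", []))


def check_pod(pod):
    """Return a sorted list of (cis_id, detail) findings for one Pod."""
    meta, spec = pod.get("metadata", {}), pod["spec"]
    pod_sc = spec.get("securityContext", {})
    found = []
    if meta.get("namespace", "default") == "default":
        found.append(("5.6.4", "runs in the default namespace"))
    for key, cis_id in (("hostPID", "5.2.3"), ("hostIPC", "5.2.4"), ("hostNetwork", "5.2.5")):
        if spec.get(key):
            found.append((cis_id, f"{key}: true"))
    if spec.get("automountServiceAccountToken", True):       # API default is to mount
        found.append(("5.1.6", "service account token is auto-mounted"))
    if not pod_sc and not any(c.get("securityContext") for c in _containers(spec)):
        found.append(("5.6.3", "no securityContext on the pod or any container"))
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            found.append(("5.2.12", f"volume {vol['name']} is hostPath {vol['hostPath'].get('path')}"))
    legacy = meta.get("annotations", {}).get("seccomp.security.alpha.kubernetes.io/pod")
    for c in _containers(spec):
        name, sc = c["name"], c.get("securityContext", {})
        if sc.get("privileged"):
            found.append(("5.2.2", f"{name}: privileged"))
        if sc.get("allowPrivilegeEscalation", True):           # API default is true
            found.append(("5.2.6", f"{name}: allowPrivilegeEscalation not false"))
        # Root unless runAsNonRoot or a non-zero runAsUser applies (container overrides pod).
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False))
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
        if not non_root and not (uid and uid > 0):
            found.append(("5.2.7", f"{name}: may run as root"))
        caps = sc.get("capabilities", {})
        add, drop = set(caps.get("add", [])), set(caps.get("drop", []))
        if add:
            found.append(("5.2.9", f"{name}: adds {sorted(add)}"))
        if "NET_RAW" in add or not (drop & {"ALL", "NET_RAW"}):
            found.append(("5.2.8", f"{name}: NET_RAW not dropped"))
        if "ALL" not in drop:
            found.append(("5.2.10", f"{name}: does not drop ALL capabilities"))
        if (sc.get("windowsOptions") or pod_sc.get("windowsOptions") or {}).get("hostProcess"):
            found.append(("5.2.11", f"{name}: Windows HostProcess container"))
        for port in c.get("ports", []):
            if port.get("hostPort"):
                found.append(("5.2.13", f"{name}: hostPort {port['hostPort']}"))
        seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile", {})).get("type")
        if seccomp not in SECCOMP_OK and legacy not in LEGACY_SECCOMP_OK:
            found.append(("5.6.2", f"{name}: no seccomp profile (RuntimeDefault supersedes docker/default)"))
        for env in c.get("env", []):
            if "secretKeyRef" in env.get("valueFrom", {}):
                found.append(("5.4.1", f"{name}: secret in env var {env['name']}"))
        for src in c.get("envFrom", []):
            if "secretRef" in src:
                found.append(("5.4.1", f"{name}: whole secret {src['secretRef']['name']} in env"))
    return sorted(found)


# Constructed: a pod that trips most of the checks above.
BAD_POD = {"metadata": {"name": "debug", "namespace": "default"}, "spec": {
    "hostNetwork": True,
    "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
    "containers": [{"name": "app", "image": "busybox",
                    "securityContext": {"privileged": True},
                    "ports": [{"containerPort": 8080, "hostPort": 8080}],
                    "env": [{"name": "DB_PASS", "valueFrom": {"secretKeyRef": {"name": "db", "key": "pw"}}}]}]}}

# Constructed: the same workload written to pass every check.
GOOD_POD = {"metadata": {"name": "api", "namespace": "payments"}, "spec": {
    "automountServiceAccountToken": False,
    "securityContext": {"runAsNonRoot": True, "runAsUser": 10001, "seccompProfile": {"type": "RuntimeDefault"}},
    "volumes": [{"name": "db", "secret": {"secretName": "db"}}],
    "containers": [{"name": "api", "image": "registry.example/api:1.0",
                    "securityContext": {"allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]}},
                    "volumeMounts": [{"name": "db", "mountPath": "/run/secrets/db", "readOnly": True}],
                    "ports": [{"containerPort": 8080}]}]}}

if __name__ == "__main__":
    # Pass the path of a `kubectl get pods -A -o json` export, or no argument to use the samples.
    pods = json.load(open(sys.argv[1]))["items"] if len(sys.argv) > 1 else [BAD_POD, GOOD_POD]
    for pod in pods:
        ns, name = pod["metadata"].get("namespace", "default"), pod["metadata"]["name"]
        for cis_id, detail in check_pod(pod):
            print(f"{ns}/{name}: {cis_id} {detail}")
```

`GOOD_POD` also shows the shape 5.4.1 asks for: the secret is mounted as a read-only file under `/run/secrets/db` instead of being placed in the environment, where it would be visible to every process in the container through `/proc/<pid>/environ` and to anyone who can `kubectl describe` the pod. Running the checker on a workload before it is admitted, or wiring the same conditions into a policy engine, is how 5.2.1's "active policy control mechanism" becomes more than a manual review.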