K8s CIS Benchmark
The Kubernetes CIS Benchmark contains a number of security best practices to harden Kubernetes worker nodes.
The Kubernetes CIS Benchmark defines two levels; however, Level 2 currently adds only one additional check (4.2.8) for worker nodes. The Bottlerocket reporting API cannot evaluate this check automatically, so for automated evaluation the two levels are functionally identical.
Expanding upon the general instructions to run a report, use the identifier apiclient report cis-k8s for the Bottlerocket Kubernetes CIS benchmark. Adding the flag -l with the value 2 evaluates the node against the Level 2 benchmark. For example:
# Returns evaluation of CIS Benchmark Level 2
apiclient report cis-k8s -l 2
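As an added example (not part of the Bottlerocket documentation or of apiclient itself), the POSIX shell functions below consume the text that a report run produces, fail when any automated check is reported as FAIL, and list the checks reported as SKIP (such as 4.2.8, which the reporting API cannot evaluate) so they can be audited manually. The "[PASS]/[FAIL]/[SKIP] <id> <title>" line layout is an assumption about the report's text output, and the sample report is constructed, not captured from a node.

```shell
#!/bin/sh
# Added example: gate a CI job or fleet audit on a Bottlerocket CIS report.
# Assumption: each check line looks like "[PASS] 4.2.1   <title>".
# Live use: apiclient report cis-k8s -l 2 | gate_report

# Constructed sample report; titles are illustrative, not the benchmark's wording.
SAMPLE_REPORT='Benchmark name:  CIS Kubernetes Benchmark (worker node)
Benchmark level: 2

[PASS] 4.2.1     Anonymous kubelet auth disabled (constructed title)
[FAIL] 4.2.4     Kubelet read-only port disabled (constructed title)
[SKIP] 4.2.8     Level 2 check not evaluated automatically (constructed title)
Passed:          1
Failed:          1
Skipped:         1
Total checks:    3'

# Print how many check lines on stdin carry the status given as $1 (PASS, FAIL or SKIP).
count_status() {
    awk -v s="[$1]" '$1 == s { n++ } END { print n + 0 }'
}

# Print the ids of checks the report could not evaluate (status SKIP), one per line.
skipped_checks() {
    awk '$1 == "[SKIP]" { print $2 }'
}

# Read a report from stdin; return 0 only when no automated check failed.
# Skipped checks are listed so an operator can complete the audit by hand.
gate_report() {
    report=$(cat)
    failed=$(printf '%s\n' "$report" | count_status FAIL)
    skipped=$(printf '%s\n' "$report" | skipped_checks | tr '\n' ' ')
    if [ -n "$skipped" ]; then
        printf 'Checks requiring manual audit: %s\n' "$skipped"
    fi
    printf 'Automated checks failed: %s\n' "$failed"
    [ "$failed" -eq 0 ]
}

if printf '%s\n' "$SAMPLE_REPORT" | gate_report; then
    echo "CIS worker-node report: all automated checks passed"
else
    echo "CIS worker-node report: remediation needed before this node is compliant"
fi
```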
Audit and Remediation
Refer to the Kubernetes CIS Benchmark for detailed audit and remediation steps.