K8s CIS Benchmark

Generating a Kubernetes CIS Benchmark report

The Kubernetes CIS Benchmark contains a number of security best practices to harden Kubernetes worker nodes.

Note

The Kubernetes CIS Benchmark contains two levels, however, currently, level 2 only adds one additional check (4.2.8) for worker nodes. The Bottlerocket reporting API cannot automatically evaluate this additional check and therefore the two levels are functionally identical for automatic evaluation purposes.

Examples

Expanding upon the general instructions to run a report, for the Bottlerocket CIS benchmark use the identifier cis-k8s:

apiclient report cis-k8s

Adding the flag -l with the value of 2 will evaluate to the Level 2 benchmark. For example:

# Returns evaluation of CIS Benchmark Level 2
apiclient report cis-k8s -l 2

Audit and Remediation

Refer to the Kubernetes CIS Benchmark for detailed audit and remediation steps.

See a problem with this page? File an issue. All feedback is appreciated.
You can also directly contribute a change to the source file of this page on GitHub.