Implementing the CIS Kubernetes Benchmark
The Center for Internet Security (CIS) Kubernetes Benchmark provides comprehensive security guidelines aligned with compliance requirements. These benchmarks cover control plane configuration, node security, policies, and managed services. Regular assessment against CIS benchmarks demonstrates due diligence and provides measurable security posture improvements.
Control plane hardening forms the foundation of CIS compliance. This includes securing the API server with strong authentication and encryption, protecting etcd with encryption at rest and access controls, and configuring admission controllers for policy enforcement. Each component requires specific settings that balance security with functionality.
```yaml
# CIS-compliant API server configuration (kubeadm ClusterConfiguration)
apiVersion: kubeadm.k8s.io/v1beta3
kind: ClusterConfiguration
kubernetesVersion: v1.28.0
apiServer:
  extraArgs:
    # CIS 1.2.1 - Ensure anonymous auth is disabled (the API server default is true)
    anonymous-auth: "false"
    # CIS 1.2.2 - Ensure basic auth is not used
    # CIS 1.2.3 - Ensure token auth file is not used
    # Both controls are satisfied by not setting the flags at all. Do not set
    # them to "": kubeadm would pass --basic-auth-file= to the API server, and
    # that flag no longer exists (basic auth was removed in Kubernetes 1.19),
    # so the API server would refuse to start.
    # CIS 1.2.4 - Use https for kubelet connections
    # Current kube-apiserver releases always use HTTPS to reach the kubelet; the
    # former --kubelet-https flag has been removed and must not be passed here.
    # CIS 1.2.5 - Ensure kubelet client certificate and key are configured
    kubelet-client-certificate: "/etc/kubernetes/pki/apiserver-kubelet-client.crt"
    kubelet-client-key: "/etc/kubernetes/pki/apiserver-kubelet-client.key"
    # CIS 1.2.6 - Ensure kubelet certificate authority is set
    kubelet-certificate-authority: "/etc/kubernetes/pki/ca.crt"
    # CIS 1.2.7 - Ensure authorization mode includes RBAC
    authorization-mode: "Node,RBAC"
    # CIS 1.2.8 - Ensure authorization mode does not include AlwaysAllow
    # (implicit in the setting above)
    # CIS 1.2.9 - Ensure admission control plugins are configured
    enable-admission-plugins: "NodeRestriction,ResourceQuota,ServiceAccount,PodSecurity"
    # CIS 1.2.10 - Ensure AlwaysAdmit is not used
    disable-admission-plugins: "AlwaysAdmit"
    # CIS 1.2.16 - Ensure secure ciphers only
    tls-cipher-suites: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
    # CIS 1.2.17 - Ensure TLS 1.2 minimum
    tls-min-version: "VersionTLS12"
    # CIS 1.2.21 - Enable audit logging
    # Note: the log backend records nothing unless an audit policy is also
    # supplied via audit-policy-file, and kubeadm only mounts the log directory
    # into the static pod if it is listed under apiServer.extraVolumes.
    audit-log-path: "/var/log/kubernetes/audit.log"
    audit-log-maxage: "30"
    audit-log-maxbackup: "10"
    audit-log-maxsize: "100"
    # CIS 1.2.25 - Encrypt data at rest
    # Note: this file must also be mounted into the static pod via apiServer.extraVolumes.
    encryption-provider-config: "/etc/kubernetes/encryption-config.yaml"
    # Additional security settings
    service-account-signing-key-file: "/etc/kubernetes/pki/sa.key"
    service-account-key-file: "/etc/kubernetes/pki/sa.pub"
    service-account-issuer: "https://kubernetes.default.svc.cluster.local"
---
# CIS-compliant kubelet configuration
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
# CIS 4.2.1 - Ensure anonymous authentication is disabled
authentication:
  anonymous:
    enabled: false
  webhook:
    enabled: true
  x509:
    clientCAFile: "/etc/kubernetes/pki/ca.crt"
# CIS 4.2.2 - Ensure authorization mode is not AlwaysAllow
authorization:
  mode: Webhook
# CIS 4.2.3 - Ensure kubelet client certificate and key are set
tlsCertFile: "/var/lib/kubelet/pki/kubelet.crt"
tlsPrivateKeyFile: "/var/lib/kubelet/pki/kubelet.key"
# CIS 4.2.6 - Ensure protect kernel defaults is set
protectKernelDefaults: true
# CIS 4.2.7 - Ensure make iptables util chains is set
makeIPTablesUtilChains: true
# CIS 4.2.10 - Ensure event record QPS is set appropriately
eventRecordQPS: 5
# CIS 4.2.13 - Ensure TLS cipher suites are appropriate
tlsCipherSuites:
  - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
```
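Configuring the flags is only half of the work; the other half is verifying that the running API server actually carries them. The following is an added example, not code from the original article or from any benchmark tool: it parses a kube-apiserver command line in the form found under `spec.containers[0].command` in the static pod manifest kubeadm writes, and reports which of the API server controls listed above are unmet (numbered as on this page). Both sample command lines are constructed for illustration.

```python
# Added example: check kube-apiserver flags against the CIS controls listed above.
# Input mirrors spec.containers[0].command in the kubeadm static pod manifest
# (/etc/kubernetes/manifests/kube-apiserver.yaml); samples below are constructed.

def parse_flags(command):
    """Map ['kube-apiserver', '--a=b', '--c', 'd'] to {'a': 'b', 'c': 'd'}."""
    flags, args, i = {}, command[1:], 0
    while i < len(args):
        if args[i].startswith("--"):
            key, has_eq, value = args[i][2:].partition("=")
            # pflag also accepts '--flag value'; consume the next token in that case
            if not has_eq and i + 1 < len(args) and not args[i + 1].startswith("--"):
                value, i = args[i + 1], i + 1
            flags[key] = value
        i += 1
    return flags

def _csv(value):
    return {item for item in value.split(",") if item}

def cis_findings(command):
    """Return the control ids (numbered as on this page) that the command line fails."""
    f = parse_flags(command)
    failed = []
    if f.get("anonymous-auth") != "false":                # 1.2.1: API server default is true
        failed.append("1.2.1")
    if "basic-auth-file" in f or "token-auth-file" in f:  # 1.2.2/1.2.3: flags must be absent
        failed.append("1.2.2/1.2.3")
    modes = _csv(f.get("authorization-mode", "AlwaysAllow"))  # default is AlwaysAllow
    if "RBAC" not in modes:
        failed.append("1.2.7")
    if "AlwaysAllow" in modes:
        failed.append("1.2.8")
    plugins = _csv(f.get("enable-admission-plugins", ""))
    if "NodeRestriction" not in plugins:
        failed.append("1.2.9")
    if "AlwaysAdmit" in plugins:
        failed.append("1.2.10")
    if f.get("tls-min-version") not in ("VersionTLS12", "VersionTLS13"):
        failed.append("1.2.17")                           # require an explicit minimum
    if not f.get("audit-log-path"):
        failed.append("1.2.21")
    if not f.get("encryption-provider-config"):
        failed.append("1.2.25")
    return failed

COMPLIANT_CMD = ["kube-apiserver", "--anonymous-auth=false", "--authorization-mode=Node,RBAC",
    "--enable-admission-plugins=NodeRestriction,ResourceQuota,ServiceAccount,PodSecurity",
    "--tls-min-version=VersionTLS12", "--audit-log-path=/var/log/kubernetes/audit.log",
    "--encryption-provider-config=/etc/kubernetes/encryption-config.yaml"]
WEAK_CMD = ["kube-apiserver", "--authorization-mode=AlwaysAllow",
    "--token-auth-file=/etc/kubernetes/tokens.csv", "--enable-admission-plugins=AlwaysAdmit"]
```

Run it against the `command` list of each control plane node's manifest after every kubeadm upgrade, since upgrades regenerate the static pod and can silently drop arguments that are no longer valid.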
Workload security controls ensure applications meet CIS requirements. Pod Security Standards enforce baseline security configurations including non-root execution, capability dropping, and read-only root filesystems. Network policies implement required segmentation. These controls must be consistently applied across all namespaces.