Kubernetes CIS Benchmark Hardening

February 13, 2026 | Kubernetes Security Compliance

kube-bench and top 20 remediations.

The Center for Internet Security (CIS) Kubernetes Benchmark provides a comprehensive set of security recommendations for hardening Kubernetes clusters. This guide covers the top 20 remediations that address the most critical security gaps.

Running kube-bench

kube-bench automates CIS benchmark checks against your cluster:

# Run on a node
kubectl apply -f https://raw.githubusercontent.com/aquasecurity/kube-bench/main/job.yaml

# Check results
kubectl logs job/kube-bench

Top 20 Remediations

Control Plane Hardening (1-5)

  1. Enable audit logging — Log all API server requests for forensic analysis
  2. Enable RBAC — Ensure --authorization-mode=RBAC is set on the API server
  3. Disable anonymous auth — Set --anonymous-auth=false on the API server
  4. Encrypt etcd at rest — Configure --encryption-provider-config with AES-256
  5. Use TLS for etcd — Enable client and peer TLS certificates for etcd communication

Worker Node Hardening (6-10)

  6. Restrict kubelet anonymous access — Set authentication.anonymous.enabled: false
  7. Enable kubelet certificate rotation — Set rotateCertificates: true in kubelet config
  8. Protect kubelet port — Ensure port 10250 is firewall-restricted
  9. Set file permissions — kubelet config and certificate files should be 600/644
  10. Disable read-only port — Set readOnlyPort: 0 in kubelet config

Pod Security (11-15)

  11. Enable Pod Security Admission — Enforce restricted or baseline pod security standards
  12. Prevent privileged containers — Deny pods with privileged: true
  13. Prevent root containers — Enforce runAsNonRoot: true
  14. Drop all capabilities — Set securityContext.capabilities.drop: [ALL]
  15. Use read-only root filesystem — Set readOnlyRootFilesystem: true

Network and Access (16-20)

  16. Deploy network policies — Default-deny in all namespaces
  17. Restrict service account tokens — Set automountServiceAccountToken: false unless needed
  18. Use namespace isolation — Separate workloads by namespace with RBAC boundaries
  19. Scan container images — Enforce image scanning admission controllers
  20. Limit host namespaces — Block hostNetwork, hostPID, hostIPC

Pod Security Standards

# Enforce restricted standard on production namespace
kubectl label namespace production \
  pod-security.kubernetes.io/enforce=restricted \
  pod-security.kubernetes.io/warn=restricted \
  pod-security.kubernetes.io/audit=restricted

Secure Pod Template

spec:
  automountServiceAccountToken: false
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
    fsGroup: 1000
    seccompProfile:
      type: RuntimeDefault
  containers:
  - name: app
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop: [ALL]
      readOnlyRootFilesystem: true
    resources:
      limits:
        cpu: "1"
        memory: 512Mi
      requests:
        cpu: 100m
        memory: 128Mi

Compliance Tracking

Run kube-bench on a schedule and track compliance scores over time:

# CronJob for weekly benchmark check
apiVersion: batch/v1
kind: CronJob
metadata:
  name: kube-bench-weekly
spec:
  schedule: "0 6 * * 1"  # Every Monday at 6 AM
  jobTemplate:
    spec:
      template:
        spec:
          # kube-bench inspects host process arguments and config files, so it needs
          # hostPID and read-only hostPath mounts (the upstream job.yaml mounts more paths).
          # The restricted Pod Security level rejects these, so use a dedicated namespace.
          hostPID: true
          containers:
          - name: kube-bench
            image: aquasec/kube-bench:latest
            command: ["kube-bench", "--json"]
            volumeMounts:
            - {name: var-lib-kubelet, mountPath: /var/lib/kubelet, readOnly: true}
            - {name: etc-kubernetes, mountPath: /etc/kubernetes, readOnly: true}
          restartPolicy: Never
          volumes:
          - {name: var-lib-kubelet, hostPath: {path: /var/lib/kubelet}}
          - {name: etc-kubernetes, hostPath: {path: /etc/kubernetes}}
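To turn the weekly --json output into a score you can track, here is an added Python summariser; it is not code from the original page or from the kube-bench project, it assumes the JSON layout described in its docstring, and it runs against a constructed sample report with illustrative check numbers.

```python
"""Summarise a kube-bench --json report into a compliance score.
Assumed layout (not from the page): an object with a "Controls" list
(older releases print the list itself); each control has "tests", each
test has "results" with "test_number", "status", "scored", "remediation".
"""
import json
from collections import Counter

# Constructed sample in that layout; check numbers are illustrative only.
SAMPLE_REPORT = json.dumps({"Controls": [{
    "id": "1", "text": "Control Plane Components", "node_type": "master",
    "tests": [{"section": "1.2", "desc": "API Server", "results": [
        {"test_number": "1.2.1", "status": "FAIL", "scored": True,
         "remediation": "Set --anonymous-auth=false on the API server"},
        {"test_number": "1.2.7", "status": "PASS", "scored": True,
         "remediation": ""},
        {"test_number": "1.2.22", "status": "WARN", "scored": False,
         "remediation": "Set --audit-log-path on the API server"},
    ]}],
}]})


def load_controls(report_text):
    """Return the control list from either JSON layout."""
    data = json.loads(report_text)
    return data["Controls"] if isinstance(data, dict) else data


def summarize(report_text):
    """Return (score, status_counts, failures): score is PASS/(PASS+FAIL) in
    percent over scored checks only (WARN/INFO are counted but not scored),
    failures lists (test_number, remediation) for every scored FAIL."""
    counts, failures = Counter(), []
    scored_pass = scored_fail = 0
    for control in load_controls(report_text):
        for test in control.get("tests", []):
            for result in test.get("results", []):
                status = result.get("status", "INFO")
                counts[status] += 1
                if not result.get("scored"):
                    continue  # unscored checks never move the score
                if status == "PASS":
                    scored_pass += 1
                elif status == "FAIL":
                    scored_fail += 1
                    failures.append((result["test_number"], result.get("remediation", "")))
    scored = scored_pass + scored_fail
    score = round(100.0 * scored_pass / scored, 1) if scored else 0.0
    return score, dict(counts), failures
```

Feed it `kubectl logs job/<name>` from each run and store the score per date; the failures list gives the remediation text to work through first.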

Eazy SaaS Tip: We run kube-bench as part of our Kubernetes hardening service. The initial scan typically shows 40-60% compliance. After applying our standard remediation playbook, clients reach 90%+ compliance within a week — meeting the requirements for SOC 2 and ISO 27001 audits.