Skip to content

Latest commit

 

History

History

cis-k8s-v1.7.1

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
.krmignore
.krmignore
 
 
Kptfile
Kptfile
 
 
README.md
README.md
 
 
kustomization.yaml
kustomization.yaml
 
 
require-admission-controller.yaml
require-admission-controller.yaml
 
 
require-binauthz.yaml
require-binauthz.yaml
 
 
require-namespace-networkpolicy.yaml
require-namespace-networkpolicy.yaml
 
 
require-seccomp-default.yaml
require-seccomp-default.yaml
 
 
require-securitycontext.yaml
require-securitycontext.yaml
 
 
restrict-aggregation-controller.yaml
restrict-aggregation-controller.yaml
 
 
restrict-automountserviceaccounttoken.yaml
restrict-automountserviceaccounttoken.yaml
 
 
restrict-bind-escalate-impersonate.yaml
restrict-bind-escalate-impersonate.yaml
 
 
restrict-capabilities.yaml
restrict-capabilities.yaml
 
 
restrict-certificatesigningrequests-approval.yaml
restrict-certificatesigningrequests-approval.yaml
 
 
restrict-cluster-admin-role.yaml
restrict-cluster-admin-role.yaml
 
 
restrict-creation-with-default-serviceaccount.yaml
restrict-creation-with-default-serviceaccount.yaml
 
 
restrict-default-namespace.yaml
restrict-default-namespace.yaml
 
 
restrict-env-var-secrets.yaml
restrict-env-var-secrets.yaml
 
 
restrict-host-namespace.yaml
restrict-host-namespace.yaml
 
 
restrict-host-port.yaml
restrict-host-port.yaml
 
 
restrict-hostpath-volumes.yaml
restrict-hostpath-volumes.yaml
 
 
restrict-hosttnetwork.yaml
restrict-hosttnetwork.yaml
 
 
restrict-nodes-proxy.yaml
restrict-nodes-proxy.yaml
 
 
restrict-persistent-volume.yaml
restrict-persistent-volume.yaml
 
 
restrict-pods-create.yaml
restrict-pods-create.yaml
 
 
restrict-privilege-escalation.yaml
restrict-privilege-escalation.yaml
 
 
restrict-privileged-containers.yaml
restrict-privileged-containers.yaml
 
 
restrict-role-secrets.yaml
restrict-role-secrets.yaml
 
 
restrict-role-wildcards.yaml
restrict-role-wildcards.yaml
 
 
restrict-root-containers.yaml
restrict-root-containers.yaml
 
 
restrict-secrets-of-type-basic-auth.yaml
restrict-secrets-of-type-basic-auth.yaml
 
 
restrict-serviceaccounts-token.yaml
restrict-serviceaccounts-token.yaml
 
 
restrict-system-masters-group.yaml
restrict-system-masters-group.yaml
 
 
restrict-webhook-config.yaml
restrict-webhook-config.yaml
 
 
restrict-windows-hostprocess.yaml
restrict-windows-hostprocess.yaml
 
 

README.md

CIS Kubernetes Benchmark v1.7.1

Note: The CIS Kubernetes Benchmark v1.7.1 policy bundle is a preview release. This means that the functionality might change in backward-incompatible ways. A preview release is not subject to any SLA or deprecation policy and may receive limited or no support.

Description

Use the CIS Kubernetes Benchmark v1.7.1 policy bundle with Policy Controller to evaluate the compliance of your cluster resources against the CIS Kubernetes Benchmark, which is a set of recommendations for configuring Kubernetes to support a robust security posture.

The accompanying CIS Kubernetes Benchmark tutorial provides more details.

Disclaimer

These constraints are not certified by CIS.

Compatibility

This bundle requires Policy Controller v1.17.0 or higher.

Usage

(Optional) Preview the policy constraints with kubectl:

kubectl kustomize https://github.com/GoogleCloudPlatform/gke-policy-library.git/anthos-bundles/cis-k8s-v1.7.1

Apply the policy constraints with kubectl:

kubectl apply -k https://github.com/GoogleCloudPlatform/gke-policy-library.git/anthos-bundles/cis-k8s-v1.7.1

For more information visit: https://cloud.google.com/anthos-config-management/docs/how-to/using-cis-k8s-v1.7