Contact Us

New! - CIS Security Benchmark for Kubernetes

Control Your Cloud

CIS Security Benchmark for Kubernetes is out. Grab your copy at

Keen to give back to the Kubernetes community and to bring security visibility and agility in Kubernetes deployments, I started the CIS project for developing a security benchmark approximately 10 weeks back. It is humbling to see that in a short time period of 10-weeks, the community came together to document more than 100 recommendations detailed enough for you to take prescriptive actions towards securing your Kubernetes deployments.

When I look back, I was told that Kubernetes security configuration is hugely fragmented and it is a self-dissolving daunting task to document the controls and cover in a benchmark like document. The fragmented offering is just too big a beast to pet. I disagreed and committed.

Here are some interesting thoughts and stats around the 106 recommendations that we have in the benchmark today.



As you see, the majority of the recommendations are around master node. In the Shared Responsibility Model, this means that if you are using a provider that manages the master node as a service, then it is the provider’s responsibility to keep the master node secure. You should seek the master node configuration details from your provider, or if it provides an API to query the master node configuration, you should carry out an assessment for yourself. Beware, that due to Kubernetes configuration fragmentation, the provider may not be aligning 100% to the benchmark and it could be ok. But, for you, it is important to know what the provider aligns with and what it does not align with. You might put compensating controls around the gap recognized between the benchmark recommendations and the provider’s configuration of the master node. If your provider does not provide a public facing document detailing master node configuration you could possibly get it under NDA. Let the conversation begin!

Cavirin today supports core security use cases around Docker – Docker host and runtime assessment (Container OS hardening), Docker image hardening and Docker image vulnerability searches. With addition of Kubernetes benchmark on its platform, Cavirin will be able to help you get automated security assessments for your entire Kubernetes deployed clusters.








© 2019 Cavirin Systems, Inc. All rights reserved.