New! - CIS Kubernetes 1.7 Security Benchmark Released

Control Your Container

I’m happy to announce the availability of the latest benchmark addressing the container ecosystem – the Kubernetes 1.7 Security Benchmark. Kubernetes 1.7 brings tons of security improvements. We at the CIS Kubernetes community have been busy producing an updated benchmark for you quickly. Download your copy from the CIS website. For an additional perspective on the release and its enterprise-scale capabilities, please check out the Google blog.

This version of the benchmark has undergone changes to reflect the above improvements. Below is a quick summary.

New Recommendations

  • 1.32 Ensure that the --authorization-mode argument is set to Node
  • 1.33 Ensure that the admission control policy is set to NodeRestriction
  • 1.34 Ensure that the --experimental-encryption-provider-config argument is set as appropriate
  • 1.35 Ensure that the encryption provider is set to aescbc
  • 6.8 Configure Network policies as appropriate
  • 1.14 Ensure that the RotateKubeletClientCertificate argument is set to true
  • 1.15 Ensure that the RotateKubeletServerCertificate argument is set to true
  • 2.7 Ensure that the certificate authorities file permissions are set to 644 or more restrictive
  • 2.8 Ensure that the client certificate authorities file ownership is set to root:root

Modified Recommendations

Deleted Recommendations

  • 3.3 Ensure that the --insecure-experimental-approve-all-kubelet-csrs-for-group argument is not set
  • 6.5 Avoid using Kubernetes Secrets

Out of all the new recommendations, the ability to encrypt Kubernetes API objects in the etcd key-value store is probably the most awaited and impactful. Prior to this release there was no mechanism to store etcd data encrypted at rest. This also led to the deletion of “1.6.5 Avoid using Kubernetes Secrets”. You can now encrypt not only Secrets but other API objects as well. Such changes again make it extremely important to have updated benchmarks.

Another major change is restricted node authorization. Prior to this release, nodes had excessive permissions and could access several sensitive API objects. Now a node can be restricted to accessing only the objects that belong to it, which greatly strengthens enforcement of the least privilege principle.
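As an added example (not from the benchmark, Kubernetes, or Cavirin), here is a small POSIX shell audit helper that checks a kube-apiserver command line and its encryption config against the four new API server recommendations above (1.32 to 1.35), covering both the encryption-at-rest and the node authorization points. The command lines, the config text and the key placeholder are constructed samples; the flag names `--authorization-mode`, `--admission-control` and `--experimental-encryption-provider-config` and the `EncryptionConfig` layout are the Kubernetes 1.7 ones, and the check uses a lightweight line match rather than a real YAML parser.

```shell
#!/bin/sh
# Added audit helper, not part of the CIS benchmark or Cavirin's product.
# It checks a kube-apiserver command line against the four new API-server
# recommendations in the 1.7 benchmark (1.32 - 1.35). Inputs below are
# constructed samples; the key material is a placeholder, not a real key.

flag_value() {   # print the value of --flag=value in command line $1 (empty if absent)
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p"
}
has_item() {     # succeed when $2 is one of the comma-separated items in $1
    printf '%s\n' "$1" | tr ',' '\n' | grep -qx -- "$2"
}
first_provider() {  # name of the first provider under "providers:" in config text $1
    printf '%s\n' "$1" | sed -n '/providers:/,$p' \
        | sed -n 's/^[[:space:]]*- *\([a-z]*\):.*/\1/p' | head -n 1
}
check_1_32() { has_item "$(flag_value "$1" --authorization-mode)" Node; }
check_1_33() { has_item "$(flag_value "$1" --admission-control)" NodeRestriction; }
check_1_34() { [ -n "$(flag_value "$1" --experimental-encryption-provider-config)" ]; }
# 1.35: the first listed provider is the one used for new writes, so aescbc
# must come first; an "identity" provider listed first keeps writing plaintext.
check_1_35() { [ "$(first_provider "$1")" = aescbc ]; }

audit() {   # $1 = apiserver command line, $2 = encryption config text; returns failure count
    fails=0
    for c in check_1_32 check_1_33 check_1_34; do
        if $c "$1"; then echo "PASS $c"; else echo "FAIL $c"; fails=$((fails + 1)); fi
    done
    if check_1_35 "$2"; then echo "PASS check_1_35"; else echo "FAIL check_1_35"; fails=$((fails + 1)); fi
    return $fails
}

# Constructed samples: a pre-1.7 style invocation and a hardened one.
WEAK='kube-apiserver --authorization-mode=RBAC --admission-control=NamespaceLifecycle,ServiceAccount'
HARDENED='kube-apiserver --authorization-mode=Node,RBAC --admission-control=NamespaceLifecycle,NodeRestriction,ServiceAccount --experimental-encryption-provider-config=/etc/kubernetes/encryption.yaml'
ENC_WEAK='kind: EncryptionConfig
apiVersion: v1
resources:
  - resources: [secrets]
    providers:
      - identity: {}
      - aescbc: {keys: [{name: key1, secret: PLACEHOLDER_BASE64_32_BYTE_KEY}]}'
ENC_HARDENED='kind: EncryptionConfig
apiVersion: v1
resources:
  - resources: [secrets]
    providers:
      - aescbc: {keys: [{name: key1, secret: PLACEHOLDER_BASE64_32_BYTE_KEY}]}
      - identity: {}'

audit "$WEAK" "$ENC_WEAK" || echo "weak sample: $? finding(s)"
audit "$HARDENED" "$ENC_HARDENED" && echo "hardened sample: clean"
```

On a live master the command line would come from the running process (for example `ps -ef | grep kube-apiserver`, as the benchmark's own audit steps do) and the config text from the file that flag points at.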

I would again like to thank the CIS Kubernetes community for their outstanding contribution to this release.

Check out Cavirin's lifecycle container and Docker support.

© 2019 Cavirin Systems, Inc. All rights reserved.