CIS Kubernetes Benchmark, continuously evidenced.
The CIS Kubernetes Benchmark v1.12.0 defines 127 security controls covering cluster control-plane components (kube-apiserver, etcd, kube-controller-manager, kube-scheduler), worker nodes (kubelet, container runtime), and workload configuration (RBAC, network policies, pod security). CISGuard supports vanilla Kubernetes plus AKS, EKS, GKE, OpenShift, Rancher, and K3s distributions.
Kubernetes benchmark at a glance.
- Benchmark version: v1.12.0
- Total controls: 127
- Scan type: Agentless
- Available tier: Pro and above
- Category: Container & Orchestration
- Drift detection: Yes, between every scheduled scan
What this benchmark actually covers.
- kube-apiserver configuration
- etcd hardening
- kube-controller-manager + kube-scheduler
- kubelet hardening
- RBAC policy validation
- Pod Security Standards
- Network Policies
- Secrets management
Kubernetes questions, answered directly.
How does CISGuard scan Kubernetes clusters?
CISGuard deploys a lightweight scanner as a DaemonSet (for node-level controls) plus a cluster-wide deployment (for control-plane and workload controls). It uses a service account bound to a read-only ClusterRole. Scans run on a schedule, with per-cluster posture and a cross-cluster rollup for multi-cluster environments.
Does CISGuard support managed Kubernetes services?
Yes. CISGuard supports AKS (Azure), EKS (AWS), GKE (Google Cloud), OpenShift (Red Hat), Rancher (SUSE), K3s, and vanilla upstream Kubernetes. Distribution-specific benchmark variants are applied automatically based on detected cluster type. See /benchmarks/aks, /benchmarks/eks, /benchmarks/openshift for the specific variants.
Can CISGuard validate Pod Security Standards?
Yes. The CIS Kubernetes Benchmark v1.12.0 includes Pod Security Standards (Restricted, Baseline, Privileged) validation. CISGuard validates that namespaces enforce the appropriate PSS level via labels, and that workloads don't violate the enforced policy.
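The label check described above can be sketched as follows. This is an added example, not CISGuard's own code: it reads namespace JSON in the shape of `kubectl get namespaces -o json`, flags namespaces whose `pod-security.kubernetes.io/enforce` label is missing, unrecognised, or weaker than a required level, and tests a pod manifest against a small subset of the Baseline controls. The namespace names, the pod and the required level are constructed for illustration.

```python
import json

ENFORCE_LABEL = "pod-security.kubernetes.io/enforce"
LEVELS = {"privileged": 0, "baseline": 1, "restricted": 2}  # weakest to strictest

# Constructed sample, shaped like `kubectl get namespaces -o json` output.
SAMPLE_NAMESPACES = json.loads("""
{"items": [
  {"metadata": {"name": "payments", "labels": {"pod-security.kubernetes.io/enforce": "restricted"}}},
  {"metadata": {"name": "web", "labels": {"pod-security.kubernetes.io/enforce": "baseline"}}},
  {"metadata": {"name": "legacy", "labels": {"team": "ops"}}},
  {"metadata": {"name": "sandbox", "labels": {"pod-security.kubernetes.io/enforce": "Restricted"}}}
]}
""")

# Constructed pod manifest with two Baseline violations.
SAMPLE_POD = {"metadata": {"name": "debug", "namespace": "web"}, "spec": {
    "hostNetwork": True,
    "containers": [{"name": "app", "securityContext": {"privileged": True}},
                   {"name": "sidecar"}]}}

def audit_namespaces(ns_list, required="baseline"):
    """Return {namespace: finding} for namespaces below the required PSS level."""
    findings = {}
    for item in ns_list.get("items", []):
        meta = item.get("metadata", {})
        level = (meta.get("labels") or {}).get(ENFORCE_LABEL)
        if level is None:
            # Without the label, the cluster-wide admission default applies.
            findings[meta["name"]] = "no enforce label"
        elif level not in LEVELS:
            findings[meta["name"]] = f"unrecognised level {level!r}"
        elif LEVELS[level] < LEVELS[required]:
            findings[meta["name"]] = f"enforces {level}, requires {required}"
    return findings

def baseline_violations(pod):
    """Return the Baseline violations found, checking host namespaces and privileged only."""
    spec = pod.get("spec", {})
    found = [f for f in ("hostNetwork", "hostPID", "hostIPC") if spec.get(f)]
    for kind in ("initContainers", "containers", "ephemeralContainers"):
        for c in spec.get(kind) or []:
            if (c.get("securityContext") or {}).get("privileged"):
                found.append(f"{kind}/{c['name']}: privileged")
    return found

if __name__ == "__main__":
    print(audit_namespaces(SAMPLE_NAMESPACES, required="restricted"))
    print(baseline_violations(SAMPLE_POD))
```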
Want a Kubernetes scan of your environment?
Our compliance engineers will scope your environment and quote within one business day of an initial briefing.