Jump to main content

CIS cluster hardening

The Center for Internet Security (CIS) is an independent, nonprofit organization that regularly offers recommendations for hardening organizations’ technologies against cyber attacks.
CIS has issued recommendations, in the form of Benchmarks, for setting up and configuring Kubernetes. These hardening recommendations cover the following areas:

  • Control Plane Security Configuration
  • Datastore Configuration, (dqlite)
  • Control Plane Node Configuration
  • Worker Node Security Configuration
  • Kubernetes Policies

Typically, Kubernetes distributions (including MicroK8s) do not comply with all hardening recommendations by default as some of them come with performance penalties while others require user configuration/input.

In the CIS hardening and assessment page we cover the relevant CIS recommendations and provide details on how to configure a MicroK8s cluster to pass the CIS Benchmark checks. Auditors will also find information on how to verify a cluster complies with each recommendation.

Starting with the v1.28 MicroK8s release a cis-hardening addon is included in the core addons.
microk8s enable cis-hardening applies all the Kubernetes specific CIS configurations v1.24 of the
CIS Kubernetes Benchmark to the MicroK8s node it is executed on.

For more details on how to use the cis-hardening addon or how to manually harden a pre-v1.28 cluster see the respective page.

Last updated 6 months ago. Help improve this document in the forum.