CIS Kubernetes Benchmark v1.9 (Section 5: Policies)
Center for Internet Security benchmark for Kubernetes Pod Security, RBAC, and NetworkPolicy. EchelonGraph evaluates these controls against the live cluster topology emitted by the Tier 3 K8s watcher (Pods, RBAC, NetworkPolicy CRDs).
Cluster-admin role usage minimised
The cluster-admin role should not be granted to non-system subjects. The Tier 3 watcher inspects every ClusterRoleBinding's subject list and flags bindings that grant cluster-admin to users, groups, or service accounts outside the system:* prefix.
Default ServiceAccount tokens not auto-mounted
The default ServiceAccount token in every namespace must not be auto-mounted. The watcher reads the AutomountServiceAccountToken field of each ServiceAccount object and flags any default SA where it is unset (the Kubernetes default is true) or explicitly true.
Privileged containers minimised
Pod containers should not run with privileged: true. The watcher inspects each Pod's containers[].securityContext.privileged at admission time and on every resync.
hostNetwork minimised
Pods should not use hostNetwork. The watcher inspects PodSpec.HostNetwork at the typed-handler level.
NetworkPolicy on every namespace
Every namespace should have at least one NetworkPolicy. EchelonGraph correlates the live K8S_NAMESPACE inventory with K8S_NETWORKPOLICY assets per namespace and flags namespaces without coverage.
runAsNonRoot enforced
Containers should run as a non-root user. The watcher counts the containers in each Pod and computes runasnonroot_count from securityContext.RunAsNonRoot at both the Pod and the container level.
Minimize wildcard RBAC verbs
RBAC ClusterRoles and Roles should avoid the wildcard verb (*).
Minimize wildcard RBAC resources
RBAC rules should avoid the wildcard resource (*); be explicit about which resources are granted.
Disable default SA token auto-mount
Default ServiceAccount in every namespace should not auto-mount its token into pods.
Cluster-admin restricted
ClusterRoleBindings to cluster-admin should be restricted to limited identities (cluster operators only).
Restrict hostProcess
Pods should not set hostProcess: true (a Windows-specific privilege escalation path).
Minimize hostIPC
Pods should not use hostIPC (it shares the host's Inter-Process Communication namespace).
allowPrivilegeEscalation false
Container securityContext.allowPrivilegeEscalation should be false.
Root containers minimized
Containers should not run as the root user (runAsUser != 0).
NET_RAW capability dropped
Containers should drop the NET_RAW capability (it permits raw socket operations such as ping and port scanning).
Drop ALL capabilities
Containers should drop ALL Linux capabilities and re-add only the ones they need.
CNI supports NetworkPolicy
The cluster's CNI plugin must support NetworkPolicy (Calico, Cilium, Weave Net, AWS VPC CNI 1.14+, GKE Dataplane V2).
Secrets via volume not env
Mount Secrets as volumes rather than environment variables.
External secret stores
Use external secret stores (Vault, AWS Secrets Manager, GCP Secret Manager) for sensitive secrets rather than storing them in etcd.
Image policy webhook
Configure the ImagePolicyWebhook admission controller (or an equivalent such as Kyverno or OPA Gatekeeper) to verify image signatures.
Workloads not in default namespace
Applications should not run in the 'default' namespace.
seccompProfile RuntimeDefault
Containers should use a seccompProfile of type RuntimeDefault or Localhost.
Admission controllers enabled
Key admission controllers should be enabled: PodSecurity, NodeRestriction, RBAC, ResourceQuota.
Default SA tokens not auto-mounted
Default ServiceAccount tokens must not be auto-mounted into pods.
Limit pod-create verb
Permission to create pods should be limited to deployment controllers rather than user accounts.
Capabilities restricted
Containers should not add Linux capabilities beyond the default set.
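The Pod-level checks above (privileged, hostNetwork, hostIPC, allowPrivilegeEscalation, runAsNonRoot, root user, NET_RAW/ALL capability drop, seccompProfile) and the cluster-admin binding check, as an added example that is not EchelonGraph's watcher code: a pure-Python evaluation over dicts shaped like Kubernetes API objects. Field names follow the Kubernetes API; the two sample objects are constructed.

```python
# Added example (not EchelonGraph's watcher code): Section 5 checks over dicts
# shaped like Kubernetes API objects. All sample objects are constructed.

def pod_findings(pod: dict) -> list[str]:
    """Return the names of the pod/container checks this Pod fails."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    findings = []
    if spec.get("hostNetwork"):
        findings.append("hostNetwork")
    if spec.get("hostIPC"):
        findings.append("hostIPC")
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        sc = c.get("securityContext", {})
        name = c["name"]
        if sc.get("privileged"):
            findings.append(f"{name}: privileged")
        # The kubelet treats an unset allowPrivilegeEscalation as true.
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}: allowPrivilegeEscalation")
        # Container-level settings override the Pod-level securityContext.
        if not sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False)):
            findings.append(f"{name}: runAsNonRoot")
        if sc.get("runAsUser", pod_sc.get("runAsUser")) == 0:
            findings.append(f"{name}: runAsUser=0")
        caps = sc.get("capabilities") or {}
        dropped = {d.upper() for d in caps.get("drop", [])}
        if not dropped & {"ALL", "NET_RAW"}:
            findings.append(f"{name}: NET_RAW not dropped")
        seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile")) or {}
        if seccomp.get("type") not in ("RuntimeDefault", "Localhost"):
            findings.append(f"{name}: seccompProfile")
    return findings

def cluster_admin_findings(crb: dict) -> list[str]:
    """Subjects bound to cluster-admin whose name lies outside system:*."""
    if crb.get("roleRef", {}).get("name") != "cluster-admin":
        return []
    return [f"{s['kind']}/{s['name']}" for s in crb.get("subjects", [])
            if not s["name"].startswith("system:")]

# Constructed: a hostNetwork Pod whose only container is privileged and root.
SAMPLE_POD = {"spec": {"hostNetwork": True, "containers": [{
    "name": "app", "securityContext": {"privileged": True, "runAsUser": 0}}]}}
# Constructed: cluster-admin bound to system:masters (fine) and a user (flagged).
SAMPLE_CRB = {"roleRef": {"name": "cluster-admin"}, "subjects": [
    {"kind": "Group", "name": "system:masters"}, {"kind": "User", "name": "alice"}]}

if __name__ == "__main__":
    print(pod_findings(SAMPLE_POD), cluster_admin_findings(SAMPLE_CRB))
```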