We’re rolling out a new Kubernetes Rule Pack aligned with the CIS Kubernetes Benchmark 1.11.1 to help you enforce security best practices across your clusters without slowing down development. Whether you're managing RBAC policies or locking down pod configurations, this rule pack is built to simplify what used to be a manual and tedious process.
What’s in the rule pack?
The rule pack focuses on two high-impact areas from the CIS Kubernetes Benchmark v1.11.1:
🔐 RBAC & Service Account Security (5.1.1 – 5.1.13)
- Detect overuse of cluster-admin and system:masters
- Flag wildcard permissions and unrestricted role bindings
- Ensure default service accounts are not misused
- Limit impersonation, escalation, and access to sensitive resources
- Why it matters: These rules enforce least privilege access and help eliminate toxic role combinations that can lead to privilege escalation or unauthorized changes.
🛡️ Pod Security Controls (5.2.1 – 5.2.13)
- Block privileged containers and host namespace sharing
- Restrict dangerous capabilities like NET_RAW
- Prevent use of HostPath volumes and HostPorts
- Enforce non-root, seccomp, and other baseline security settings
- Why it matters: These rules prevent container breakout risks, harden workloads by default, and align with Pod Security Admission and OPA/Gatekeeper policies.
📌 What You Need to Do
- Review the rule pack in our GitHub repo
- Test against your dev or staging clusters
- Roll out enforcement incrementally by namespace or environment.
This is the first phase of our rollout: we’re starting with 26 of the 131 CIS Benchmark controls, focused on the areas that deliver the highest risk reduction and fastest wins. Over the next few weeks, we’ll continue expanding coverage across the rest of the benchmark.
.png)
