Earlier this month, we introduced our Kubernetes Rule Pack, built to accelerate secure cluster configurations with out-of-the-box alignment to the CIS Kubernetes Benchmark v1.11.1. We started strong by covering critical areas like RBAC enforcement and pod-level hardening.
Today, we’re excited to announce the next phase of that rollout: a new set of Kubernetes CIS rules that go even deeper across identity, secrets management, networking, and workload isolation.

🔍 What’s New in This Release?
This latest update builds on the foundational 5.1 and 5.2 controls by expanding into:
Secrets Management & Secure Workloads (5.4.x & 5.6.x):
- Prefer Secrets as Files (5.4.1): Flags containers using secrets as environment variables, which are easier to exfiltrate and harder to rotate securely.
- Encourage External Secret Stores (5.4.2): Identifies workloads not integrated with tools like HashiCorp Vault, AWS Secrets Manager, or Kubernetes CSI drivers.
- Enforce Namespace Boundaries (5.6.1): Detects clusters lacking proper namespace segmentation—a must for multi-team or multi-tenant environments.
- Security Context Compliance (5.6.2 – 5.6.4): Finds pods missing baseline security-context settings such as a seccomp profile and runAsNonRoot, as well as pods running in the default namespace.
These rules target real-world misconfigurations that attackers exploit: from overexposed secrets to overly permissive pods. They help you shift left on Kubernetes security while enabling dev teams to focus on shipping code.
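To show what these detection-style rules look for, here is an added example (not the rule pack's own code) that checks a pod manifest, as a dict parsed from YAML or JSON, against the controls described above: Secrets exposed through environment variables (5.4.1), a missing seccomp profile (5.6.2), runAsNonRoot not set (5.6.3), and use of the default namespace (5.6.4). The two sample manifests are constructed for the example.

```python
from typing import Any

def secret_env_refs(container: dict[str, Any]) -> list[str]:
    """Env vars or envFrom sources fed from Secrets (CIS 5.4.1)."""
    hits = [e["name"] for e in container.get("env", [])
            if "secretKeyRef" in e.get("valueFrom", {})]
    hits += [f"envFrom:{s['secretRef']['name']}"
             for s in container.get("envFrom", []) if "secretRef" in s]
    return hits

def check_pod(pod: dict[str, Any]) -> list[str]:
    """One finding per violated control; an empty list means compliant."""
    meta, spec = pod.get("metadata", {}), pod.get("spec", {})
    name, findings = meta.get("name", "<unnamed>"), []
    if meta.get("namespace", "default") == "default":  # 5.6.4
        findings.append(f"{name}: 5.6.4 runs in the default namespace")
    for c in spec.get("containers", []):
        # container securityContext overrides pod-level settings
        ctx = {**spec.get("securityContext", {}), **c.get("securityContext", {})}
        cname = f"{name}/{c['name']}"
        if not ctx.get("seccompProfile", {}).get("type"):  # 5.6.2
            findings.append(f"{cname}: 5.6.2 no seccompProfile set")
        if ctx.get("runAsNonRoot") is not True:  # 5.6.3
            findings.append(f"{cname}: 5.6.3 runAsNonRoot is not true")
        for ref in secret_env_refs(c):  # 5.4.1: mount Secrets as files instead
            findings.append(f"{cname}: 5.4.1 secret exposed via env {ref}")
    return findings

# Constructed sample manifests, not taken from a real cluster
BAD_POD = {"metadata": {"name": "web", "namespace": "default"},
           "spec": {"containers": [{"name": "app", "image": "example/app:1.0",
               "env": [{"name": "DB_PASSWORD", "valueFrom": {
                   "secretKeyRef": {"name": "db", "key": "password"}}}]}]}}
GOOD_POD = {"metadata": {"name": "web", "namespace": "payments"},
            "spec": {"securityContext": {"runAsNonRoot": True,
                                         "seccompProfile": {"type": "RuntimeDefault"}},
                     "containers": [{"name": "app", "image": "example/app:1.0",
                         "volumeMounts": [{"name": "db", "mountPath": "/run/secrets/db",
                                           "readOnly": True}]}],
                     "volumes": [{"name": "db", "secret": {"secretName": "db"}}]}}

if __name__ == "__main__":
    for pod in (BAD_POD, GOOD_POD):
        print(pod["metadata"]["name"], check_pod(pod) or "compliant")
```

The same checks can be pointed at live objects by feeding it the output of `kubectl get pod -o json` for each pod in a staging namespace.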

📌 What You Need to Do
- Review the rule pack in our GitHub repo.
- Test against your dev or staging clusters using these new detection-style rules.
- Roll out enforcement incrementally by namespace or environment.