Kube Bench

5.7 General Policies

5.7.1 Create administrative boundaries between resources using namespaces (Not Scored)

Follow the documentation and create namespaces for objects in your deployment as you need them.

5.7.2 Ensure that the seccomp profile is set to docker/default in your pod definitions (Not Scored)

Seccomp is an alpha feature currently. By default, all alpha features are disabled, so you would need to enable alpha features in the apiserver by passing the "--feature-gates=AllAlpha=true" argument. Edit the /etc/kubernetes/apiserver file on the master node and set the KUBE_API_ARGS parameter to "--feature-gates=AllAlpha=true":

    KUBE_API_ARGS="--feature-gates=AllAlpha=true"

Based on your system, restart the kube-apiserver service. For example:

    systemctl restart kube-apiserver.service

Use annotations to enable the docker/default seccomp profile in your pod definitions. An example is as below:

    apiVersion: v1
    kind: Pod
    metadata:
      name: trustworthy-pod
      annotations:
        seccomp.security.alpha.kubernetes.io/pod: docker/default
    spec:
      containers:
        - name: trustworthy-container
          image: sotrustworthy:latest

5.7.3 Apply Security Context to Your Pods and Containers (Not Scored)

Follow the Kubernetes documentation and apply security contexts to your pods. For a suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker Containers.

5.7.4 The default namespace should not be used (Scored)

Ensure that namespaces are created to allow for appropriate segregation of Kubernetes resources and that all new resources are created in a specific namespace.
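The following Python script is an added example, not code from kube-bench or from the CIS benchmark itself. It audits pod manifests for the two points above: 5.7.3 (a restrictive security context on the pod and each container) and 5.7.4 (nothing running in the default namespace). The three manifests embedded in it are constructed for illustration, and the particular securityContext fields it insists on (runAsNonRoot, allowPrivilegeEscalation, readOnlyRootFilesystem, privileged, capabilities.drop ALL) are the checker's own chosen subset of the Kubernetes securityContext API, not a list the benchmark text prescribes.

```python
"""Audit pod manifests for CIS 5.7.3 (security context) and 5.7.4 (default namespace).

Added example; not part of kube-bench. The manifests below are constructed
samples, and the securityContext fields checked are this script's chosen
subset of the Kubernetes API, not a list mandated by the benchmark.
"""
from typing import Any, Dict, List

# Constructed sample manifests (not taken from any real cluster).
SAMPLE_MANIFESTS: List[Dict[str, Any]] = [
    {   # No namespace in metadata: the API server will place it in "default".
        "apiVersion": "v1", "kind": "Pod",
        "metadata": {"name": "legacy-web"},
        "spec": {"containers": [{"name": "web", "image": "nginx:1.25"}]},
    },
    {   # Lives in its own namespace and carries a restrictive context.
        "apiVersion": "v1", "kind": "Pod",
        "metadata": {"name": "hardened-api", "namespace": "payments"},
        "spec": {
            "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
            "containers": [{
                "name": "api", "image": "api:1.0",
                "securityContext": {
                    "allowPrivilegeEscalation": False,
                    "readOnlyRootFilesystem": True,
                    "privileged": False,
                    "capabilities": {"drop": ["ALL"]},
                },
            }],
        },
    },
    {   # Explicitly in "default" and privileged: fails both checks.
        "apiVersion": "v1", "kind": "Pod",
        "metadata": {"name": "debug-tools", "namespace": "default"},
        "spec": {"containers": [{"name": "tools", "image": "busybox",
                                 "securityContext": {"privileged": True}}]},
    },
]


def namespace_of(manifest: Dict[str, Any]) -> str:
    """Namespace the resource would land in; a missing field means 'default'."""
    return manifest.get("metadata", {}).get("namespace") or "default"


def check_default_namespace(manifest: Dict[str, Any]) -> List[str]:
    """CIS 5.7.4: flag any workload that ends up in the default namespace."""
    name = manifest["metadata"]["name"]
    if namespace_of(manifest) == "default":
        return [f"{name}: resource is in the default namespace"]
    return []


def check_security_context(manifest: Dict[str, Any]) -> List[str]:
    """CIS 5.7.3: flag containers without a restrictive security context.

    A container-level setting overrides the pod-level one for runAsNonRoot;
    everything else checked here is container-level only.
    """
    findings: List[str] = []
    name = manifest["metadata"]["name"]
    spec = manifest.get("spec", {})
    pod_ctx = spec.get("securityContext", {})
    for container in spec.get("containers", []):
        ctx = container.get("securityContext", {})
        cname = f"{name}/{container['name']}"
        if not ctx.get("runAsNonRoot", pod_ctx.get("runAsNonRoot", False)):
            findings.append(f"{cname}: runAsNonRoot is not true")
        if ctx.get("privileged"):
            findings.append(f"{cname}: container is privileged")
        # Kubernetes defaults allowPrivilegeEscalation to true when unset.
        if ctx.get("allowPrivilegeEscalation", True):
            findings.append(f"{cname}: allowPrivilegeEscalation is not false")
        if not ctx.get("readOnlyRootFilesystem"):
            findings.append(f"{cname}: readOnlyRootFilesystem is not true")
        if "ALL" not in ctx.get("capabilities", {}).get("drop", []):
            findings.append(f"{cname}: capabilities.drop does not include ALL")
    return findings


def audit(manifests: List[Dict[str, Any]]) -> Dict[str, List[str]]:
    """Run both checks over every manifest; an empty list means it passed."""
    return {
        m["metadata"]["name"]: check_default_namespace(m) + check_security_context(m)
        for m in manifests
    }


if __name__ == "__main__":
    for pod_name, findings in audit(SAMPLE_MANIFESTS).items():
        status = "PASS" if not findings else "FAIL"
        print(f"[{status}] {pod_name}")
        for finding in findings:
            print(f"    - {finding}")
```

Run it against manifests exported with `kubectl get pods -A -o json` (after loading the JSON and iterating over `items`) to get the same per-pod findings for a live cluster; only the hardened-api sample passes cleanly.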