Stage 7 · Master
KCSA — Kubernetes & Cloud Native Security Associate
Compliance & Hardening (10%)
CIS benchmarks, Pod Security Standards, and compliance frameworks for Kubernetes.
CIS Kubernetes Benchmarks
The Center for Internet Security (CIS) publishes benchmarks for hardening Kubernetes clusters. These are detailed checklists covering every component — API server, etcd, kubelet, controller manager, and more. The kube-bench tool automates compliance checking.
- Control plane configuration — API server flags, etcd encryption, audit logging.
- etcd — Authentication, peer TLS, client certificate authentication.
- Control plane configuration — Controller manager and scheduler flags.
- Worker Nodes — kubelet configuration, proxy configuration.
- Policies — RBAC, Pod Security, Network Policies.
Pod Security Standards
Pod Security Standards (PSS) replace the deprecated PodSecurityPolicy (PSP). They define three levels of security for Pods: Privileged, Baseline, and Restricted. Each level progressively restricts what containers can do.
| Level | What It Allows | Use Case |
|---|---|---|
| Privileged | Unrestricted — full access to host and kernel | System workloads, trusted operators |
| Baseline | Minimally restrictive — prevents known escalations | Most application workloads |
| Restricted | Heavily restricted — follows security best practices | Security-sensitive workloads |
apiVersion: v1
kind: Namespace
metadata:
name: production
labels:
pod-security.kubernetes.io/enforce: baseline
pod-security.kubernetes.io/audit: restricted
pod-security.kubernetes.io/warn: restrictedThe enforce label blocks non-compliant Pods. The audit label logs violations. The warn label shows warnings to users. Use enforce for Baseline and warn for Restricted to gradually adopt stricter policies.
Enforce rejects non-compliant Pods at creation time. Audit logs violations but allows creation. Warn shows warnings to the user but allows creation. Start with warn/audit and move to enforce after reviewing the impact.
Compliance Frameworks
Depending on your industry, you may need to comply with specific regulatory frameworks. Kubernetes can be configured to meet these requirements, but compliance is a shared responsibility.
| Framework | Industry | Key Requirement |
|---|---|---|
| SOC 2 | General | Security, availability, confidentiality controls |
| HIPAA | Healthcare | PHI protection, audit logging, access controls |
| PCI DSS | Finance | Cardholder data protection, network segmentation |
| GDPR | EU | Data privacy, right to deletion, consent management |
| FedRAMP | US Government | Federal security assessment and authorization |
Hardening Checklist
- Enable RBAC and disable anonymous authentication.
- Encrypt etcd at rest.
- Enable audit logging.
- Apply Pod Security Standards to all namespaces.
- Use Network Policies to segment traffic.
- Scan images for vulnerabilities.
- Restrict privileged containers.
- Enable NodeRestriction admission plugin.
- Rotate certificates regularly.
- Apply CIS benchmarks using kube-bench.
Running kube-bench
# Run as a Pod (recommended for managed clusters)
kubectl apply -f https://raw.githubusercontent.com/aquasecurity/kube-bench/main/job.yaml
# Run directly on a node (if you have SSH access)
kube-bench run --targets master
kube-bench run --targets node
# Run specific check
kube-bench run --check 1.2.1kube-bench checks your cluster against CIS benchmarks and outputs PASS, FAIL, or WARN for each test. Focus on FAIL results and remediate them systematically.
Remediation Strategies
- Prioritize — Fix critical findings first (etcd, API server, RBAC).
- Automate — Use OPA Gatekeeper or Kyverno to prevent regressions.
- Document — Maintain a compliance register showing controls and their status.
- Audit regularly — Run kube-bench periodically, not just once.
- Train teams — Ensure developers understand Pod Security Standards.
The exam tests your knowledge of Pod Security Standards, CIS benchmarks, and compliance concepts. Know the three PSS levels (Privileged, Baseline, Restricted) and what each restricts.
Key Commands
kubectl get ns -L pod-security.kubernetes.io/enforce
kubectl get pods -o json | jq '.items[] | select(.spec.containers[].securityContext.privileged==true)'
kubectl run test-privileged --image=nginx --privileged --dry-run=client -o yaml
kubectl get podsecuritypolicies 2>/dev/null || echo "PSP not available"These commands help you audit namespace security labels, find privileged containers, and check PSP availability. Use them to verify compliance before and after hardening.
Mark this lesson complete to store local progress and unlock a cleaner resume path the next time you visit.