CIS Benchmark™ requirements for Kubernetes
Updated at May 5, 2026
Note
This feature is at the Preview stage.
This ruleset contains the CIS Kubernetes Benchmark
The ruleset contains only the automatic checks corresponding to section 4, Worker Nodes:
| Rule | Security standard requirement | Check ID |
|---|---|---|
| Strict file permissions are enforced for the kubelet service file | 4.1.1 Strict file permissions are enforced for the kubelet service file | kspm.host-security.kubelet-service-file-perm-600 |
| The kubelet service file owner is specified as root:root | 4.1.2 The kubelet service file owner is specified as root:root | kspm.host-security.kubelet-service-file-owner-root |
| Strict file permissions are enforced for the kubeconfig configuration file | 4.1.5 Strict file permissions are enforced for the --kubeconfig kubelet.conf file | kspm.host-security.kubelet-conf-600 |
| The kubeconfig configuration file owner is specified as root:root | 4.1.6 The --kubeconfig kubelet.conf file owner is specified as root:root | kspm.host-security.kubelet-conf-owner-root |
| Strict file permissions are enforced for the kubelet configuration file | 4.1.9 Strict file permissions are enforced for the config.yaml kubelet configuration file | kspm.host-security.kubelet-config-permissions-600 |
| The kubelet configuration file owner is specified as root:root | 4.1.10 The config.yaml kubelet configuration file owner is specified as root:root | kspm.host-security.kubelet-config-owner-root |
| Anonymous requests to the kubelet server are disabled | 4.2.1 The --anonymous-auth argument is set to false | kspm.host-security.anonymous-auth-false |
| Only explicitly authorized requests to the kubelet server are allowed | 4.2.2 The --authorization-mode argument is not set to AlwaysAllow | kspm.host-security.auth-mode-not-always-allow |
| Kubelet authentication with certificates is enabled | 4.2.3 The --client-ca-file argument is set correctly | kspm.host-security.client-ca-file-set |
| Kubelet is permitted to manage iptables | 4.2.6 The --make-iptables-util-chains argument is set to true | kspm.host-security.make-iptables-util-chains-true |
| Kubelet client certificate rotation is enabled | 4.2.10 The --rotate-certificates argument is not set to false | kspm.host-security.rotate-certs-not-false |