Kubernetes security hardening checklist and audit automation based on CIS Benchmarks and production experience.
- Overview
- Quick Start
- Repository Structure
- Security Domains
- Audit Script
- Report Generator
- CI/CD Integration
- Templates
- CIS Benchmark Coverage
- SOC 2 Mapping
- Contributing
- Author
- License
- References
This repository provides a practical security baseline for Kubernetes clusters:
- Audit scripts to identify security gaps across six domains
- HTML/JSON report generation from audit results
- Checklists aligned to CIS Kubernetes Benchmark v1.8.0
- Hardened templates for NetworkPolicy, RBAC, and Pod security
- CI/CD integration via GitHub Actions with Trivy and secret detection
Developed from experience managing 43+ production workloads at 99.9%+ availability.
# Clone the repository
git clone https://github.com/mason5052/k8s-security-baseline.git
cd k8s-security-baseline
# Run the security audit against your cluster (requires kubectl context)
./scripts/audit-cluster.sh
# Generate an HTML report from audit output
./scripts/audit-cluster.sh | python3 scripts/generate-report.py \
--format html \
--output report.html
# Filter report to high and critical findings only
./scripts/audit-cluster.sh | python3 scripts/generate-report.py \
--format html \
--output report-high-critical.html \
--severity high,critical
# Generate JSON report for automation/SIEM integration
./scripts/audit-cluster.sh | python3 scripts/generate-report.py \
--format json \
--output report.json
# Run in demo mode (no cluster required)
python3 scripts/generate-report.py --format html --output demo-report.htmlk8s-security-baseline/
├── scripts/
│ ├── audit-cluster.sh # Automated bash audit across 6 security domains
│ └── generate-report.py # HTML/JSON report generator (--format, --severity)
├── checklists/
│ ├── control-plane.md # API server, etcd, audit logging, TLS (CIS 1.x, 3.x)
│ ├── worker-nodes.md # kubelet hardening, node security (CIS 4.x)
│ ├── pod-security.md # PSA enforcement, security contexts, capabilities
│ ├── network-security.md # NetworkPolicy, namespace isolation, Ingress TLS
│ ├── secrets.md # etcd encryption, ESO, Azure Key Vault, RBAC
│ └── policies.md # RBAC, Pod Security Standards, combined reference
├── templates/
│ ├── network-policy-default-deny.yaml # Default deny + explicit allow templates
│ └── rbac-hardened.yaml # Least-privilege RBAC + pod hardening
└── .github/
└── workflows/
└── security-audit.yml # CI: validate, Trivy scan, report generation, secret detection
API server authentication, etcd encryption at rest, audit logging configuration, TLS certificate management, admission controllers.
kubelet authentication/authorization, read-only port hardening, node restriction, kernel security, file permission hardening.
Pod Security Admission (PSA) enforcement, runAsNonRoot, capability dropping (drop: ALL),
readOnlyRootFilesystem, resource limits, image scanning with Trivy.
Default deny NetworkPolicy (ingress + egress), namespace isolation, Ingress TLS termination, egress controls, service mesh mTLS (Istio/Linkerd).
etcd EncryptionConfiguration, External Secrets Operator + Azure Key Vault integration, RBAC restrictions on secret access, secret rotation, CI/CD secret detection.
Least-privilege roles, service account restrictions, automountServiceAccountToken: false,
namespace isolation, wildcard permission auditing.
scripts/audit-cluster.sh checks all six domains automatically:
[PASS] API server anonymous auth is disabled
[PASS] Audit logging is configured
[FAIL] [HIGH] etcd is not encrypted at rest
[WARN] [MEDIUM] No NetworkPolicy found in namespace: staging
[PASS] Default deny NetworkPolicy in namespace: production
...
Summary: 14 passed, 2 failed, 3 warnings
Output format is structured for piping to generate-report.py.
scripts/generate-report.py produces formatted reports from audit output:
| Flag | Default | Description |
|---|---|---|
--input |
stdin | Audit output file (use - for stdin) |
--output |
security-report.html |
Output file path |
--format |
html |
Output format: html or json |
--severity |
all | Filter: critical, high, medium, low |
--title |
default | Custom report title |
HTML reports include a graded summary card (A/B/C/F) and a color-coded findings table.
The included GitHub Actions workflow (.github/workflows/security-audit.yml) runs on every push and PR:
| Job | What it does |
|---|---|
validate |
shellcheck, Python syntax, YAML validation |
trivy-scan |
IaC misconfiguration + secret scanning (SARIF to Security tab) |
generate-report |
Produces HTML/JSON artifact (downloadable from Actions) |
secret-detection |
gitleaks + detect-secrets across full commit history |
Ready-to-apply NetworkPolicy manifests:
- Default deny all ingress and egress
- DNS egress allow (required for cluster DNS)
- Same-namespace pod communication
- Monitoring namespace scraping
- Controlled external egress
- Namespace with
pod-security.kubernetes.io/enforce: restrictedlabel - Service account with
automountServiceAccountToken: false - Role with least-privilege resource access
- Pod spec with all security hardening applied
| CIS Section | Checklist | Coverage |
|---|---|---|
| 1.x - Control Plane Components | control-plane.md |
API Server, etcd, Controller Manager, Scheduler |
| 2.x - etcd | control-plane.md |
Encryption, access controls |
| 3.x - Control Plane Config | control-plane.md |
Audit logging, certificates |
| 4.x - Worker Nodes | worker-nodes.md |
kubelet, node hardening |
| 5.1 - RBAC | policies.md |
Least privilege, service accounts |
| 5.2 - Pod Security | pod-security.md |
PSA, security contexts, capabilities |
| 5.3 - Network Policies | network-security.md |
Default deny, namespace isolation |
| 5.4 - Secrets Management | secrets.md |
Encryption at rest, ESO, RBAC |
This security baseline maps directly to SOC 2 Type II Trust Services Criteria, enabling organizations to use these controls as audit-ready evidence.
| TSC | Criteria | Security Domain | Controls Covered |
|---|---|---|---|
| CC6.1 | Logical Access | RBAC and Policies | Least-privilege roles, service account restrictions, namespace isolation |
| CC6.6 | System Boundaries | Network Security | Default deny NetworkPolicy, namespace isolation, ingress TLS |
| CC6.7 | Data Transmission | Network Security | mTLS, TLS termination, encrypted ingress/egress |
| CC6.8 | Malicious Software | Pod Security | Container image scanning (Trivy), read-only root filesystem, non-root containers |
| CC7.1 | Detection Mechanisms | Audit and Monitoring | Audit logging, CI/CD secret detection, vulnerability scanning |
| CC7.2 | Anomaly Monitoring | Control Plane | API server audit logs, admission controllers, control plane hardening |
| CC8.1 | Change Management | CI/CD Integration | GitHub Actions validation, automated security gates, IaC review |
| A1.2 | Recovery Mechanisms | Secrets Management | etcd encryption at rest, secret rotation, backup procedures |
| C1.1 | Confidential Data | Secrets Management | Encrypted secrets, RBAC access controls, External Secrets Operator |
| P6.1 | Data Privacy | Network Security | Namespace isolation, egress controls, data boundary enforcement |
Each checklist in this repository documents which CIS controls map to the corresponding SOC 2 criteria, enabling audit-ready evidence collection.
Contributions are welcome. See CONTRIBUTING.md for guidelines.
Mason Kim -- Security Engineer
- GitHub: @mason5052
- LinkedIn: Mason Kim
- Portfolio: mason5052.github.io/mason-kim
- MS Cybersecurity, Georgia Institute of Technology
- CEH | Terraform Associate (004) | CASE Java
MIT License - see LICENSE for details.