Compliance Policy Configuration

Compliance Configuration can be accessed through Policy Config > Compliance. Container Protection supports three types of compliance policies:

CIS Kubernetes Benchmark applies to Kubernetes clusters on self-hosted sites and on Azure Kubernetes Service. Two versions are available: version 1.5.1 covers Kubernetes 1.15, and version 1.6.1 covers Kubernetes 1.16 and above.

CIS Benchmark for EKS applies only to Kubernetes clusters on Amazon Elastic Kubernetes Service.

CIS Benchmark for GKE applies only to Kubernetes clusters on Google Kubernetes Engine.

Click any of the three CIS Benchmark tabs to access the compliance policy configuration for that platform.

By default, when a Kubernetes cluster is added to Container Protection, the compliance policies are automatically assigned to the cluster and no additional configuration is needed.

Only the compliance policies that are enabled are included in the compliance scan.

Compliance Policy Configuration

Follow the steps below to configure the Compliance Policies:

  1. Check your Kubernetes cluster version with the CLI command kubectl get nodes (the VERSION column shows each node's kubelet version).
  2. Use the table below to determine which CIS Kubernetes Benchmark version supports your Kubernetes cluster.

     CIS Kubernetes Benchmark version    Supported Kubernetes cluster version
     1.5.1                               v1.15.x
     1.6.1                               v1.16.x and up

  3. On the Compliance page, click the Version drop-down box and select the supported CIS Kubernetes Benchmark version.
  4. If your Kubernetes cluster is on Amazon EKS or Google GKE, click CIS Benchmark for EKS or CIS Benchmark for GKE instead.
  5. Click the checkbox of the compliance policy.
  6. Click the Enable button to enable the policy, or the Disable button to disable it.
  7. Alternatively, click View More to reveal the General tab, then click the Enabled toggle switch to enable the policy.

     Note: To enable or disable all policies at once, click the top checkbox next to the Policy Name column, then click the Enable button to enable all policies or the Disable button to disable all of them.

     Note: You can also check manually whether the Kubernetes cluster complies with a policy by running the audit command the policy provides (for many file-permission policies this is a stat command). Click the Audit tab and run the CLI command shown in the Audit section.

  8. Go to the Remediation tab and click the Auto Remediation toggle switch to let Container Protection automatically fix the non-compliant configuration.

     Note: Not all compliance policies have an Auto Remediation option. Check the policy's remediation detail on the Cluster Detail page for manual remediation instructions.
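As an added example, not part of this page or of Container Protection itself, the shell script below carries out the version check in the first two steps and the manual-audit note on constructed input. It picks the CIS Kubernetes Benchmark version from the kubelet versions that kubectl get nodes would report, judging a mixed-version cluster by its oldest node, and it evaluates a file-permission audit of the kind the benchmark expresses as stat -c %a against a "mode 644 or more restrictive" requirement. The node-version list is constructed, the function names are the example's own, and the permission check is a generic instance of the benchmark's file-mode audits rather than any specific Container Protection policy.

```shell
#!/bin/sh
# Added example, not from the Fortinet page: select the CIS Kubernetes Benchmark
# version from the kubelet versions that `kubectl get nodes` reports, and evaluate
# a "mode 644 or more restrictive" file-permission audit the way the benchmark's
# `stat -c %a` audit steps intend. The sample node versions below are constructed.

# Constructed stand-in for:
#   kubectl get nodes -o jsonpath='{range .items[*]}{.status.nodeInfo.kubeletVersion}{"\n"}{end}'
# A skewed cluster is included on purpose: one node still runs 1.15.
SAMPLE_NODE_VERSIONS='v1.16.8
v1.15.11-eks-af3caf
v1.16.9'

# minor_of VERSION: print the minor number of a vMAJOR.MINOR.PATCH[-suffix] string
minor_of() {
    v=${1#v}                        # drop leading "v"
    v=${v#*.}                       # drop "MAJOR."
    printf '%s\n' "${v%%[!0-9]*}"   # keep the leading digits only
}

# lowest_minor: read versions on stdin, print the lowest minor. A mixed-version
# cluster must be judged by its oldest node, not its newest.
lowest_minor() {
    min=""
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        m=$(minor_of "$line")
        if [ -z "$min" ] || [ "$m" -lt "$min" ]; then
            min=$m
        fi
    done
    printf '%s\n' "$min"
}

# benchmark_for_minor MINOR: map to the CIS Kubernetes Benchmark version from the
# table on this page; anything older than 1.15 has no supported benchmark here.
benchmark_for_minor() {
    if [ "$1" -ge 16 ]; then
        printf '1.6.1\n'
    elif [ "$1" -eq 15 ]; then
        printf '1.5.1\n'
    else
        printf 'unsupported\n'
    fi
}

# mode_within ACTUAL MAX: succeed when ACTUAL (octal, as `stat -c %a` prints it)
# sets no permission bit that MAX does not. "644 or more restrictive" is a bit
# test, not a numeric comparison: 600 passes, 664 fails, and 624 fails even though
# 624 < 644 numerically, because it grants group write.
mode_within() {
    [ $(( 0$1 & ~0$2 )) -eq 0 ]
}

# audit_file_mode FILE MAX: one PASS/FAIL line in the style of a benchmark audit
audit_file_mode() {
    actual=$(stat -c %a "$1" 2>/dev/null) || {
        printf 'FAIL %s: cannot stat\n' "$1"
        return 0
    }
    if mode_within "$actual" "$2"; then
        printf 'PASS %s mode %s\n' "$1" "$actual"
    else
        printf 'FAIL %s mode %s is looser than %s\n' "$1" "$actual" "$2"
    fi
}

# Demonstration on the constructed input above and on a scratch file
minor=$(printf '%s\n' "$SAMPLE_NODE_VERSIONS" | lowest_minor)
printf 'oldest node minor %s -> CIS Kubernetes Benchmark %s\n' "$minor" "$(benchmark_for_minor "$minor")"

scratch=$(mktemp)
chmod 600 "$scratch"; audit_file_mode "$scratch" 644   # PASS
chmod 664 "$scratch"; audit_file_mode "$scratch" 644   # FAIL
rm -f "$scratch"
```

To use it against a real cluster, replace SAMPLE_NODE_VERSIONS with the output of the kubectl command in the comment and point audit_file_mode at the file named in the policy's Audit tab. The bit test in mode_within is the part worth copying: a plain numeric or string comparison against 644 would wrongly accept a group-writable 624.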

Auto Remediation

Success on Auto Remediation

When auto remediation has successfully fixed the non-compliant cluster setting, click the link to the auto remediation logs to see what was executed.

Failure on Auto Remediation

When auto remediation fails to fix the non-compliant cluster setting, manual remediation is required.