Compliance Configuration can be accessed through Policy Config > Compliance. There are three types of compliance policies supported by Container Protection:
CIS Kubernetes Benchmark version 1.5.1 applies to Kubernetes clusters version 1.15 on self-hosted sites and Azure Kubernetes Service.
CIS Kubernetes Benchmark version 1.6.1 applies to Kubernetes clusters version 1.16 and above on self-hosted sites and Azure Kubernetes Service.
CIS Benchmark for EKS only applies to Kubernetes clusters on Amazon Elastic Kubernetes Service.
CIS Benchmark for GKE only applies to Kubernetes clusters on Google Kubernetes Engine.
Click on any of the three CIS Benchmark tabs to access the compliance policy configuration for that platform.
By default, when a Kubernetes cluster is added to Container Protection, the compliance policies are automatically assigned to the cluster and no additional configuration is needed.
Only the compliance policies that are enabled will be part of the compliance scan.
Follow the steps below to configure the Compliance Policies:
- Check your Kubernetes cluster version by running the CLI command kubectl get nodes.
- Use the table below to determine which CIS Kubernetes Benchmark version supports your Kubernetes cluster.
- On the Compliance page, click the Version drop-down and select the supported CIS Kubernetes Benchmark version.
- Click the checkbox of the compliance policy you want to change.
- Click the Enable button to enable the policy, or the Disable button to disable it.
- Go to the Remediation tab and click the Auto Remediation toggle to let Container Protection automatically fix the non-compliant configuration.
| CIS Kubernetes Benchmark version | Supported Kubernetes cluster version |
|---|---|
| 1.5.1 | v1.15.x |
| 1.6.1 | v1.16.x and up |
If your Kubernetes cluster is on Amazon EKS or Google GKE, click on CIS Benchmark for EKS or CIS Benchmark for GKE.
Alternatively, click View More to reveal the General tab, then click the Enabled toggle to enable the policy.
Note: To enable or disable all policies at once, click the top checkbox next to the Policy Name column, then click the Enable button to enable all policies or the Disable button to disable all policies.
Note: You can also manually check whether a Kubernetes cluster complies with a policy by running the stat command provided for it. Click the Audit tab and run the CLI command shown in the Audit section.
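The two manual steps above, picking the benchmark version from kubectl get nodes and running a stat-style audit check, as an added shell example that is not part of Container Protection. The permission limit passed to check_mode is a hypothetical value; the real one comes from the policy's Audit section, and the node listing is a constructed sample.

```shell
#!/usr/bin/env bash
# Added example, not Container Protection's own tooling: choose the CIS
# Kubernetes Benchmark version from `kubectl get nodes` output, then run a
# file-permission check of the kind the Audit tab's stat commands perform.
set -eu

# Map the oldest node's minor version to the benchmark version listed on
# this page: 1.15 -> 1.5.1, 1.16 and up -> 1.6.1, older -> unsupported.
# Reads `kubectl get nodes` output (header plus one line per node) on stdin.
pick_benchmark() {
    local lowest="" name status roles age version minor
    while read -r name status roles age version; do
        [ "$name" = "NAME" ] && continue          # skip the column header
        # VERSION looks like v1.16.8 or v1.16.8-eks-e16311; keep the minor number
        minor=$(printf '%s' "$version" | sed -E 's/^v?1\.([0-9]+).*/\1/')
        if [ -z "$lowest" ] || [ "$minor" -lt "$lowest" ]; then
            lowest=$minor
        fi
    done
    # During a rolling upgrade nodes differ; the oldest node decides.
    if [ "$lowest" -ge 16 ]; then echo "1.6.1"
    elif [ "$lowest" -eq 15 ]; then echo "1.5.1"
    else echo "unsupported"; fi
}

# Manual audit in the style of the Audit tab: PASS if the file's mode is
# "$max or more restrictive", i.e. it sets no permission bit that $max lacks.
# $max is a hypothetical limit; the real value comes from the policy's
# Audit section. Returns 0 on PASS, 1 on FAIL.
check_mode() {
    local file=$1 max=$2 mode
    mode=$(stat -c %a "$file")
    if [ $(( (0$mode & ~0$max) & 0777 )) -eq 0 ]; then
        echo "PASS $file mode=$mode (max $max)"
    else
        echo "FAIL $file mode=$mode (max $max)"; return 1
    fi
}

# Constructed sample of `kubectl get nodes` output for a mixed-version cluster
SAMPLE_NODES='NAME      STATUS   ROLES    AGE   VERSION
master-1  Ready    master   30d   v1.16.8
worker-1  Ready    <none>   30d   v1.16.8-eks-e16311
worker-2  Ready    <none>   2d    v1.17.2'

printf '%s\n' "$SAMPLE_NODES" | pick_benchmark      # prints 1.6.1
```

Run it on a live cluster with kubectl get nodes | pick_benchmark; a mode such as 700 fails against a 644 limit because it grants an owner bit the limit does not, which is how "or more restrictive" is meant.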
Note: Not all compliance policies have the Auto Remediation option. Check the policy's remediation details on the Cluster Detail page for manual remediation instructions.
When auto remediation successfully fixes the non-compliant cluster setting, click the link to the auto remediation logs to see what was executed.
When auto remediation fails to fix the non-compliant cluster setting, manual remediation is required.