CIS Docker v1.6: 38/46 controls pass

CIS Kubernetes v1.8: 18/20 controls pass
## Docker: Container Images (Section 4)

| # | Recommendation | Status |
|---|---|---|
| 4.1 | User for container created | ✅ |
| 4.2 | Trusted base images only | ✅ |
| 4.3 | Unnecessary packages not installed | ✅ |
| 4.4 | Images scanned and rebuilt | ⚠️ |
| 4.6 | HEALTHCHECK added | ✅ |
| 4.8 | setuid/setgid removed | ✅ |
| 4.9 | COPY used instead of ADD | ✅ |
| 4.10 | Secrets not in Dockerfiles | ✅ |

## Docker: Container Runtime (Section 5)

| # | Recommendation | Status |
|---|---|---|
| 5.3 | Kernel capabilities restricted | ✅ |
| 5.4 | Privileged containers not used | ✅ |
| 5.5 | Sensitive host dirs not mounted | ✅ |
| 5.6 | SSH not running in containers | ✅ |
| 5.7 | Privileged ports not mapped | ✅ |
| 5.12 | Root filesystem read-only | ✅ |
| 5.21 | Default seccomp profile | ✅ |
| 5.25 | No additional privileges | ✅ |
| 5.28 | Default bridge not used | ✅ |

## Kubernetes: Policies (Section 5)

| # | Recommendation | Status |
|---|---|---|
| 5.1.5 | Default service account not used | ✅ |
| 5.2.1 | Minimize privileged containers | ✅ |
| 5.2.4 | Minimize allowPrivilegeEscalation | ✅ |
| 5.2.5 | Minimize root containers | ✅ |
| 5.2.6 | Minimize NET_RAW capability | ✅ |
| 5.2.8 | Read-only root filesystem | ✅ |
| 5.3.1 | NetworkPolicies defined | ✅ |
| 5.3.2 | Default deny ingress | ✅ |
| 5.4.1 | Secrets instead of env vars | ✅ |
| 6.1 | Seccomp profile set | ✅ |

## Legend

- ✅ Compliant
- ⚠️ Partial / Recommended
- ℹ️ Host / Cluster responsibility