Compliance & Security Standards

Compliance Overview

Organizations running Kubernetes must comply with industry standards and regulations. CIS Benchmarks, PCI-DSS, HIPAA, SOC 2, and others define security requirements. This guide covers how to achieve and maintain compliance in Kubernetes clusters.

💡 Key Insight: Compliance is not a one-time checklist—it requires continuous monitoring, auditing, and improvement.

CIS Kubernetes Benchmark

The Center for Internet Security (CIS) Kubernetes Benchmark provides security best practices for Kubernetes clusters. It covers control plane security, worker node security, and policies.

Key CIS Control Areas

Category	Focus Areas
Control Plane	API server, etcd, scheduler, controller manager security
Worker Nodes	Kubelet configuration, OS security, runtime security
Policies	RBAC, network policies, pod security policies
Compliance	Audit logging, monitoring, vulnerability scanning

CIS Benchmark Scanning

kube-bench: Automated CIS benchmark checker
Kubesec: Static YAML analysis
Polaris: Configuration auditing and hardening

Run kube-bench

Quick CIS benchmark assessment:

Install: wget https://github.com/aquasecurity/kube-bench/releases/download/v0.7.0/kube-bench_linux_x86_64.tar.gz
Run: ./kube-bench run
Output: Pass/Fail/Warn for each CIS control

Compliance Frameworks

PCI-DSS (Payment Card Industry)

Required if processing payment card data:

Encryption for data at rest and in transit
Access control and RBAC
Audit logging and monitoring
Regular vulnerability scanning
Incident response procedures

HIPAA (Health Insurance Portability)

Required for healthcare applications:

Encryption of PHI (Protected Health Information)
Access controls and authentication
Audit logging and accountability
Data integrity controls
Disaster recovery and backup

SOC 2 (Service Organization Control)

For SaaS and service providers:

Security: Access controls, encryption, monitoring
Availability: Uptime SLAs, disaster recovery
Processing Integrity: Data accuracy and completeness
Confidentiality: Data protection controls
Privacy: Data handling and consent management

ISO 27001 (Information Security)

International information security standard:

Risk assessment and management
Security policies and procedures
Access control
Incident management
Continuous improvement

Automated Compliance Checking

Tools & Solutions

Tool	Purpose
Polaris	Audit configuration against best practices
kube-bench	CIS Kubernetes Benchmark automation
Kubesec	YAML security analysis
OPA/Gatekeeper	Policy as code for compliance enforcement
Falco	Runtime security and threat detection

Continuous Compliance with OPA

Use OPA (Open Policy Agent) for policy-as-code:

Define compliance rules in Rego language
Enforce policies at admission time
Audit existing resources
Generate compliance reports

Compliance Checklist

✓ Run CIS benchmark assessment (kube-bench)
✓ Remediate critical and high findings
✓ Implement RBAC with least privilege
✓ Enable encryption at rest (etcd, secrets)
✓ Enable audit logging for all API access
✓ Implement network policies
✓ Enable Pod Security Standards
✓ Scan images for vulnerabilities
✓ Implement admission controllers
✓ Enable runtime monitoring (Falco)
✓ Regular backup and DR testing
✓ Documented security procedures
✓ Quarterly compliance assessments
✓ Incident response plan