1. Deploy kube-bench as a Kubernetes Job on each node type (control plane, worker, etcd) using the provided manifest templates
2. Review the benchmark output for PASS, FAIL, and WARN findings across the CIS Kubernetes Benchmark sections
3. Prioritize findings in the Level 1 category as these represent baseline hardening with low operational impact
4. For each FAIL finding, consult the remediation text in the output and apply the recommended configuration change
5. Re-run kube-bench after remediation to confirm findings are resolved
6. Integrate kube-bench into a scheduled CI or cron job to detect configuration drift over time
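As an added example (not from the page or the kube-bench project), a Python helper for steps 2, 4, 5 and 6: it flattens kube-bench's --json output, counts PASS/FAIL/WARN, prints the remediation text for each FAIL, and diffs a baseline run against a re-run so a scheduled job exits non-zero on persistent or newly introduced FAILs. It assumes the single {"Controls": [...]} document kube-bench emits with --json; the two sample runs are constructed.

```python
# Parse kube-bench --json output, summarize statuses, and diff two runs for drift.
import json, sys

def findings(raw):
    """Flatten a kube-bench JSON document into {test_number: result dict}."""
    out = {}
    for control in json.loads(raw).get("Controls", []):
        for test in control.get("tests", []):
            for r in test.get("results", []):
                out[r["test_number"]] = {"status": r["status"], "scored": r.get("scored", False),
                                         "node_type": control.get("node_type", ""),
                                         "remediation": r.get("remediation", "")}
    return out

def summarize(raw):
    """Count statuses; WARN is typically an unscored/manual check, not a confirmed failure."""
    counts = {"PASS": 0, "FAIL": 0, "WARN": 0, "INFO": 0}
    for r in findings(raw).values():
        counts[r["status"]] = counts.get(r["status"], 0) + 1
    return counts

def drift(before_raw, after_raw):
    """Compare two runs by test_number: FAILs resolved, still present, or newly introduced."""
    before = {k for k, v in findings(before_raw).items() if v["status"] == "FAIL"}
    after = {k for k, v in findings(after_raw).items() if v["status"] == "FAIL"}
    return {"resolved": sorted(before - after), "persistent": sorted(before & after),
            "new": sorted(after - before)}

def _sample(status_121, status_411):
    """Constructed sample in kube-bench's JSON shape; ids and text are placeholders."""
    return json.dumps({"Controls": [
        {"id": "1", "node_type": "master", "tests": [{"section": "1.2", "results": [
            {"test_number": "1.2.1", "test_desc": "constructed API server check", "scored": True,
             "status": status_121, "remediation": "constructed remediation text"},
            {"test_number": "1.2.2", "test_desc": "constructed manual check", "scored": False,
             "status": "WARN", "remediation": ""}]}]},
        {"id": "4", "node_type": "node", "tests": [{"section": "4.1", "results": [
            {"test_number": "4.1.1", "test_desc": "constructed kubelet check", "scored": True,
             "status": status_411, "remediation": "constructed remediation text"}]}]}]})

BASELINE = _sample("FAIL", "PASS")
RERUN = _sample("PASS", "FAIL")  # 1.2.1 remediated, but 4.1.1 regressed: configuration drift
if __name__ == "__main__":
    # CI usage: python kb_drift.py baseline.json current.json  (exit 1 on any FAIL)
    before, after = [open(p).read() for p in sys.argv[1:3]] if len(sys.argv) > 2 else [BASELINE, RERUN]
    report = drift(before, after)
    print(summarize(after), report)
    for num in report["persistent"] + report["new"]:
        print("FAIL", num, findings(after)[num]["remediation"])
    sys.exit(1 if report["persistent"] or report["new"] else 0)
```

Run without arguments to see the constructed drift case; in a scheduled job, keep the accepted baseline output alongside the pipeline and pass the latest run as the second argument.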
Known gotchas
- kube-bench must be run with sufficient privileges to read node configuration files; running with insufficient permissions produces false FAIL results for checks it cannot evaluate
- Benchmark control IDs and remediation steps are version-specific; confirm that the kube-bench version in use maps to the CIS benchmark for the target Kubernetes version, so the control IDs and remediation text in the output actually apply
- Some CIS Level 2 controls conflict with managed Kubernetes service defaults (e.g., cloud provider audit log configurations); understand which controls are not applicable before treating all FAILs as remediation targets