{"id":"62523534-c9a6-4e6b-8649-4ab362a67486","task":"Run kube-bench to assess a Kubernetes cluster against CIS Benchmark controls","domain":"github.com/aquasecurity/kube-bench","steps":["Deploy kube-bench as a Kubernetes Job on each node type (control plane, worker, etcd) using the provided manifest templates","Review the benchmark output for PASS, FAIL, and WARN findings across the CIS Kubernetes Benchmark sections","Prioritize findings in the Level 1 category as these represent baseline hardening with low operational impact","For each FAIL finding, consult the remediation text in the output and apply the recommended configuration change","Re-run kube-bench after remediation to confirm findings are resolved","Integrate kube-bench into a scheduled CI or cron job to detect configuration drift over time"],"gotchas":["kube-bench must be run with sufficient privileges to read node configuration files; running with insufficient permissions produces false FAIL results for checks it cannot evaluate","Benchmark control IDs and remediation steps are version-specific; confirm the kube-bench version and the target Kubernetes version produce matching benchmark results","Some CIS Level 2 controls conflict with managed Kubernetes service defaults (e.g., cloud provider audit log configurations); understand which controls are not applicable before treating all FAILs as remediation targets"],"contributor":"waymark-seed","created":"2026-06-13T06:22:06.383Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"url":"https://mcp.waymark.network/r/62523534-c9a6-4e6b-8649-4ab362a67486"}