Self-assessment guide
This section provides guidance for assessing your vCluster deployment against the CIS Kubernetes Benchmark v1.10 for Kubernetes v1.31.
If you follow the hardening guide, your vCluster is configured to pass the applicable controls of the CIS Kubernetes Benchmark. However, proving compliance requires understanding what each control expects and how to verify it in your specific environment.
Traditional compliance tools such as kube-bench cannot be directly used with vCluster because:
- vCluster runs control plane components as containers, not system processes
- File paths and process structures differ from standard Kubernetes
- Many checks assume direct host access that doesn't exist in virtualized environments
The assessment guides provide manual verification methods specifically adapted for vCluster's architecture. Each control is evaluated and categorized to help you understand its applicability to your environment.
While tools such as kube-bench are commonly used to validate CIS benchmark compliance in traditional Kubernetes deployments, they cannot be directly applied to vCluster environments due to the fundamental differences in how vCluster operates. vCluster's virtualized control plane architecture means that many components run as containers within the host cluster rather than as traditional system processes, making standard automated assessment tools incompatible with this deployment model.
For vCluster environments, manual verification of controls and custom assessment approaches are necessary to ensure compliance with the benchmark requirements.
Assessment methodology​
Each control in the CIS Kubernetes Benchmark was tested against a vCluster configured according to the hardening guide. The testing methodology accounts for vCluster's unique architecture.
Where the standard CIS audit procedures don't work with vCluster, use modified commands specific to the vCluster environment. Each control receives one of three classifications:
-
PASS: The vCluster under test successfully passed the audit outlined in the benchmark. Your hardened configuration meets this security requirement.
-
NOT APPLICABLE: The control doesn't apply to vCluster due to its virtualized architecture. The remediation section explains why this control isn't relevant and how vCluster's design addresses the underlying security concern differently.
-
WARN: The control requires manual evaluation based on your specific use case or environment. These controls cannot be automatically verified because they depend on organizational policies, deployment context, or other factors that vary between installations. The guide ensures vCluster doesn't prevent implementation of these controls but doesn't automatically configure them.
Assessment sections​
The assessment sections provide detailed guidance for each area of the CIS Kubernetes Benchmark. The following table lists the count of security control classifications for each section.
| Assessment sections | PASS | WARN | NOT APPLICABLE |
|---|---|---|---|
| Control plane security configuration | 45 | 0 | 14 |
| etcd node configuration | 7 | 0 | 0 |
| Control plane configuration | 1 | 4 | 0 |
| Worker node security configuration | 0 | 0 | 24 |
| Kubernetes Policies | 11 | 24 | 0 |
Review the assessment sections and map them to your vCluster configuration to ensure that your hardened deployment follows security best practices, as well as is auditable and defensible in a compliance context.