Systematic Enforcement of CIS-Aligned Security Controls for Kubernetes Worker Nodes

Balaramakrishna Alti

Abstract

Securing Kubernetes worker nodes remains a persistent challenge in enterprise environments due to configuration drift, inconsistent operating system hardening, and limited visibility into runtime security posture. While the Center for Internet Security (CIS) provides benchmark recommendations for Kubernetes and Linux systems, manual enforcement of these controls is error-prone and difficult to sustain at scale. This paper presents an automated approach for hardening Kubernetes worker nodes by integrating CIS benchmark compliance with Linux security controls using configuration management automation. The proposed framework focuses on repeatable enforcement, continuous compliance validation, and operational stability. We describe the system architecture, control mapping strategy, and automation workflow, and evaluate its impact on configuration compliance and operational availability in a controlled Kubernetes environment. Results demonstrate measurable improvements in benchmark compliance while maintaining cluster stability, highlighting the feasibility of automation-driven security hardening for Kubernetes worker nodes.
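The abstract describes a check, remediate and re-validate loop driven by a control map from benchmark recommendations to concrete node settings. The block below is an added example of that loop for the kubelet portion of a worker node, written for this page and not taken from the paper or its framework. The field names are the real KubeletConfiguration fields (authentication.anonymous.enabled, authorization.mode, readOnlyPort, protectKernelDefaults, and so on) that the CIS Kubernetes Benchmark's worker-node section addresses; the recommendation numbers differ between benchmark editions, so only the setting names are used. The drifted input configuration is constructed inline rather than read from /var/lib/kubelet/config.yaml, and the clientCAFile path used for remediation is the kubeadm default and an assumption.

```python
"""Added example: check / remediate / re-validate for kubelet settings on a
worker node.  Not the paper's code.  Field names are real KubeletConfiguration
fields; the input below is a constructed, drifted config, not a file read
from /var/lib/kubelet/config.yaml."""
import copy

# Constructed sample of a kubelet config.yaml that has drifted from the
# hardened baseline (loaded as a dict; a real run would parse the YAML file).
DRIFTED_KUBELET_CONFIG = {
    "apiVersion": "kubelet.config.k8s.io/v1beta1",
    "kind": "KubeletConfiguration",
    "authentication": {
        "anonymous": {"enabled": True},      # unauthenticated kubelet API
        "webhook": {"enabled": False},       # no API-server token review
        "x509": {},                          # no client CA configured
    },
    "authorization": {"mode": "AlwaysAllow"},  # every caller authorised
    "readOnlyPort": 10255,                    # unauthenticated read-only port
    "streamingConnectionIdleTimeout": "0s",   # idle exec/attach never closed
    "protectKernelDefaults": False,
    "makeIPTablesUtilChains": True,           # already compliant
    "rotateCertificates": False,
}

# Assumed kubeadm default path for the cluster CA (an assumption).
CLIENT_CA_FILE = "/etc/kubernetes/pki/ca.crt"


def _get(cfg, path, default=None):
    """Read a dotted path such as 'authentication.anonymous.enabled'."""
    node = cfg
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node


def _set(cfg, path, value):
    """Write a dotted path, creating intermediate mappings as needed."""
    keys = path.split(".")
    node = cfg
    for key in keys[:-1]:
        node = node.setdefault(key, {})
    node[keys[-1]] = value


# Control map: (setting, predicate that is true when compliant, remediation).
CONTROLS = [
    ("authentication.anonymous.enabled", lambda v: v is False, False),
    ("authentication.webhook.enabled", lambda v: v is True, True),
    ("authentication.x509.clientCAFile",
     lambda v: isinstance(v, str) and v != "", CLIENT_CA_FILE),
    ("authorization.mode", lambda v: v == "Webhook", "Webhook"),
    ("readOnlyPort", lambda v: v == 0, 0),
    ("streamingConnectionIdleTimeout",
     lambda v: v not in (None, "0", "0s"), "4h0m0s"),
    ("protectKernelDefaults", lambda v: v is True, True),
    ("makeIPTablesUtilChains", lambda v: v is True, True),
    ("rotateCertificates", lambda v: v is True, True),
]


def evaluate(cfg):
    """Return [(setting, actual_value)] for every non-compliant setting."""
    return [(path, _get(cfg, path))
            for path, compliant, _ in CONTROLS if not compliant(_get(cfg, path))]


def remediate(cfg):
    """Return a hardened copy; the input is left untouched for diffing."""
    fixed = copy.deepcopy(cfg)
    for path, compliant, value in CONTROLS:
        if not compliant(_get(fixed, path)):
            _set(fixed, path, value)
    return fixed


def enforce(cfg):
    """One enforcement cycle: count findings, remediate, re-validate."""
    before = evaluate(cfg)
    hardened = remediate(cfg)
    after = evaluate(hardened)
    return {"before": len(before), "after": len(after), "config": hardened}


if __name__ == "__main__":
    result = enforce(DRIFTED_KUBELET_CONFIG)
    for path, actual in evaluate(DRIFTED_KUBELET_CONFIG):
        print(f"FAIL {path} = {actual!r}")
    print(f"findings before: {result['before']}, after: {result['after']}")
```

Two operational caveats that matter for the "cluster stability" part of the abstract: the re-validation step should run after the kubelet has actually restarted with the new file, not merely after the file is written, and setting protectKernelDefaults to true makes the kubelet refuse to start unless the node's sysctls already match its expectations (for example vm.overcommit_memory=1, kernel.panic=10 and kernel.panic_on_oops=1), so the Linux hardening role must apply those sysctls before this kubelet control is enforced.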

Article Details

How to Cite
Alti, B. (2023). Systematic Enforcement of CIS-Aligned Security Controls for Kubernetes Worker Nodes. The Eastasouth Journal of Information System and Computer Science, 1(01), 156–168. https://doi.org/10.58812/esiscs.v1i01.864
