Active Work

Kubernetes Cluster Hardening Baseline

Tags: AKS, Bicep, Kyverno, Falco, Cilium, OPA / Gatekeeper, Trivy

About this project

CIS Kubernetes Benchmark-aligned hardening baseline for AKS clusters — covering control plane configuration, RBAC, network policy, pod security standards, and runtime threat detection.

Background

Default AKS cluster configuration is not a security baseline. Out of the box, you get a functional cluster, not a hardened one. The gap between "running" and "secure" is significant: permissive RBAC, no network policy, no admission control, no runtime threat detection. The hardening baseline closes that gap systematically, starting from the CIS Kubernetes Benchmark and adapting it to AKS specifics.

Cilium as the network layer rather than the Azure CNI default was a deliberate choice — Cilium provides eBPF-based network policy enforcement with significantly more granularity than standard Kubernetes NetworkPolicy objects, and integrates with Hubble for network flow observability. Kyverno handles policy-as-code at the admission layer: every pod creation is evaluated against policies before it's scheduled. Falco monitors runtime behaviour and alerts on syscall anomalies that indicate compromise.
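The manifests below are an added illustration of the three layers that paragraph describes, not code from the baseline repository itself. They assume a namespace called `payments` and an application pod labelled `app: payments-api` that needs to accept traffic from an `app: gateway` pod and resolve DNS (all constructed names). The Namespace carries Pod Security Standards labels, a standard NetworkPolicy puts the namespace into default-deny (Cilium enforces these as well as its own CRDs), a CiliumNetworkPolicy adds the explicit allow rules, and a Kyverno ClusterPolicy rejects privileged containers at admission.

```yaml
# Namespace-level Pod Security Standards: "restricted" is enforced, and the
# same level is used for audit/warn so violations are visible before rollout.
apiVersion: v1
kind: Namespace
metadata:
  name: payments          # constructed example namespace
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/warn: restricted
---
# Default-deny for every pod in the namespace, both directions.
# A policy that lists both policyTypes but no rules allows nothing.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: payments
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
---
# Explicit allow rules layered on top of the default-deny, using Cilium's
# identity-based selectors. Only the gateway may reach the API on TCP/8080,
# and the API may only talk out to kube-dns on UDP/53.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: payments-api-allow
  namespace: payments
spec:
  endpointSelector:
    matchLabels:
      app: payments-api   # constructed example label
  ingress:
    - fromEndpoints:
        - matchLabels:
            app: gateway   # constructed example label
      toPorts:
        - ports:
            - port: "8080"
              protocol: TCP
  egress:
    - toEndpoints:
        - matchLabels:
            io.kubernetes.pod.namespace: kube-system
            k8s-app: kube-dns
      toPorts:
        - ports:
            - port: "53"
              protocol: UDP
---
# Kyverno admission policy: reject any pod whose containers, init containers
# or ephemeral containers ask for privileged mode. "Enforce" blocks the
# request; "Audit" would only record a policy report.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-privileged-containers
spec:
  validationFailureAction: Enforce
  background: true
  rules:
    - name: privileged-containers
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: "Privileged mode is disallowed."
        pattern:
          spec:
            =(ephemeralContainers):
              - =(securityContext):
                  =(privileged): "false"
            =(initContainers):
              - =(securityContext):
                  =(privileged): "false"
            containers:
              - =(securityContext):
                  =(privileged): "false"
```

Two points worth checking when applying something like this: the default-deny NetworkPolicy also blocks DNS, so the egress rule to kube-dns is not optional, and the Kyverno `=(...)` anchors make the `securityContext` fields optional, so a pod that omits them still passes while one that sets `privileged: true` is rejected. Run the Kyverno policy in `Audit` first on an existing cluster to see what would have been blocked.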

Trivy in the CI pipeline is the supply chain control: images are scanned for CVEs before they're deployed, and the pipeline blocks on critical findings. This shifts the security check left rather than discovering vulnerabilities in production. The full baseline is parameterised as Bicep so it can be applied consistently to new clusters and drift-checked against existing ones.
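As an added example of the CI gate that paragraph describes (not the project's own pipeline), the GitHub Actions workflow below builds an image, scans it with Trivy, and only pushes it if no critical CVEs are found. The choice of GitHub Actions, the image name, and the registry are assumptions; the page only says "the CI pipeline". The action version is left as a labelled placeholder and should be pinned to a specific tag or commit, since the scanner is itself part of the supply chain.

```yaml
name: image-scan
on:
  push:
    branches: [main]

jobs:
  build-scan-push:
    runs-on: ubuntu-latest
    env:
      # Constructed image reference; replace with the real registry/repo.
      IMAGE: ghcr.io/example-org/payments-api:${{ github.sha }}
    steps:
      - uses: actions/checkout@v4

      - name: Build image
        run: docker build -t "$IMAGE" .

      # Informational pass: report HIGH findings but do not fail the job.
      - name: Report high-severity CVEs
        uses: aquasecurity/trivy-action@PIN-TO-TAG-OR-SHA   # placeholder, pin before use
        with:
          image-ref: ${{ env.IMAGE }}
          format: table
          severity: HIGH
          exit-code: '0'

      # Blocking pass: a non-zero exit code fails the job, so the push step
      # below never runs when a CRITICAL CVE is present.
      - name: Gate on critical CVEs
        uses: aquasecurity/trivy-action@PIN-TO-TAG-OR-SHA   # placeholder, pin before use
        with:
          image-ref: ${{ env.IMAGE }}
          format: table
          severity: CRITICAL
          ignore-unfixed: true
          exit-code: '1'

      - name: Push image
        run: docker push "$IMAGE"
```

`ignore-unfixed: true` suppresses findings that have no vendor fix yet, which keeps the gate from blocking on issues the team cannot act on; the trade-off is that those findings disappear from the blocking report, so the informational pass (which does not set it) is where they remain visible. The same gate can be run locally with `trivy image --exit-code 1 --severity CRITICAL --ignore-unfixed <image>`.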

Highlights

  • CIS Benchmark controls mapped to Bicep parameters and Kyverno policies
  • Network policies enforced via Cilium — default-deny with explicit allow rules
  • Falco runtime threat detection with alerting to Splunk
  • Container image scanning in CI with Trivy — blocks on critical CVEs
  • Pod Security Standards enforced at namespace level via admission controller