# Reduce Your Risk with the Kubernetes CIS Benchmark and Prisma Cloud

By [Derek Rogerson](https://www.paloaltonetworks.com/blog/author/derek-rogerson/?ts=markdown), Sep 30, 2024

* *How does Prisma Cloud implement the Kubernetes CIS Benchmark to secure Kubernetes environments?*
* *What are the benefits of using Prisma Cloud for vulnerability management and compliance in Kubernetes deployments?*
* *How does Prisma Cloud prioritize security alerts and guide remediation efforts to ensure Kubernetes compliance?*

## Kubernetes CIS Benchmark and Prisma Cloud Validating Checks

The first question most cloud-native customers ask is, "What can I do to reduce risk in my cloud estate?" CIS Benchmarks provide consensus-oriented best practices for securely configuring systems. Prisma Cloud provides checks that validate the recommendations in the [Kubernetes CIS Benchmark](https://www.cisecurity.org/benchmark/kubernetes). Let's dive in.

## Detect and Fix Vulnerabilities in Your Kubernetes Environment

By default, Prisma Cloud by Palo Alto Networks scans images every 24 hours. Each Kubernetes CIS Benchmark issue that Prisma Cloud finds is graded with a score: critical, high, medium and low. The Prisma Cloud score lets you create Kubernetes compliance rules that take action depending on the severity of the possible outcomes. To be reasonably certain that your Kubernetes environment is secure, you should address all the critical and high-severity checks Prisma Cloud surfaces for review.

To help protect your Kubernetes environment, Prisma Cloud will alert on all critical and high-severity checks by default. But don't worry about being overwhelmed with security alerts, as only a handful of checks are graded as critical or high severity. What's more, Prisma Cloud further [prioritizes](https://www.paloaltonetworks.com/blog/prisma-cloud/application-dna-prioritize-risks/?ts=markdown) those potential threats for you.
If your Kubernetes environment is [exposed to the internet](https://www.paloaltonetworks.com/prisma/cloud/cloud-discovery-exposure-management?ts=markdown), for example, Prisma Cloud will alert you and prioritize security fixes to keep the environment secure and compliant with the Kubernetes CIS Benchmark.

## Continuous Image Scanning to Ensure Secure Kubernetes Deployments

Prisma Cloud scans images early in the build and deployment phases of the application lifecycle and uses built-in Kubernetes CIS Benchmark validations through compliance checks. A finding that generates a compliance alert, such as *"Image should be created with a non-root user"*, can be remediated in the image build process. Prisma Cloud can even be configured to stop the build process, requiring the developer to remediate noncompliant images before continuing.

So, to follow our root-user example, whenever a developer attempts to build an image that doesn't define a non-root user account, the build process will be stopped to protect your Kubernetes environment according to Kubernetes CIS Benchmark ([and NSA/CISA](https://www.paloaltonetworks.com/resources/whitepapers/implementing-nsa-cisa?ts=markdown)) standards.

![Prisma Cloud can be configured to automatically fail a build with container images using root privileges.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/09/word-image-328631-1-1.png)

Figure 1: Prisma Cloud can be configured to automatically fail a build with container images using root privileges.

## Secure and Compliant Container Images Across the Entire Lifecycle

A challenge when scanning container registries is the wide variety of registries available. Some Kubernetes platforms, like Red Hat OpenShift (RHOS) and managed Kubernetes services in the cloud, include their own built-in registries. Other platforms have the flexibility to select from a variety of third-party registries.
This diversity of registry choices and configurations highlights the need for a container image scanning tool like Prisma Cloud that seamlessly integrates with any registry type. Prisma Cloud offers security agility, providing you with a single, unified image scanning solution regardless of your Kubernetes cluster setup.

![Container image scans across the entire lifecycle of build, deploy and run with Prisma Cloud.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/09/word-image-328631-2-1.png)

Figure 2: Container image scans across the entire lifecycle of build, deploy and run with Prisma Cloud.

With Prisma Cloud repository and image scanning you get detection and prevention of vulnerabilities throughout the entire application lifecycle, while also prioritizing identified risks. Embed [vulnerability management](https://www.paloaltonetworks.com/prisma/cloud/vulnerability-management?ts=markdown) within any continuous integration (CI) process to ensure continuous monitoring, detection and mitigation of risks to hosts, images and functions.

The Prisma Cloud security platform integrates our vulnerability detection with globally sourced threat intelligence and real-time environment data from your deployments, helping to focus on the most critical risks in your Kubernetes environment and keep you compliant with the Kubernetes CIS Benchmark.
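
As an added illustration of the non-root-user build gate described earlier (not Prisma Cloud's implementation and not code from the original post), a CI step can approximate that check statically by reading the Dockerfile. The function names and both sample Dockerfiles are constructed for this example, and it assumes the final stage's last `USER` instruction decides the runtime user.

```python
import re
import sys

def logical_lines(text):
    """Yield instructions with comment lines dropped and '\\' continuations joined."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield buf + line
        buf = ""
    if buf.strip():
        yield buf.strip()

def final_stage_user(dockerfile_text):
    """Return the last USER value of the final build stage, or None if unset."""
    user = None
    for instr in logical_lines(dockerfile_text):
        parts = instr.split(None, 1)
        keyword = parts[0].upper()
        if keyword == "FROM":
            user = None  # a new stage does not inherit USER from earlier stages
        elif keyword == "USER":
            user = parts[1].strip() if len(parts) > 1 else ""
    return user

def check_non_root(dockerfile_text):
    """Return (passed, reason) for the 'created with a non-root user' check."""
    user = final_stage_user(dockerfile_text)
    if user is None:
        return False, "final stage has no USER; image runs as the base image's user (root unless the base changes it)"
    name = user.split(":", 1)[0].strip()  # USER accepts user[:group]
    if "$" in name:
        return False, f"USER {user} depends on a build variable; cannot verify statically"
    if name.lower() in ("", "root") or re.fullmatch(r"0+", name):
        return False, f"final stage sets USER {user or '(empty)'}, which is root"
    return True, f"final stage runs as non-root user {user}"

# Constructed sample: the build stage drops privileges, the shipped stage does not.
SAMPLE_ROOT = r"""
FROM golang:1.22 AS build
USER nobody
RUN go build -o /tmp/app ./...
FROM alpine:3.20
COPY --from=build /tmp/app /app
ENTRYPOINT ["/app"]
"""

# Constructed sample: the final stage creates and switches to an unprivileged UID.
SAMPLE_NONROOT = r"""
FROM alpine:3.20
RUN addgroup -S app && \
    adduser -S -G app -u 10001 app
# drop privileges for runtime
USER 10001:10001
ENTRYPOINT ["/app"]
"""

if __name__ == "__main__":
    # CI usage: exit non-zero so the pipeline stops on a noncompliant Dockerfile.
    path = sys.argv[1] if len(sys.argv) > 1 else "Dockerfile"
    with open(path, encoding="utf-8") as fh:
        ok, reason = check_non_root(fh.read())
    print(("PASS: " if ok else "FAIL: ") + reason)
    sys.exit(0 if ok else 1)
```

A Dockerfile check is stricter than inspecting the built image, because a base image may already set a non-root user; scanning the image configuration after the build covers that case.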
![Container image registry scan results in Prisma Cloud](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/09/word-image-328631-3-1.png)

Figure 3: Container image registry scan results in Prisma Cloud

## Multicloud Kubernetes Compliance and Container Security

Prisma Cloud offers comprehensive visibility and full lifecycle security across cloud service providers (CSPs) and platforms, including securing many different Kubernetes environments:

* Amazon Elastic Kubernetes Service (Amazon EKS)
* Google Kubernetes Engine (GKE)
* Azure Kubernetes Service (AKS)
* Oracle Cloud Infrastructure Container Engine for Kubernetes (OKE)
* Alibaba Cloud Container Service for Kubernetes (ACK)
* Red Hat OpenShift (RHOS) container platform

![Multicloud Kubernetes compliance policies in Prisma Cloud](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/09/word-image-328631-4-1.png)

Figure 4: Multicloud Kubernetes compliance policies in Prisma Cloud

## Meet Your Kubernetes CIS Benchmark Goals with Prisma Cloud

Prisma Cloud by Palo Alto Networks is a Code to Cloud™ platform that simplifies the adoption and validation of cloud security best practices outlined by Kubernetes CIS Benchmarks. With [Prisma Cloud](https://www.paloaltonetworks.com/prisma/cloud/kubernetes?ts=markdown), you'll benefit from hundreds of built-in, customizable security policies covering configurations, communications and more to ensure you're always compliant, regardless of which version of Kubernetes you run.

## Learn More

Get the ultimate guide to containers and Kubernetes, an essential resource for understanding, implementing and mastering security in a containerized environment: [The Definitive Guide to Container Security](https://www.paloaltonetworks.com/resources/ebooks/container-security-definitive-guide?ts=markdown).
And if you'd like to see how Prisma Cloud can address your Kubernetes CIS Benchmark goals, consider [booking a personalized demo](https://www.paloaltonetworks.com/prisma/cloud/request-a-prisma-cloud-demo?ts=markdown).