Each layer is enforced — no “consider enabling this” items. Apply, verify, move on.
CIS Kubernetes Benchmark v1.8 — opinionated, defaulted.
Default-deny + per-namespace allowlists.
Containers that obey the platform’s rules.
Posture drift is detected, not assumed.
You get the Terraform module, the YAML bundles, the runbook, and a verification script that tells you what landed.
For EKS, GKE, or AKS. Cluster + node-group baseline with every CIS control that is configurable from the customer side enabled by default. On a managed cluster the control-plane components (API server, etcd, scheduler, controller manager) are run by the provider and cannot be tuned from your account, so the baseline covers the node, kubelet, RBAC, and workload controls you actually own.
Network policies, Kyverno policies, Falco rules, distroless base templates — ready to apply.
kube-bench, kube-hunter, and Trivy scans run on a schedule and write their results to a bucket you choose.
Run after apply: reports per control whether it landed, with reproduction steps for any failures.
12-page PDF for applying the kit to an existing cluster without breaking workloads.
If something isn’t answered here, ask in your intro email — we keep this list short on purpose.
Likely some. The workload hygiene policies (non-root, resource requests and limits, read-only root filesystem) will flag every pod that violates them on day one. Apply them in audit mode first so violations are reported without blocking admission, then switch each namespace to enforce once its report is clean; the runbook walks that per-namespace rollout so you can stage the breakage rather than take it all at once.
Yes. The policies use the standard Kubernetes NetworkPolicy API, so any CNI that implements it enforces them; on managed clusters that usually means turning on the provider's network policy option, because the API server accepts NetworkPolicy objects even when the installed CNI enforces nothing. L7 rules that require Cilium (CiliumNetworkPolicy) are flagged as optional in the bundle.
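The audit-then-enforce rollout above, written out as a single Kyverno ClusterPolicy. This is an added example, not a policy from the kit; the excluded namespace and the split into three rules are assumptions, and initContainers would need the same patterns.

```yaml
# Added example (not from the kit): one Kyverno ClusterPolicy covering the
# three hygiene checks, started in Audit mode so violations are reported
# (kyverno events / PolicyReport) without blocking admission. Flip
# validationFailureAction to Enforce once a namespace's report is clean.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: workload-hygiene
spec:
  validationFailureAction: Audit     # stage 1: report only; stage 2: Enforce
  background: true                   # also scan existing pods, not just new admissions
  rules:
    - name: run-as-non-root
      match:
        any:
          - resources:
              kinds: [Pod]
      exclude:
        any:
          - resources:
              namespaces: [kube-system]   # assumed: platform namespace handled separately
      validate:
        message: "Set runAsNonRoot: true at pod level or on every container."
        anyPattern:
          - spec:
              securityContext:
                runAsNonRoot: true
          - spec:
              containers:
                - securityContext:
                    runAsNonRoot: true
    - name: read-only-root-fs
      match:
        any:
          - resources:
              kinds: [Pod]
      validate:
        message: "Set readOnlyRootFilesystem: true; mount an emptyDir for scratch space."
        pattern:
          spec:
            containers:
              - securityContext:
                  readOnlyRootFilesystem: true
    - name: resource-requests-and-limits
      match:
        any:
          - resources:
              kinds: [Pod]
      validate:
        message: "Every container must declare CPU and memory requests and limits."
        pattern:
          spec:
            containers:
              - resources:
                  requests:
                    cpu: "?*"      # any non-empty value
                    memory: "?*"
                  limits:
                    cpu: "?*"
                    memory: "?*"
```

A list element in a Kyverno pattern applies to every container in the pod, and Pod rules are auto-generated for Deployments, StatefulSets and the other controllers, so the policy covers workloads declared at any level. Read the violations with `kubectl get policyreport -A` before changing a namespace to enforce.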
The kit doesn’t install a service mesh. If you have one, the network policies are designed to compose with it. We include notes on mesh-specific gotchas.
Yes. Audit log retention, RBAC review cadence, vulnerability scanning, and continuous posture monitoring map directly to the SOC 2 Trust Services Criteria for logical access (CC6) and system operations (CC7). Evidence templates are included.
We do bespoke kits, too. Send a paragraph about the problem and we’ll come back inside 48 hours.