| 1.2.12 Ensure that the admission control plugin ServiceAccount is set | ACCESS CONTROL, MEDIA PROTECTION |
| 1.2.13 Ensure that the admission control plugin NamespaceLifecycle is set | CONFIGURATION MANAGEMENT |
| 1.2.14 Ensure that the admission control plugin NodeRestriction is set | SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.7 Ensure that a unique Certificate Authority is used for etcd | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION |
| 3.2.2 Ensure that the audit policy covers key security concerns | AUDIT AND ACCOUNTABILITY |
| 5.2.7 Minimize the admission of root containers | ACCESS CONTROL |
| 5.2.10 Minimize the admission of containers with capabilities assigned | CONFIGURATION MANAGEMENT |
| 5.3.2 Ensure that all Namespaces have Network Policies defined | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.4.1 Prefer using secrets as files over secrets as environment variables | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.4.2 Consider external secret storage | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.5.1 Configure Image Provenance using ImagePolicyWebhook admission controller | CONFIGURATION MANAGEMENT |
| 5.7.2 Ensure that the seccomp profile is set to docker/default in your pod definitions | CONFIGURATION MANAGEMENT |
| 5.7.3 Apply Security Context to Your Pods and Containers | CONFIGURATION MANAGEMENT |
| 5.7.4 The default namespace should not be used | CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION |
| CIS_Kubernetes_v1.9.0_Level_2_Master.audit from CIS Kubernetes Benchmark v1.9.0 | CONFIGURATION MANAGEMENT |
