| 4.1.2 Ensure that the kubelet service file ownership is set to root:root | ACCESS CONTROL |
| 4.1.3 If proxy kubeconfig file exists ensure permissions are set to 600 or more restrictive | ACCESS CONTROL, MEDIA PROTECTION |
| 4.1.4 If proxy kubeconfig file exists ensure ownership is set to root:root | ACCESS CONTROL |
| 4.1.5 Ensure that the --kubeconfig kubelet.conf file permissions are set to 600 or more restrictive | ACCESS CONTROL, MEDIA PROTECTION |
| 4.1.6 Ensure that the --kubeconfig kubelet.conf file ownership is set to root:root | ACCESS CONTROL |
| 4.1.7 Ensure that the certificate authorities file permissions are set to 600 or more restrictive | ACCESS CONTROL, MEDIA PROTECTION |
| 4.1.8 Ensure that the client certificate authorities file ownership is set to root:root | ACCESS CONTROL |
| 4.1.9 If the kubelet config.yaml configuration file is being used validate permissions set to 600 or more restrictive | ACCESS CONTROL, MEDIA PROTECTION |
| 4.1.10 If the kubelet config.yaml configuration file is being used validate file ownership is set to root:root | ACCESS CONTROL |
| 4.2.1 Ensure that the --anonymous-auth argument is set to false | ACCESS CONTROL, MEDIA PROTECTION |
| 4.2.2 Ensure that the --authorization-mode argument is not set to AlwaysAllow | ACCESS CONTROL, MEDIA PROTECTION |
| 4.2.3 Ensure that the --client-ca-file argument is set as appropriate | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.2.4 Verify that the --read-only-port argument is set to 0 | CONFIGURATION MANAGEMENT |
| 4.2.5 Ensure that the --streaming-connection-idle-timeout argument is not set to 0 | SYSTEM AND INFORMATION INTEGRITY |
| 4.2.6 Ensure that the --make-iptables-util-chains argument is set to true | CONFIGURATION MANAGEMENT |
| 4.2.7 Ensure that the --hostname-override argument is not set | CONFIGURATION MANAGEMENT |
| 4.2.9 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.2.10 Ensure that the --rotate-certificates argument is not set to false | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.2.11 Verify that the RotateKubeletServerCertificate argument is set to true | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.2.12 Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers | CONFIGURATION MANAGEMENT |
| 4.2.13 Ensure that a limit is set on pod PIDs | CONFIGURATION MANAGEMENT |
| 4.3.1 Ensure that the kube-proxy metrics service is bound to localhost | ACCESS CONTROL, SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.1.3 Minimize wildcard use in Roles and ClusterRoles | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| CIS_Kubernetes_v1.9.0_Level_1_Worker.audit from CIS Kubernetes Benchmark v1.9.0 | CONFIGURATION MANAGEMENT |
