Self-Managed Kubernetes Security

Secure Your Self-Managed Clusters

Complete CIS Benchmark validation for vanilla Kubernetes with 83+ checks. Control plane, worker nodes, and policy security for kubeadm and bare-metal clusters.

Cluster Overview

  • Clusters: 5
  • Master Nodes: 15
  • Worker Nodes: 48
  • CIS Checks: 124
  • Critical: 4 (Control plane issues)
  • High: 8 (Worker node issues)

Built for Self-Managed Kubernetes

Full visibility into every component you manage

  • API Server Security
    All flags validated
  • etcd Encryption
    At-rest & transit
  • Kubelet Hardening
    Node-level security
  • CIS v1.8.0
    Full benchmark

Complete Self-Managed Kubernetes Security

From API server to kubelet, validate every component you control

Control Plane Security

  • Control Plane Score: 82 (Full CIS validation)
  • API Server: 3 issues
  • etcd: Encrypted
  • Controller Manager
  • Scheduler

Control Plane

Full Control Plane Security Validation

Complete CIS Benchmark validation for self-managed control plane components. Audit API server, etcd, controller-manager, and scheduler configurations.

  • API Server Security
    Validate all kube-apiserver flags and configurations
  • etcd Security
    Check etcd encryption, authentication, and backup
  • Controller & Scheduler
    Audit controller-manager and scheduler security

Worker Nodes

  • Secure Nodes: 12 (Passed all checks)
  • Issues Found: 3 (Kubelet misconfigurations)
  • Critical: 1 (Anonymous auth enabled)
  • Container Runtime: containerd

Worker Nodes

Worker Node & Kubelet Security

Validate kubelet configurations, kernel parameters, and container runtime security on all worker nodes.

  • Kubelet Security
    Check kubelet flags, authentication, and authorization
  • Node Hardening
    Validate kernel parameters and OS-level security
  • Container Runtime
    Audit containerd/Docker security configurations

CIS Benchmark v1.8.0

  • Total Checks: 124
  • Passing: 108
  • ✓ Control Plane: 45/48 checks passing
  • ✓ Worker Nodes: 28/32 checks passing
  • ✓ Policies: 35/44 checks passing

CIS Benchmark

Complete CIS Kubernetes Benchmark

Full coverage of CIS Kubernetes Benchmark v1.8.0. Every check for self-managed clusters including manual verification guidance.

  • All 124 Checks
    Complete CIS v1.8.0 coverage for self-managed clusters
  • Automated + Manual
    Automated checks with guidance for manual validations
  • Remediation Scripts
    Ready-to-use scripts to fix common misconfigurations

CIS Kubernetes Benchmark v1.8.0

Complete coverage of all 124 CIS checks for self-managed clusters

  • Control Plane: 48
    API Server, etcd, Controller Manager, Scheduler configurations
  • Worker Nodes: 32
    Kubelet configuration, kernel parameters, file permissions
  • Policies: 28
    RBAC, Pod Security, Network Policies, Secrets management
  • Authentication: 8
    Service accounts, certificates, OIDC, webhook auth
  • Logging & Audit: 6
    Audit logging, log retention, monitoring configuration
  • Hardening: 2
    Encryption providers, admission controllers, security contexts

Frequently Asked Questions

Everything you need to know about self-managed Kubernetes security

TigerGate connects using kubeconfig with a ServiceAccount that has read-only cluster access. For control plane checks, you can also run our scanner directly on master nodes to validate local configurations and files.
Yes! TigerGate fully supports kubeadm-bootstrapped clusters. We validate kubeadm-specific configurations and file locations, including kubeadm config files, certificates, and kubelet configs.
TigerGate runs all CIS Kubernetes Benchmark control plane checks including: API server flags (anonymous-auth, audit-log, encryption-provider), etcd (encryption, auth, peer-certs), controller-manager (service-account-private-key, root-ca-file), and scheduler (profiling, bind-address).
Yes! TigerGate validates CIS-required kernel parameters on worker nodes including sysctl settings for network security, kernel hardening, and container isolation. We provide remediation scripts for non-compliant nodes.
Yes! TigerGate can run as an in-cluster agent for air-gapped environments. You can also export scan results to files for offline analysis. We provide container images for private registries.

Ready to Secure Your Self-Managed Clusters?

Start with a free CIS Benchmark scan. Full control plane and worker node validation.