Is buildpacks CIS Kubernetes Benchmarks complaint

[DuncanCasteleyn]

I read somewhere that buildpacks are CIS Kubernetes Benchmarks complaint, but I'd like to confirm if this is true because i can't find this information on GitHub or https://buildpacks.io/, I might have missed something.

The website makes a statement to compliance, but not exactly what kind of compliance guidelines it is following.

Could anyone confirm if the benchmark is CIS Kubernetes or something else?

[natalieparellano]

I would love if someone more knowledgeable than me could chime in here - it might be worth digging into https://github.com/buildpacks-community/kpack as a Kubernetes-native buildpacks platform that uses unprivileged Kubernetes primitives to run buildpacks. I would think that the "unprivileged" aspect of kpack would help with compliance, but I would need to do a deeper dive into the CIS Kubernetes Benchmarks to be able to comment further.

In case it helps others, the benchmarks could be downloaded here after filling out a form: https://www.cisecurity.org/benchmark/software-supply-chain-security ...I had a quick glance through the document, but it is 300+ pages long so would require a bit of research. If someone already has context here, that could help for getting to the bottom of this question.

cc @tomkennedy513 @chenbh as kpack contributors, who might know more

[tomkennedy513]

kpack never set out to adhere to the CIS Kubernetes Benchmark specifically, so it's definitely possible that there are some things we aren't doing. I would have to look through that benchmark to validate that we are adhering to that benchmark at least in the places we can control. like Pod security levels and rbac. Most of the "unprivileged" work we have done is to follow the restricted Pod security standard