| CIS.1.2.1 | Ensure that the --anonymous-auth argument is set to false | Link |
| CIS.1.2.10 | Ensure that the admission control plugin EventRateLimit is set | Link |
| CIS.1.2.11 | Ensure that the admission control plugin AlwaysAdmit is not set | Link |
| CIS.1.2.12 | Ensure that the admission control plugin AlwaysPullImages is set | Link |
| CIS.1.2.13 | Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used | Link |
| CIS.1.2.14 | Ensure that the admission control plugin ServiceAccount is set | Link |
| CIS.1.2.15 | Ensure that the admission control plugin NamespaceLifecycle is set | Link |
| CIS.1.2.16 | Ensure that the admission control plugin PodSecurityPolicy is set | Link |
| CIS.1.2.17 | Ensure that the admission control plugin NodeRestriction is set | Link |
| CIS.1.4.1 | Ensure that the --profiling argument is set to false | Link |
| CIS.2.1 | Ensure that the --cert-file and --key-file arguments are set as appropriate | Link |
| CIS.2.2 | Ensure that the --client-cert-auth argument is set to true | Link |
| CIS.2.3 | Ensure that the --auto-tls argument is not set to true | Link |
| CIS.2.4 | Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate | Link |
| CIS.2.5 | Ensure that the --peer-client-cert-auth argument is set to true | Link |
| CIS.2.6 | Ensure that the --peer-auto-tls argument is not set to true | Link |
| CIS.2.7 | Ensure that a unique Certificate Authority is used for etcd | Link |
| CIS.5.1.1 | Ensure that the cluster-admin role is only used where required | Link |
| CIS.5.1.3 | Minimize wildcard use in Roles and ClusterRoles | Link |
| CIS.5.5.1 | Configure Image Provenance using ImagePolicyWebhook admission controller | Link |