A Comparison of Kubernetes Compliance Standards and Configuration Scanners


Contributors:
arXiv | 2026

Kubernetes has become the industry standard for orchestrating containers in microservice-based software architectures. While several hardening guidelines and scanning tools for securing Kubernetes clusters and deployments have emerged in recent years, their differing guidance and outputs often lead to inconsistent configuration and prioritization decisions. This work presents a systematic comparison of eight commonly used Kubernetes hardening guidelines. Through this comparison and the inclusion of best practices, we established a benchmark of 79 Kubernetes configuration recommendations and conducted the a structured empirical evaluation of ten popular static configuration scanning tools and their scoring outputs. Our findings reveal substantial disparities in the coverage of configuration issues across hardening guidelines and scanners, as well as inconsistencies in how configuration issues are scored and ranked by different scanners. These results highlight the need for more standardized, transparent, and consistent approaches to risk and severity assessment of Kubernetes configuration issues.

Meet the authors

  • Michael Krieger
    Michael Krieger
    Principal Researcher
  • Farooq Shaikh
    Farooq Shaikh
    Senior Researcher
  • Mario Kahlhofer
    Mario Kahlhofer
    Senior Researcher
See all publications

Get involved

We enable the best engineers and researchers to work on challenging problems and develop cutting-edge solutions ready to be applied to real-world use cases. If you are curious about the many exciting opportunities waiting for you.
Full wave bg