From 1a1d96ffed8e6b5323664db58496646359e80edf Mon Sep 17 00:00:00 2001
From: Maciej Wal <1977132+Xata@users.noreply.github.com>
Date: Sun, 22 Mar 2026 13:20:59 -0600
Subject: [PATCH] docs: add ENISA NIS2 reference to best practice intro

Signed-off-by: Maciej Wal <1977132+Xata@users.noreply.github.com>
---
 .spelling | 6 +++++
 content/docs/installation/best-practice.md | 28 +++++++++++++++-------
 2 files changed, 25 insertions(+), 9 deletions(-)

diff --git a/.spelling b/.spelling
index 0582addf88..0332db8105 100644
--- a/.spelling
+++ b/.spelling
@@ -129,6 +129,7 @@ ArgoCD
 Arsh
 ArtifactHUB
 ArtifactHub
+APP.4.4
 AzureDNS
 BasicConstraints
 Bullseye
@@ -188,6 +189,7 @@ CryptoKey
 csi-driver
 csi-driver-spiffe
 Ctrl
+cybersecurity
 DCO
 DHCP
 DNS01
@@ -212,6 +214,7 @@ EKS
 ELB
 Ed25519
 Encrypter
+ENISA
 Fargate
 FastDNS
 FreeIPA
@@ -225,6 +228,7 @@ GKE
 GitOps
 github-actions
 gRPC
+Grundschutz
 GSoC
 Gloo
 GoDaddy
@@ -278,6 +282,7 @@ Makefile
 Makefiles
 NameCheap
 NGINX
+NIS2
 NLB
 NLBs
 NotIn
@@ -594,6 +599,7 @@ v1.18.0.
 v1.19
 v1.19.0
 v1.19.1
+v1.2
 v1.20.0
 v1.19.2
 v1.20.0
diff --git a/content/docs/installation/best-practice.md b/content/docs/installation/best-practice.md
index d8782f8051..8b0c8b4c34 100644
--- a/content/docs/installation/best-practice.md
+++ b/content/docs/installation/best-practice.md
@@ -3,17 +3,27 @@ title: Best Practice description: | Learn about best practices for deploying cert-manager in production, and how to configure cert-manager to comply with popular security standards - such as those produced by the CIS, NSA, and BSI. + such as those produced by the CIS, NSA, BSI, and ENISA. --- -In this section you will learn how to configure cert-manager to comply with popular security standards such as -the [CIS Kubernetes Benchmark](https://www.cisecurity.org/benchmark/kubernetes/), -the [NSA Kubernetes Hardening Guide](https://media.defense.gov/2022/Aug/29/2003066362/-1/-1/0/CTR_KUBERNETES_HARDENING_GUIDANCE_1.2_20220829.PDF), or -the [BSI Kubernetes Security Recommendations](https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Grundschutz/International/bsi_it_gs_comp_2022.pdf?__blob=publicationFile&v=2#page=475). - -And you will learn about best practices for deploying cert-manager in production; -such as those enforced by tools like [Datree and its built in rules](https://hub.datree.io/built-in-rules), -and those documented by the likes of [LearnKube in their "Kubernetes production best practices" checklist](https://learnkube.com/production-best-practices/). +In this section you will learn how to configure cert-manager to comply with popular security standards +and hardening guidelines for Kubernetes. The recommendations in this guide are informed by the +following standards: + +- [CIS Kubernetes Benchmark](https://www.cisecurity.org/benchmark/kubernetes/), published by the + Center for Internet Security, covering secure configuration of Kubernetes components including TLS, + RBAC, and network policies. +- [NSA/CISA Kubernetes Hardening Guide](https://media.defense.gov/2022/Aug/29/2003066362/-1/-1/0/CTR_KUBERNETES_HARDENING_GUIDANCE_1.2_20220829.PDF) + (v1.2, August 2022), joint guidance from the United States National Security Agency and CISA on hardening + Kubernetes clusters against supply chain, threat actor, and insider risks. 
+- [BSI IT-Grundschutz Compendium](https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Grundschutz/International/bsi_it_gs_comp_2022.pdf?__blob=publicationFile&v=2), + Germany's Federal Office for Information Security (BSI) baseline protection framework, including + module APP.4.4 for Kubernetes. +- [ENISA NIS2 Technical Implementation Guidance](https://www.enisa.europa.eu/publications/nis2-technical-implementation-guidance), + published by the EU Agency for Cybersecurity, providing practical guidance and standard mappings for + implementing the cybersecurity risk-management measures required by + [Commission Implementing Regulation (EU) 2024/2690](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32024R2690) + under the [NIS2 Directive (EU 2022/2555)](https://eur-lex.europa.eu/eli/dir/2022/2555). ## Overview