diff --git a/Dockerfile b/Dockerfile
index 7c31f12e0b5f31dcd7f4b7ac7664ba0737d8a5a2..f95db971d1e49634f00582fb0b3060e49de51ac0 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -17,6 +17,8 @@ RUN apk --no-cache add procps
 # https://github.com/aquasecurity/kube-bench/issues/535
 RUN apk --no-cache add openssl
 
+ENV PATH=$PATH:/usr/local/mount-from-host/bin
+
 COPY --from=build /go/bin/kube-bench /usr/local/bin/kube-bench
 COPY entrypoint.sh .
 COPY cfg/ cfg/
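Review bot: The added `ENV PATH=$PATH:/usr/local/mount-from-host/bin` line has no comment saying why the host directory goes last, and that ordering is the security-relevant part. Because it is appended, binaries shipped in the image keep precedence and a host-supplied file is only used for names the image lacks (kubectl, kubelet). I would add `# Host-mounted binaries (kubectl/kubelet) are searched last so they cannot shadow tools shipped in this image.` above the line so a later edit does not move the directory to the front. The PATH value added in hack/debug.yaml hard-codes the same ordering and deserves the same comment.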
diff --git a/README.md b/README.md
index d6a6c153ab99fe33e37b0e28d5e87ff8cbe5135e..f5e4a2a2c8e2b989a0026e2c69505f8e5dd8a963 100644
--- a/README.md
+++ b/README.md
@@ -131,16 +131,16 @@ You can avoid installing kube-bench on the host by running it inside a container
 docker run --pid=host -v /etc:/etc:ro -v /var:/var:ro -t aquasec/kube-bench:latest [master|node] --version 1.13
 ```
 
-> Note: the tests require either the kubelet or kubectl binary in the path in order to auto-detect the Kubernetes version. You can pass `-v $(which kubectl):/usr/bin/kubectl` to resolve this. You will also need to pass in kubeconfig credentials. For example:
+> Note: the tests require either the kubelet or kubectl binary in the path in order to auto-detect the Kubernetes version. You can pass `-v $(which kubectl):/usr/local/mount-from-host/bin/kubectl` to resolve this. You will also need to pass in kubeconfig credentials. For example:
 
 ```
-docker run --pid=host -v /etc:/etc:ro -v /var:/var:ro -v $(which kubectl):/usr/bin/kubectl -v ~/.kube:/.kube -e KUBECONFIG=/.kube/config -t aquasec/kube-bench:latest [master|node] 
+docker run --pid=host -v /etc:/etc:ro -v /var:/var:ro -v $(which kubectl):/usr/local/mount-from-host/bin/kubectl -v ~/.kube:/.kube -e KUBECONFIG=/.kube/config -t aquasec/kube-bench:latest [master|node] 
 ```
 
 You can use your own configs by mounting them over the default ones in `/opt/kube-bench/cfg/`
 
 ```
-docker run --pid=host -v /etc:/etc:ro -v /var:/var:ro -t -v path/to/my-config.yaml:/opt/kube-bench/cfg/config.yam -v $(which kubectl):/usr/bin/kubectl -v ~/.kube:/.kube -e KUBECONFIG=/.kube/config aquasec/kube-bench:latest [master|node]
+docker run --pid=host -v /etc:/etc:ro -v /var:/var:ro -t -v path/to/my-config.yaml:/opt/kube-bench/cfg/config.yam -v $(which kubectl):/usr/local/mount-from-host/bin/kubectl -v ~/.kube:/.kube -e KUBECONFIG=/.kube/config aquasec/kube-bench:latest [master|node]
 ```
 
 ### Running in a Kubernetes cluster
diff --git a/cmd/util.go b/cmd/util.go
index b079a5e76849cfbfb527c10a22e11463ac2ec328..da1444c05d0555eb4089e557f57f2d4e84a9954c 100644
--- a/cmd/util.go
+++ b/cmd/util.go
@@ -276,17 +276,17 @@ func multiWordReplace(s string, subname string, sub string) string {
 const missingKubectlKubeletMessage = `
 Unable to find the programs kubectl or kubelet in the PATH.
 These programs are used to determine which version of Kubernetes is running.
-Make sure the /usr/bin directory is mapped to the container, 
+Make sure the /usr/local/mount-from-host/bin directory is mapped to the container, 
 either in the job.yaml file, or Docker command.
 
 For job.yaml:
 ...
 - name: usr-bin
-  mountPath: /usr/bin
+  mountPath: /usr/local/mount-from-host/bin
 ...
 
 For docker command:
-   docker -v $(which kubectl):/usr/bin/kubectl ....
+   docker -v $(which kubectl):/usr/local/mount-from-host/bin/kubectl ....
 
 Alternatively, you can specify the version with --version
    kube-bench --version <VERSION> ...
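Review bot: The updated `missingKubectlKubeletMessage` tells the user to map `/usr/local/mount-from-host/bin`, but that directory is only searched because the Dockerfile and hack/debug.yaml add it to PATH. Someone running the binary in a different image can follow the message and still hit this error. I would add a line to the text such as `and that /usr/local/mount-from-host/bin is included in PATH`. The Docker example could also show the mount read-only, `-v $(which kubectl):/usr/local/mount-from-host/bin/kubectl:ro`, since the tool only needs to execute the binary. The constant's closing backtick is outside this hunk.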
diff --git a/hack/debug.yaml b/hack/debug.yaml
index 9d6a998d454a64b0214001ef55f0903a31bb0aae..a73a2f6894ab6ea4bef99d5ca1b05a4bb7e59a75 100644
--- a/hack/debug.yaml
+++ b/hack/debug.yaml
@@ -12,6 +12,9 @@ spec:
       image: ubuntu
       command: ["/bin/bash", "-c", "--"]
       args: ["while true; do sleep 30; done;"]
+      env:
+        - name: PATH
+          value: "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/mount-from-host/bin"
       volumeMounts:
         - name: var-lib-kubelet
           mountPath: /var/lib/kubelet
@@ -19,10 +22,10 @@ spec:
           mountPath: /etc/systemd
         - name: etc-kubernetes
           mountPath: /etc/kubernetes
-          # /usr/bin is mounted to access kubectl / kubelet, for auto-detecting the Kubernetes version.
+          # /usr/local/mount-from-host/bin is mounted to access kubectl / kubelet, for auto-detecting the Kubernetes version.
           # You can omit this mount if you specify --version as part of the command.
         - name: usr-bin
-          mountPath: /usr/bin
+          mountPath: /usr/local/mount-from-host/bin
         - name: kind-bin
           mountPath: /kind/bin
       resources:
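Review bot: The `usr-bin` volumeMount at the new `mountPath: /usr/local/mount-from-host/bin` is writable by default. If the backing volume is a hostPath to the node's /usr/bin, the pod can modify host binaries; the volume definition is outside this hunk, so that is inferred from the comment. Adding `readOnly: true` under the mount should keep version detection working while removing that write access. The volume name `usr-bin` no longer matches where it is mounted, so a rename (with the matching change under `volumes:`) or a short comment would avoid confusion. Both points also apply to the identical hunk in hack/kind.yaml.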
diff --git a/hack/kind.yaml b/hack/kind.yaml
index ca06a87bfb0ca8f9d6e1a41282cbd1556e15dc9f..0cf3888d4257322e9cc988c3ac0f07337d4f4d31 100644
--- a/hack/kind.yaml
+++ b/hack/kind.yaml
@@ -23,10 +23,10 @@ spec:
               mountPath: /etc/systemd
             - name: etc-kubernetes
               mountPath: /etc/kubernetes
-              # /usr/bin is mounted to access kubectl / kubelet, for auto-detecting the Kubernetes version.
+              # /usr/local/mount-from-host/bin is mounted to access kubectl / kubelet, for auto-detecting the Kubernetes version.
               # You can omit this mount if you specify --version as part of the command.
             - name: usr-bin
-              mountPath: /usr/bin
+              mountPath: /usr/local/mount-from-host/bin
             - name: kind-bin
               mountPath: /kind/bin
       restartPolicy: Never
diff --git a/integration/testdata/job-master.data b/integration/testdata/job-master.data
index 94b4742c769085c33cbba837591bf1e72c89e82a..e4c136d21b553ddc79bfd6e425228721b4116705 100644
--- a/integration/testdata/job-master.data
+++ b/integration/testdata/job-master.data
@@ -5,7 +5,7 @@
 [PASS] 1.1.3 Ensure that the --insecure-allow-any-token argument is not set (Not Scored)
 [PASS] 1.1.4 Ensure that the --kubelet-https argument is set to true (Scored)
 [PASS] 1.1.5 Ensure that the --insecure-bind-address argument is not set (Scored)
-[FAIL] 1.1.6 Ensure that the --insecure-port argument is set to 0 (Scored)
+[PASS] 1.1.6 Ensure that the --insecure-port argument is set to 0 (Scored)
 [PASS] 1.1.7 Ensure that the --secure-port argument is not set to 0 (Scored)
 [FAIL] 1.1.8 Ensure that the --profiling argument is set to false (Scored)
 [FAIL] 1.1.9 Ensure that the --repair-malformed-updates argument is set to false (Scored)
@@ -18,37 +18,37 @@
 [FAIL] 1.1.16 Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Scored)
 [FAIL] 1.1.17 Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Scored)
 [FAIL] 1.1.18 Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Scored)
-[FAIL] 1.1.19 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)
+[PASS] 1.1.19 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)
 [PASS] 1.1.20 Ensure that the --token-auth-file parameter is not set (Scored)
 [FAIL] 1.1.21 Ensure that the --kubelet-certificate-authority argument is set as appropriate (Scored)
-[FAIL] 1.1.22 Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (Scored)
+[PASS] 1.1.22 Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (Scored)
 [PASS] 1.1.23 Ensure that the --service-account-lookup argument is set to true (Scored)
 [FAIL] 1.1.24 Ensure that the admission control plugin PodSecurityPolicy is set (Scored)
-[FAIL] 1.1.25 Ensure that the --service-account-key-file argument is set as appropriate (Scored)
-[FAIL] 1.1.26 Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Scored)
-[PASS] 1.1.27 Ensure that the admission control plugin ServiceAccount is set(Scored)
-[FAIL] 1.1.28 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)
-[FAIL] 1.1.29 Ensure that the --client-ca-file argument is set as appropriate (Scored)
-[FAIL] 1.1.30 Ensure that the --etcd-cafile argument is set as appropriate (Scored)
+[PASS] 1.1.25 Ensure that the --service-account-key-file argument is set as appropriate (Scored)
+[PASS] 1.1.26 Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Scored)
+[FAIL] 1.1.27 Ensure that the admission control plugin ServiceAccount is set(Scored)
+[PASS] 1.1.28 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)
+[PASS] 1.1.29 Ensure that the --client-ca-file argument is set as appropriate (Scored)
+[PASS] 1.1.30 Ensure that the --etcd-cafile argument is set as appropriate (Scored)
 [WARN] 1.1.31 Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Not Scored)
-[FAIL] 1.1.32 Ensure that the --authorization-mode argument is set to Node (Scored)
-[FAIL] 1.1.33 Ensure that the admission control plugin NodeRestriction is set (Scored)
+[PASS] 1.1.32 Ensure that the --authorization-mode argument is set to Node (Scored)
+[PASS] 1.1.33 Ensure that the admission control plugin NodeRestriction is set (Scored)
 [FAIL] 1.1.34 Ensure that the --encryption-provider-config argument is set as appropriate (Scored)
 [WARN] 1.1.35 Ensure that the encryption provider is set to aescbc (Scored)
 [FAIL] 1.1.36 Ensure that the admission control plugin EventRateLimit is set (Scored)
 [PASS] 1.1.37a Ensure that the AdvancedAuditing argument is not set to false (Scored)
 [FAIL] 1.1.37b Ensure that the AdvancedAuditing argument is not set to false (Scored)
 [PASS] 1.1.38 Ensure that the --request-timeout argument is set as appropriate (Scored)
-[FAIL] 1.1.39 Ensure that the --authorization-mode argument includes RBAC (Scored)
+[PASS] 1.1.39 Ensure that the --authorization-mode argument includes RBAC (Scored)
 [INFO] 1.2 Scheduler
 [FAIL] 1.2.1 Ensure that the --profiling argument is set to false (Scored)
 [PASS] 1.2.2 Ensure that the --address argument is set to 127.0.0.1 (Scored)
 [INFO] 1.3 Controller Manager
 [FAIL] 1.3.1 Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Scored)
 [FAIL] 1.3.2 Ensure that the --profiling argument is set to false (Scored)
-[FAIL] 1.3.3 Ensure that the --use-service-account-credentials argument is set to true (Scored)
-[FAIL] 1.3.4 Ensure that the --service-account-private-key-file argument is set as appropriate (Scored)
-[FAIL] 1.3.5 Ensure that the --root-ca-file argument is set as appropriate (Scored)
+[PASS] 1.3.3 Ensure that the --use-service-account-credentials argument is set to true (Scored)
+[PASS] 1.3.4 Ensure that the --service-account-private-key-file argument is set as appropriate (Scored)
+[PASS] 1.3.5 Ensure that the --root-ca-file argument is set as appropriate (Scored)
 [FAIL] 1.3.6 Ensure that the RotateKubeletServerCertificate argument is set to true (Scored)
 [PASS] 1.3.7 Ensure that the --address argument is set to 127.0.0.1 (Scored)
 [INFO] 1.4 Configuration Files
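Review bot: Check 1.1.27 (admission control plugin ServiceAccount) flips from PASS to FAIL in this expected output, while every other changed result in the hunk moves from FAIL to PASS, and nothing in the visible change explains why. This file is the golden result for the integration run, so accepting it as-is pins the FAIL as correct. It is worth confirming whether the earlier PASS was a false positive caused by the old /usr/bin mount or whether the check now misreads the API server arguments. A sentence in the commit message recording which it is would make the fixture change reviewable. The same flip appears in integration/testdata/job.data.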
@@ -62,7 +62,7 @@
 [PASS] 1.4.8 Ensure that the etcd pod specification file ownership is set to root:root (Scored)
 [WARN] 1.4.9 Ensure that the Container Network Interface file permissions are set to 644 or more restrictive (Not Scored)
 [WARN] 1.4.10 Ensure that the Container Network Interface file ownership is set to root:root (Not Scored)
-[FAIL] 1.4.11 Ensure that the etcd data directory permissions are set to 700 or more restrictive (Scored)
+[PASS] 1.4.11 Ensure that the etcd data directory permissions are set to 700 or more restrictive (Scored)
 [FAIL] 1.4.12 Ensure that the etcd data directory ownership is set to etcd:etcd (Scored)
 [PASS] 1.4.13 Ensure that the admin.conf file permissions are set to 644 or more restrictive (Scored)
 [PASS] 1.4.14 Ensure that the admin.conf file ownership is set to root:root (Scored)
@@ -74,11 +74,11 @@
 [WARN] 1.4.20 Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive (Scored)
 [WARN] 1.4.21 Ensure that the Kubernetes PKI key file permissions are set to 600 or more restrictive (Scored)
 [INFO] 1.5 etcd
-[FAIL] 1.5.1 Ensure that the --cert-file and --key-file arguments are set as appropriate (Scored)
-[FAIL] 1.5.2 Ensure that the --client-cert-auth argument is set to true (Scored)
+[PASS] 1.5.1 Ensure that the --cert-file and --key-file arguments are set as appropriate (Scored)
+[PASS] 1.5.2 Ensure that the --client-cert-auth argument is set to true (Scored)
 [PASS] 1.5.3 Ensure that the --auto-tls argument is not set to true (Scored)
-[FAIL] 1.5.4 Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Scored)
-[FAIL] 1.5.5 Ensure that the --peer-client-cert-auth argument is set to true (Scored)
+[PASS] 1.5.4 Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Scored)
+[PASS] 1.5.5 Ensure that the --peer-client-cert-auth argument is set to true (Scored)
 [PASS] 1.5.6 Ensure that the --peer-auto-tls argument is not set to true (Scored)
 [WARN] 1.5.7 Ensure that a unique Certificate Authority is used for etcd (Not Scored)
 [INFO] 1.6 General Security Primitives
@@ -104,10 +104,6 @@
 on the master node and set the below parameter.
 --anonymous-auth=false
 
-1.1.6 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
-apiserver.yaml on the master node and set the below parameter.
---insecure-port=0
-
 1.1.8 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
 on the master node and set the below parameter.
 --profiling=false
@@ -145,24 +141,12 @@ on the master node and set the --audit-log-maxsize parameter to an
 appropriate size in MB. For example, to set it as 100 MB:
 --audit-log-maxsize=100
 
-1.1.19 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
-on the master node and set the --authorization-mode parameter to
-values other than AlwaysAllow. One such example could be as below.
---authorization-mode=RBAC
-
 1.1.21 Follow the Kubernetes documentation and setup the TLS connection between the
 apiserver and kubelets. Then, edit the API server pod specification file
 /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the --kubelet-certificate-authority
 parameter to the path to the cert file for the certificate authority.
 --kubelet-certificate-authority=<ca-string>
 
-1.1.22 Follow the Kubernetes documentation and set up the TLS connection between the
-apiserver and kubelets. Then, edit API server pod specification file
-/etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the
-kubelet client certificate and key parameters as below.
---kubelet-client-certificate=<path/to/client-certificate-file>
---kubelet-client-key=<path/to/client-key-file>
-
 1.1.24 Follow the documentation and create Pod Security Policy objects as per your environment.
 Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
 on the master node and set the --enable-admission-plugins parameter to a
@@ -170,51 +154,16 @@ value that includes PodSecurityPolicy :
 --enable-admission-plugins=...,PodSecurityPolicy,...
 Then restart the API Server.
 
-1.1.25 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
-on the master node and set the --service-account-key-file parameter
-to the public key file for service accounts:
---service-account-key-file=<filename>
-
-1.1.26 Follow the Kubernetes documentation and set up the TLS connection between the
-apiserver and etcd. Then, edit the API server pod specification file
-/etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the etcd
-certificate and key file parameters.
---etcd-certfile=<path/to/client-certificate-file>
---etcd-keyfile=<path/to/client-key-file>
-
-1.1.28 Follow the Kubernetes documentation and set up the TLS connection on the apiserver.
-Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
-on the master node and set the TLS certificate and private key file
-parameters.
---tls-cert-file=<path/to/tls-certificate-file>
---tls-private-key-file=<path/to/tls-key-file>
-
-1.1.29 Follow the Kubernetes documentation and set up the TLS connection on the apiserver.
+1.1.27 Follow the documentation and create ServiceAccount objects as per your environment.
 Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
-on the master node and set the client certificate authority file.
---client-ca-file=<path/to/client-ca-file>
-
-1.1.30 Follow the Kubernetes documentation and set up the TLS connection between the
-apiserver and etcd. Then, edit the API server pod specification file
-/etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the etcd
-certificate authority file parameter.
---etcd-cafile=<path/to/ca-file>
+on the master node and set the --enable-admission-plugins parameter to a
+value that includes ServiceAccount.
+--enable-admission-plugins=...,ServiceAccount,...
 
 1.1.31 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
 on the master node and set the below parameter.
 --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
 
-1.1.32 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
-on the master node and set the --authorization-mode parameter to a
-value that includes Node.
---authorization-mode=Node,RBAC
-
-1.1.33 Follow the Kubernetes documentation and configure NodeRestriction plug-in on
-kubelets. Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
-on the master node and set the --enable-admission-plugins parameter to a
-value that includes NodeRestriction.
---enable-admission-plugins=...,NodeRestriction,...
-
 1.1.34 [Manual test]
 Follow the Kubernetes documentation and configure a EncryptionConfig file.
 Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the
@@ -248,8 +197,6 @@ configuration file. Then, edit the API server pod specification file
 and set the below parameters.
 --audit-policy-file=/etc/kubernetes/audit-policy.yaml
 
-1.1.39 Edit the API server pod specification file kube-apiserver on the master node and set the --authorization-mode parameter to a value that includes RBAC, for example: --authorization-mode=Node,RBAC
-
 1.2.1 Edit the Scheduler pod specification file /etc/kubernetes/manifests/kube-scheduler.yaml
 file on the master node and set the below parameter.
 --profiling=false
@@ -262,20 +209,6 @@ on the master node and set the --terminated-pod-gc-threshold to an appropriate t
 on the master node and set the below parameter.
 --profiling=false
 
-1.3.3 Edit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml
-on the master node to set the below parameter.
---use-service-account-credentials=true
-
-1.3.4 Edit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml
-on the master node and set the --service-account-private-
-key-file parameter to the private key file for service accounts.
---service-account-private-key-file=<filename>
-
-1.3.5 Edit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml
-on the master node and set the --root-ca-file parameter to
-the certificate bundle file.
---root-ca-file=<path/to/file>
-
 1.3.6 Edit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml
 controller-manager.yaml on the master node and set the --feature-gates parameter to
 include RotateKubeletServerCertificate=true.
@@ -291,12 +224,6 @@ Run the below command (based on the file location on your system) on the master
 For example,
 chown root:root <path/to/cni/files>
 
-1.4.11 On the etcd server node, get the etcd data directory, passed as an argument --data-dir ,
-from the below command:
-ps -ef | grep etcd
-Run the below command (based on the etcd data directory found above). For example,
-chmod 700 /var/lib/etcd
-
 1.4.12 On the etcd server node, get the etcd data directory, passed as an argument --data-dir ,
 from the below command:
 ps -ef | grep etcd
@@ -315,26 +242,6 @@ For example, chmod -R 644 /etc/kubernetes/pki/*.crt
 Run the below command (based on the file location on your system) on the master node.
 For example, chmod -R 600 /etc/kubernetes/pki/*.key
 
-1.5.1 Follow the etcd service documentation and configure TLS encryption.
-Then, edit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml on the
-master node and set the below parameters.
---ca-file=</path/to/ca-file>
---key-file=</path/to/key-file>
-
-1.5.2 Edit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml on the master
-node and set the below parameter.
---client-cert-auth="true"
-
-1.5.4 Follow the etcd service documentation and configure peer TLS encryption as appropriate
-for your etcd cluster. Then, edit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml on the
-master node and set the below parameters.
---peer-client-file=</path/to/peer-cert-file>
---peer-key-file=</path/to/peer-key-file>
-
-1.5.5 Edit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml on the master
-node and set the below parameter.
---peer-client-cert-auth=true
-
 1.5.7 [Manual test]
 Follow the etcd documentation and create a dedicated certificate authority setup for the
 etcd service.
@@ -420,7 +327,7 @@ Create a PSP as described in the Kubernetes documentation, ensuring that the .sp
 
 
 == Summary ==
-30 checks PASS
-36 checks FAIL
+48 checks PASS
+18 checks FAIL
 25 checks WARN
 1 checks INFO
\ No newline at end of file
diff --git a/integration/testdata/job.data b/integration/testdata/job.data
index 1244a50e6f6e643e26e995a1ef0bb1d573bac5b1..7d2319354000f8715c74af0e11d68262a03f6725 100644
--- a/integration/testdata/job.data
+++ b/integration/testdata/job.data
@@ -5,7 +5,7 @@
 [PASS] 1.1.3 Ensure that the --insecure-allow-any-token argument is not set (Not Scored)
 [PASS] 1.1.4 Ensure that the --kubelet-https argument is set to true (Scored)
 [PASS] 1.1.5 Ensure that the --insecure-bind-address argument is not set (Scored)
-[FAIL] 1.1.6 Ensure that the --insecure-port argument is set to 0 (Scored)
+[PASS] 1.1.6 Ensure that the --insecure-port argument is set to 0 (Scored)
 [PASS] 1.1.7 Ensure that the --secure-port argument is not set to 0 (Scored)
 [FAIL] 1.1.8 Ensure that the --profiling argument is set to false (Scored)
 [FAIL] 1.1.9 Ensure that the --repair-malformed-updates argument is set to false (Scored)
@@ -18,37 +18,37 @@
 [FAIL] 1.1.16 Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Scored)
 [FAIL] 1.1.17 Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Scored)
 [FAIL] 1.1.18 Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Scored)
-[FAIL] 1.1.19 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)
+[PASS] 1.1.19 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)
 [PASS] 1.1.20 Ensure that the --token-auth-file parameter is not set (Scored)
 [FAIL] 1.1.21 Ensure that the --kubelet-certificate-authority argument is set as appropriate (Scored)
-[FAIL] 1.1.22 Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (Scored)
+[PASS] 1.1.22 Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (Scored)
 [PASS] 1.1.23 Ensure that the --service-account-lookup argument is set to true (Scored)
 [FAIL] 1.1.24 Ensure that the admission control plugin PodSecurityPolicy is set (Scored)
-[FAIL] 1.1.25 Ensure that the --service-account-key-file argument is set as appropriate (Scored)
-[FAIL] 1.1.26 Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Scored)
-[PASS] 1.1.27 Ensure that the admission control plugin ServiceAccount is set(Scored)
-[FAIL] 1.1.28 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)
-[FAIL] 1.1.29 Ensure that the --client-ca-file argument is set as appropriate (Scored)
-[FAIL] 1.1.30 Ensure that the --etcd-cafile argument is set as appropriate (Scored)
+[PASS] 1.1.25 Ensure that the --service-account-key-file argument is set as appropriate (Scored)
+[PASS] 1.1.26 Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Scored)
+[FAIL] 1.1.27 Ensure that the admission control plugin ServiceAccount is set(Scored)
+[PASS] 1.1.28 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)
+[PASS] 1.1.29 Ensure that the --client-ca-file argument is set as appropriate (Scored)
+[PASS] 1.1.30 Ensure that the --etcd-cafile argument is set as appropriate (Scored)
 [WARN] 1.1.31 Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Not Scored)
-[FAIL] 1.1.32 Ensure that the --authorization-mode argument is set to Node (Scored)
-[FAIL] 1.1.33 Ensure that the admission control plugin NodeRestriction is set (Scored)
+[PASS] 1.1.32 Ensure that the --authorization-mode argument is set to Node (Scored)
+[PASS] 1.1.33 Ensure that the admission control plugin NodeRestriction is set (Scored)
 [FAIL] 1.1.34 Ensure that the --encryption-provider-config argument is set as appropriate (Scored)
 [WARN] 1.1.35 Ensure that the encryption provider is set to aescbc (Scored)
 [FAIL] 1.1.36 Ensure that the admission control plugin EventRateLimit is set (Scored)
 [PASS] 1.1.37a Ensure that the AdvancedAuditing argument is not set to false (Scored)
 [FAIL] 1.1.37b Ensure that the AdvancedAuditing argument is not set to false (Scored)
 [PASS] 1.1.38 Ensure that the --request-timeout argument is set as appropriate (Scored)
-[FAIL] 1.1.39 Ensure that the --authorization-mode argument includes RBAC (Scored)
+[PASS] 1.1.39 Ensure that the --authorization-mode argument includes RBAC (Scored)
 [INFO] 1.2 Scheduler
 [FAIL] 1.2.1 Ensure that the --profiling argument is set to false (Scored)
 [PASS] 1.2.2 Ensure that the --address argument is set to 127.0.0.1 (Scored)
 [INFO] 1.3 Controller Manager
 [FAIL] 1.3.1 Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Scored)
 [FAIL] 1.3.2 Ensure that the --profiling argument is set to false (Scored)
-[FAIL] 1.3.3 Ensure that the --use-service-account-credentials argument is set to true (Scored)
-[FAIL] 1.3.4 Ensure that the --service-account-private-key-file argument is set as appropriate (Scored)
-[FAIL] 1.3.5 Ensure that the --root-ca-file argument is set as appropriate (Scored)
+[PASS] 1.3.3 Ensure that the --use-service-account-credentials argument is set to true (Scored)
+[PASS] 1.3.4 Ensure that the --service-account-private-key-file argument is set as appropriate (Scored)
+[PASS] 1.3.5 Ensure that the --root-ca-file argument is set as appropriate (Scored)
 [FAIL] 1.3.6 Ensure that the RotateKubeletServerCertificate argument is set to true (Scored)
 [PASS] 1.3.7 Ensure that the --address argument is set to 127.0.0.1 (Scored)
 [INFO] 1.4 Configuration Files
@@ -62,7 +62,7 @@
 [PASS] 1.4.8 Ensure that the etcd pod specification file ownership is set to root:root (Scored)
 [WARN] 1.4.9 Ensure that the Container Network Interface file permissions are set to 644 or more restrictive (Not Scored)
 [WARN] 1.4.10 Ensure that the Container Network Interface file ownership is set to root:root (Not Scored)
-[FAIL] 1.4.11 Ensure that the etcd data directory permissions are set to 700 or more restrictive (Scored)
+[PASS] 1.4.11 Ensure that the etcd data directory permissions are set to 700 or more restrictive (Scored)
 [FAIL] 1.4.12 Ensure that the etcd data directory ownership is set to etcd:etcd (Scored)
 [PASS] 1.4.13 Ensure that the admin.conf file permissions are set to 644 or more restrictive (Scored)
 [PASS] 1.4.14 Ensure that the admin.conf file ownership is set to root:root (Scored)
@@ -74,11 +74,11 @@
 [WARN] 1.4.20 Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive (Scored)
 [WARN] 1.4.21 Ensure that the Kubernetes PKI key file permissions are set to 600 or more restrictive (Scored)
 [INFO] 1.5 etcd
-[FAIL] 1.5.1 Ensure that the --cert-file and --key-file arguments are set as appropriate (Scored)
-[FAIL] 1.5.2 Ensure that the --client-cert-auth argument is set to true (Scored)
+[PASS] 1.5.1 Ensure that the --cert-file and --key-file arguments are set as appropriate (Scored)
+[PASS] 1.5.2 Ensure that the --client-cert-auth argument is set to true (Scored)
 [PASS] 1.5.3 Ensure that the --auto-tls argument is not set to true (Scored)
-[FAIL] 1.5.4 Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Scored)
-[FAIL] 1.5.5 Ensure that the --peer-client-cert-auth argument is set to true (Scored)
+[PASS] 1.5.4 Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Scored)
+[PASS] 1.5.5 Ensure that the --peer-client-cert-auth argument is set to true (Scored)
 [PASS] 1.5.6 Ensure that the --peer-auto-tls argument is not set to true (Scored)
 [WARN] 1.5.7 Ensure that a unique Certificate Authority is used for etcd (Not Scored)
 [INFO] 1.6 General Security Primitives
@@ -104,10 +104,6 @@
 on the master node and set the below parameter.
 --anonymous-auth=false
 
-1.1.6 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
-apiserver.yaml on the master node and set the below parameter.
---insecure-port=0
-
 1.1.8 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
 on the master node and set the below parameter.
 --profiling=false
@@ -145,24 +141,12 @@ on the master node and set the --audit-log-maxsize parameter to an
 appropriate size in MB. For example, to set it as 100 MB:
 --audit-log-maxsize=100
 
-1.1.19 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
-on the master node and set the --authorization-mode parameter to
-values other than AlwaysAllow. One such example could be as below.
---authorization-mode=RBAC
-
 1.1.21 Follow the Kubernetes documentation and setup the TLS connection between the
 apiserver and kubelets. Then, edit the API server pod specification file
 /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the --kubelet-certificate-authority
 parameter to the path to the cert file for the certificate authority.
 --kubelet-certificate-authority=<ca-string>
 
-1.1.22 Follow the Kubernetes documentation and set up the TLS connection between the
-apiserver and kubelets. Then, edit API server pod specification file
-/etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the
-kubelet client certificate and key parameters as below.
---kubelet-client-certificate=<path/to/client-certificate-file>
---kubelet-client-key=<path/to/client-key-file>
-
 1.1.24 Follow the documentation and create Pod Security Policy objects as per your environment.
 Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
 on the master node and set the --enable-admission-plugins parameter to a
@@ -170,51 +154,16 @@ value that includes PodSecurityPolicy :
 --enable-admission-plugins=...,PodSecurityPolicy,...
 Then restart the API Server.
 
-1.1.25 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
-on the master node and set the --service-account-key-file parameter
-to the public key file for service accounts:
---service-account-key-file=<filename>
-
-1.1.26 Follow the Kubernetes documentation and set up the TLS connection between the
-apiserver and etcd. Then, edit the API server pod specification file
-/etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the etcd
-certificate and key file parameters.
---etcd-certfile=<path/to/client-certificate-file>
---etcd-keyfile=<path/to/client-key-file>
-
-1.1.28 Follow the Kubernetes documentation and set up the TLS connection on the apiserver.
+1.1.27 Follow the documentation and create ServiceAccount objects as per your environment.
 Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
-on the master node and set the TLS certificate and private key file
-parameters.
---tls-cert-file=<path/to/tls-certificate-file>
---tls-private-key-file=<path/to/tls-key-file>
-
-1.1.29 Follow the Kubernetes documentation and set up the TLS connection on the apiserver.
-Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
-on the master node and set the client certificate authority file.
---client-ca-file=<path/to/client-ca-file>
-
-1.1.30 Follow the Kubernetes documentation and set up the TLS connection between the
-apiserver and etcd. Then, edit the API server pod specification file
-/etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the etcd
-certificate authority file parameter.
---etcd-cafile=<path/to/ca-file>
+on the master node and set the --enable-admission-plugins parameter to a
+value that includes ServiceAccount.
+--enable-admission-plugins=...,ServiceAccount,...
 
 1.1.31 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
 on the master node and set the below parameter.
 --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
 
-1.1.32 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
-on the master node and set the --authorization-mode parameter to a
-value that includes Node.
---authorization-mode=Node,RBAC
-
-1.1.33 Follow the Kubernetes documentation and configure NodeRestriction plug-in on
-kubelets. Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
-on the master node and set the --enable-admission-plugins parameter to a
-value that includes NodeRestriction.
---enable-admission-plugins=...,NodeRestriction,...
-
 1.1.34 [Manual test]
 Follow the Kubernetes documentation and configure a EncryptionConfig file.
 Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the
@@ -248,8 +197,6 @@ configuration file. Then, edit the API server pod specification file
 and set the below parameters.
 --audit-policy-file=/etc/kubernetes/audit-policy.yaml
 
-1.1.39 Edit the API server pod specification file kube-apiserver on the master node and set the --authorization-mode parameter to a value that includes RBAC, for example: --authorization-mode=Node,RBAC
-
 1.2.1 Edit the Scheduler pod specification file /etc/kubernetes/manifests/kube-scheduler.yaml
 file on the master node and set the below parameter.
 --profiling=false
@@ -262,20 +209,6 @@ on the master node and set the --terminated-pod-gc-threshold to an appropriate t
 on the master node and set the below parameter.
 --profiling=false
 
-1.3.3 Edit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml
-on the master node to set the below parameter.
---use-service-account-credentials=true
-
-1.3.4 Edit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml
-on the master node and set the --service-account-private-
-key-file parameter to the private key file for service accounts.
---service-account-private-key-file=<filename>
-
-1.3.5 Edit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml
-on the master node and set the --root-ca-file parameter to
-the certificate bundle file.
---root-ca-file=<path/to/file>
-
 1.3.6 Edit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml
 controller-manager.yaml on the master node and set the --feature-gates parameter to
 include RotateKubeletServerCertificate=true.
@@ -291,12 +224,6 @@ Run the below command (based on the file location on your system) on the master
 For example,
 chown root:root <path/to/cni/files>
 
-1.4.11 On the etcd server node, get the etcd data directory, passed as an argument --data-dir ,
-from the below command:
-ps -ef | grep etcd
-Run the below command (based on the etcd data directory found above). For example,
-chmod 700 /var/lib/etcd
-
 1.4.12 On the etcd server node, get the etcd data directory, passed as an argument --data-dir ,
 from the below command:
 ps -ef | grep etcd
@@ -315,26 +242,6 @@ For example, chmod -R 644 /etc/kubernetes/pki/*.crt
 Run the below command (based on the file location on your system) on the master node.
 For example, chmod -R 600 /etc/kubernetes/pki/*.key
 
-1.5.1 Follow the etcd service documentation and configure TLS encryption.
-Then, edit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml on the
-master node and set the below parameters.
---ca-file=</path/to/ca-file>
---key-file=</path/to/key-file>
-
-1.5.2 Edit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml on the master
-node and set the below parameter.
---client-cert-auth="true"
-
-1.5.4 Follow the etcd service documentation and configure peer TLS encryption as appropriate
-for your etcd cluster. Then, edit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml on the
-master node and set the below parameters.
---peer-client-file=</path/to/peer-cert-file>
---peer-key-file=</path/to/peer-key-file>
-
-1.5.5 Edit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml on the master
-node and set the below parameter.
---peer-client-cert-auth=true
-
 1.5.7 [Manual test]
 Follow the etcd documentation and create a dedicated certificate authority setup for the
 etcd service.
@@ -420,8 +327,8 @@ Create a PSP as described in the Kubernetes documentation, ensuring that the .sp
 
 
 == Summary ==
-30 checks PASS
-36 checks FAIL
+48 checks PASS
+18 checks FAIL
 25 checks WARN
 1 checks INFO
 [INFO] 2 Worker Node Security Configuration
diff --git a/job-master.yaml b/job-master.yaml
index 27cecb2472d9fe1581c8b77de5712649b03e2061..ad6be4037dc82e417feeb06747512a6bcb5979c7 100644
--- a/job-master.yaml
+++ b/job-master.yaml
@@ -24,10 +24,10 @@ spec:
             - name: etc-kubernetes
               mountPath: /etc/kubernetes
               readOnly: true
-              # /usr/bin is mounted to access kubectl / kubelet, for auto-detecting the Kubernetes version.
+              # /usr/local/mount-from-host/bin is mounted to access kubectl / kubelet, for auto-detecting the Kubernetes version.
               # You can omit this mount if you specify --version as part of the command.
             - name: usr-bin
-              mountPath: /usr/bin
+              mountPath: /usr/local/mount-from-host/bin
               readOnly: true
       restartPolicy: Never
       volumes:
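Review bot: The rewritten comment above the `usr-bin` mount says `/usr/local/mount-from-host/bin` "is mounted", but that path is the in-container mount point; the source is presumably still the host's `/usr/bin` (the `volumes:` definition lies outside the hunk, so confirm). I would word it as `# The host's /usr/bin is mounted at /usr/local/mount-from-host/bin so kubectl / kubelet can be found for auto-detecting the Kubernetes version.` Because the image's PATH is extended with this directory, every host binary whose name the image does not already provide becomes resolvable inside the container. The comment could therefore also say that passing `--version` and dropping the mount is the narrower option. The same comment wording appears in the job-node.yaml and job.yaml hunks.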
diff --git a/job-node.yaml b/job-node.yaml
index b9133e98c3cd0fee120c8080d7706e048c6f016f..7160f4ad13627d9cecdffa8846a0a72223db8f11 100644
--- a/job-node.yaml
+++ b/job-node.yaml
@@ -21,10 +21,10 @@ spec:
             - name: etc-kubernetes
               mountPath: /etc/kubernetes
               readOnly: true
-              # /usr/bin is mounted to access kubectl / kubelet, for auto-detecting the Kubernetes version.
+              # /usr/local/mount-from-host/bin is mounted to access kubectl / kubelet, for auto-detecting the Kubernetes version.
               # You can omit this mount if you specify --version as part of the command.
             - name: usr-bin
-              mountPath: /usr/bin
+              mountPath: /usr/local/mount-from-host/bin
               readOnly: true
       restartPolicy: Never
       volumes:
diff --git a/job.yaml b/job.yaml
index 5f096510f12262115d8daefd7765744f5bb4c1bb..ec42ba16c2559579c56dce2b1989f2b7f26a296d 100644
--- a/job.yaml
+++ b/job.yaml
@@ -27,10 +27,10 @@ spec:
             - name: etc-kubernetes
               mountPath: /etc/kubernetes
               readOnly: true
-              # /usr/bin is mounted to access kubectl / kubelet, for auto-detecting the Kubernetes version.
+              # /usr/local/mount-from-host/bin is mounted to access kubectl / kubelet, for auto-detecting the Kubernetes version.
               # You can omit this mount if you specify --version as part of the command.
             - name: usr-bin
-              mountPath: /usr/bin
+              mountPath: /usr/local/mount-from-host/bin
               readOnly: true
       restartPolicy: Never
       volumes: