For https://github.com/mitre/eks-cis-cluster-baseline/blob/0f075949a612f3a3b9d525c7fa737039969de8a0/controls/eks-cis-5.4.2.rb ,
the CIS benchmark title says "Ensure clusters are created with Private Endpoint Enabled and Public Access Disabled", but the Description says "Disable access to the Kubernetes API from outside the node network if it is not required." outside, as in from the Public side. The author isn't forcing folks to enable private access. They hadn't anticipated that a team might not want to enable private access at all, and just use public access. In fact, enabling private access is less secure. CIS benchmarks tend to drift out of strict security lock-down requirements and (sometimes confusingly) mix in guidance to ensure you can still get things done. So, it isn't a security finding for not enabling private access. The InSpec code should only focus on the Description statement: "Disable access to the Kubernetes API from outside the node network if it is not required.". The first describe block at

is simply not necessary, so I propose it be removed. The other describe blocks focus on either not enabling public access or enabling with restricted access in alignment with the security hardening recommended by the author.