Day 4 — Kube-bench — Open Source tool for running Kubernetes CIS benchmark

Reference: https://github.com/aquasecurity/kube-bench

Before I talk about kube-bench, let's first understand what a CIS benchmark is.

The Center for Internet Security (CIS) publishes a number of guidelines to make sure your system follows security best practices.

You can register on their website and download these benchmarks for free at https://downloads.cisecurity.org/. Within these documents, there are various security recommendations. Each recommendation defines why it's a threat, how to check whether the threat exists in your system (with the command to run), and how to remediate it. For example, 1.1.2 "Ensure /tmp is configured." If you click on the link (once you have downloaded the report), you will see:

  • The command CIS provides to check it
  • How to remediate it

CIS benchmarks are not restricted to specific vendors; CIS provides benchmarks for a wide range of software, including Kubernetes.

kube-bench is an open-source tool that checks whether Kubernetes is deployed securely by running the checks documented in the CIS Kubernetes Benchmark.

Installing kube-bench on Ubuntu

https://github.com/aquasecurity/kube-bench/releases/tag/v0.6.5

wget https://github.com/aquasecurity/kube-bench/releases/download/v0.6.5/kube-bench_0.6.5_linux_amd64.tar.gz
tar -xvf kube-bench_0.6.5_linux_amd64.tar.gz

  • Run kube-bench by passing the following options. It gives you a nice overview of all the benchmark checks, with the failed ones shown in red.

./kube-bench --config-dir cfg --config cfg/config.yaml

  • The end of the report also summarizes how many checks passed, failed, produced warnings, etc.
  • kube-bench also gives you remediation steps on how to fix a particular failure. For example, let's take 1.1.12. It gives you the command to verify it and how to remediate it.
  • You can verify it on the server itself:

# ls -l /var/lib/etcd/
total 4
drwx------ 4 root root 4096 Oct 30 14:43 member

  • Let's fix it:

chown etcd:etcd /var/lib/etcd/

  • Rerun kube-bench and verify that the check passes this time:

./kube-bench --config-dir cfg --config cfg/config.yaml

  • kube-bench can also be run as a Docker container or as a Job running in your Kubernetes cluster.
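The check-fix-recheck loop above can be scripted for the etcd data directory ownership finding. The following POSIX shell script is an added example, not code from the post or from kube-bench: it compares a directory's owner:group with the expected value the way the benchmark audit does, prints a kube-bench style PASS/FAIL line together with the remediation, and returns a non-zero status on FAIL so it can gate a hardening script. The `/var/lib/etcd` path and `etcd:etcd` expectation come from the post; the function names and the `--run` flag are this example's own.

```shell
#!/bin/sh
# Added example (not part of the original post or of kube-bench): a hand-rolled
# version of the ownership audit behind the 1.1.12 finding shown on the page.

# owner_group DIR -> prints "owner:group" of DIR itself (not of its contents).
# `ls -ld` is used because it works on both GNU and BSD ls; note the page used
# `ls -l`, which lists the directory's contents rather than the directory.
owner_group() {
    ls -ld "$1" | awk '{ print $3 ":" $4 }'
}

# check_ownership DIR EXPECTED_OWNER:GROUP
# Exit status: 0 = PASS, 1 = FAIL, 2 = directory missing (check not applicable,
# e.g. on a worker node that does not run etcd).
check_ownership() {
    dir=$1
    expected=$2
    if [ ! -d "$dir" ]; then
        printf '[WARN] %s does not exist (check not applicable on this node)\n' "$dir"
        return 2
    fi
    actual=$(owner_group "$dir")
    if [ "$actual" = "$expected" ]; then
        printf '[PASS] %s is owned by %s\n' "$dir" "$actual"
        return 0
    fi
    printf '[FAIL] %s is owned by %s, expected %s\n' "$dir" "$actual" "$expected"
    printf '       remediation: chown %s %s\n' "$expected" "$dir"
    return 1
}

# remediate_ownership DIR EXPECTED_OWNER:GROUP
# Applies the chown the post shows, then re-checks, mirroring "fix it, rerun".
remediate_ownership() {
    chown "$2" "$1" && check_ownership "$1" "$2"
}

# Example run against the path from the post; requires root on a real node.
# The `--run` guard is this example's own convention so the functions can be
# sourced without side effects.
if [ "${1:-}" = "--run" ]; then
    check_ownership /var/lib/etcd etcd:etcd || remediate_ownership /var/lib/etcd etcd:etcd
fi
```

Run it as `sudo sh check-etcd-owner.sh --run` on a control-plane node; a `[FAIL]` line is followed by the chown and a second check, which is the same sequence the post walks through by hand with kube-bench.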

Conclusion

kube-bench is an open-source, easy-to-use tool to verify whether your Kubernetes cluster is deployed securely by running the checks documented in the CIS Kubernetes Benchmark.

Prashant Lakhera

AWS Community Builder, Ex-Redhat, Author, Blogger, YouTuber, RHCA, RHCDS, RHCE, Docker Certified, 4XAWS, CCNA, MCP, Certified Jenkins, Terraform Certified, 1XGCP