Open in app

Sign in

Write

Sign in

Day 4 — Kube-bench — Open Source tool for running Kubernetes CIS benchmark

Prashant Lakhera
3 min readOct 30, 2021

Reference: https://github.com/aquasecurity/kube-bench

Before I talk about Kube-bench, let first understand the CIS benchmark?

Center for Internet Security(CIS) provides a number of guidelines to make sure your system is following the security best practices.

You can register on their website and download these benchmarks for free https://downloads.cisecurity.org/. Within these pages, there are various security recommendations. Each recommendation defines why it’s a threat, how to check if the threat exists in your system with the command to run it, and how to remediate it. For example, 1.1.2 “Ensure /tmp is configured.” If you click on the link(once you download the report)

  • CIS provides a command to check it
  • How to remediate it

CIS benchmarks are not restricted to specific vendors, and they provide benchmarks for various software, including Kubernetes.

kube-bench is an open-source tool that checks whether Kubernetes is deployed securely by running the checks documented in the CIS Kubernetes Benchmark.

GitHub - aquasecurity/kube-bench: Checks whether Kubernetes is deployed according to security best…

kube-bench is a tool that checks whether Kubernetes is deployed securely by running the checks documented in the CIS…

github.com

Installing kubebench in ubuntu

https://github.com/aquasecurity/kube-bench/releases/tag/v0.6.5

wget https://github.com/aquasecurity/kube-bench/releases/download/v0.6.5/kube-bench_0.6.5_linux_amd64.tar.gztar -xvf kube-bench_0.6.5_linux_amd64.tar.gz
  • Run the kube-bench by passing the following options. It gives you a nice overview of all the benchmarks and the ones which is failed in red.
./kube-bench --config-dir cfg --config cfg/config.yaml
  • The end of the report also summarizes how many checks passed, failed, warnings, etc.
  • Kube-bench also gave you remediation steps on how to fix the particular error. For example, let’s take 1.1.12. It gave you the command to verify it and how to remediate it.
  • You can verify it on the server itself
# ls -l /var/lib/etcd/
total 4
drwx------ 4 root root 4096 Oct 30 14:43 member
  • Let’s fix it
chown etcd:etcd /var/lib/etcd/
  • Rerun the kube-bench and verify if it’s passed this time
./kube-bench --config-dir cfg --config cfg/config.yaml
  • kube-bench can be run as a docker container or as a job running in your kubernetes cluster

kube-bench/running.md at main · aquasecurity/kube-bench

If you run kube-bench directly from the command line you may need to be root / sudo to have access to all the config…

github.com

Conclusion

Kube-bench is an opensource and easy to use tool to verify if your Kubernetes cluster is deployed securely by running the checks documented in the CIS Kubernetes benchmarks.

Kubernetes
Security
Devsecops
DevOps
Technology

--

--

Prashant Lakhera

Written by Prashant Lakhera

5.9K Followers

AWS Community Builder, Ex-Redhat, Author, Blogger, YouTuber, RHCA, RHCDS, RHCE, Docker Certified,4XAWS, CCNA, MCP, Certified Jenkins, Terraform Certified, 1XGCP

Help

Status

About

Careers

Blog

Privacy

Terms

Text to speech

Teams