Day 4 — Kube-bench — Open Source tool for running Kubernetes CIS benchmark

Reference: https://github.com/aquasecurity/kube-bench

Before I talk about kube-bench, let's first understand what a CIS benchmark is.

The Center for Internet Security (CIS) publishes a set of guidelines, the CIS benchmarks, that you can use to check whether a system follows security best practices.

You can register on their website and download these benchmarks for free at https://downloads.cisecurity.org/. Each benchmark is a list of security recommendations. Every recommendation explains why the setting matters, how to audit it (with the exact command to run), and how to remediate it. For example, take recommendation 1.1.2, "Ensure /tmp is configured." Once you have downloaded the document and open that recommendation, you will find:

  • the command CIS provides to audit it
  • the steps to remediate it

CIS benchmarks are not restricted to specific vendors, and they provide benchmarks for various software, including Kubernetes.

kube-bench is an open-source tool that checks whether Kubernetes is deployed securely by running the checks documented in the CIS Kubernetes Benchmark.

Installing kube-bench on Ubuntu

Download the release binary from https://github.com/aquasecurity/kube-bench/releases/tag/v0.6.5 and unpack it (the tarball contains the kube-bench binary and a cfg directory with the benchmark definitions):

wget https://github.com/aquasecurity/kube-bench/releases/download/v0.6.5/kube-bench_0.6.5_linux_amd64.tar.gz
tar -xvf kube-bench_0.6.5_linux_amd64.tar.gz
  • Run kube-bench with the following options, on the node you want to assess (the control-plane node for the master checks) and as root, since many checks read files under /etc/kubernetes and /var/lib. It prints an overview of all the checks, with the failed ones in red. kube-bench auto-detects the Kubernetes version to pick the matching benchmark; if it picks the wrong one you can pin it with --benchmark.
./kube-bench --config-dir cfg --config cfg/config.yaml
  • The end of the report summarizes how many checks passed, failed, and raised warnings.
  • kube-bench also gives you remediation steps for each failed check. For example, take 1.1.12, "Ensure that the etcd data directory ownership is set to etcd:etcd": it shows you the command to verify it and how to remediate it.
  • You can verify it on the server itself. Note that ls -l lists the contents of the directory; the check is about the ownership of the data directory itself, so ls -ld /var/lib/etcd/ (or stat -c %U:%G /var/lib/etcd/) is the more precise audit.
# ls -l /var/lib/etcd/
total 4
drwx------ 4 root root 4096 Oct 30 14:43 member
  • Let's fix it. The etcd user and group must exist for this to work; on kubeadm clusters etcd runs as a static pod as root and there is usually no etcd user, so chown fails with "invalid user" until you create one, and you should confirm etcd can still read the directory afterwards.
chown etcd:etcd /var/lib/etcd/
  • Rerun kube-bench and confirm that 1.1.12 passes this time.
./kube-bench --config-dir cfg --config cfg/config.yaml
  • kube-bench can also run as a Docker container or as a Job inside your Kubernetes cluster (the repository ships a job.yaml for this), and the --json flag gives you machine-readable output instead of the coloured report.
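To show what you can do with the report beyond reading it, here is an added example (not part of the original post and not kube-bench's own code) that turns the output of kube-bench --json into a CI gate: it lists every FAIL with its remediation text, optionally treats WARN as blocking, accepts an allowlist of documented exceptions, and returns a non-zero status when anything blocking remains. The --json flag is a real kube-bench option; the field names used here (Controls, tests, results, test_number, status, scored, remediation, Totals) follow the 0.6.x JSON layout as I know it, and the embedded report is a constructed, trimmed sample, so verify both against a run on your own cluster.

```python
"""Turn a kube-bench JSON report into a CI gate.

Added example, not kube-bench's own code. The field names follow the shape of
`kube-bench --json` output in the 0.6.x series (Controls -> tests -> results);
check them against a real run. SAMPLE_REPORT is a constructed, trimmed report.
"""
import json
import sys

# Constructed sample shaped like `./kube-bench --json` output, trimmed to three
# checks from section 1.1 (control-plane configuration files).
SAMPLE_REPORT = r"""
{
  "Controls": [
    {
      "id": "1", "version": "cis-1.6", "node_type": "master",
      "text": "Master Node Security Configuration",
      "tests": [
        {
          "section": "1.1", "desc": "Master Node Configuration Files",
          "results": [
            {"test_number": "1.1.11", "status": "PASS", "scored": true,
             "test_desc": "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)",
             "remediation": "chmod 700 /var/lib/etcd"},
            {"test_number": "1.1.12", "status": "FAIL", "scored": true,
             "test_desc": "Ensure that the etcd data directory ownership is set to etcd:etcd (Automated)",
             "remediation": "chown etcd:etcd /var/lib/etcd"},
            {"test_number": "1.1.9", "status": "WARN", "scored": false,
             "test_desc": "Ensure that the Container Network Interface file permissions are set to 644 or more restrictive (Manual)",
             "remediation": "chmod 644 <path/to/cni/files>"}
          ]
        }
      ]
    }
  ],
  "Totals": {"total_pass": 1, "total_fail": 1, "total_warn": 1, "total_info": 0}
}
"""


def iter_results(report):
    """Yield (node_type, result) for every individual check in the report."""
    for control in report.get("Controls", []):
        for test in control.get("tests", []):
            for result in test.get("results", []):
                yield control.get("node_type", ""), result


def failing_checks(report, fail_on_warn=False):
    """Return the checks that should block a rollout.

    FAIL always counts. WARN counts only when fail_on_warn is set, because
    kube-bench uses WARN for manual/unscored checks that need a human decision.
    """
    blocking = {"FAIL"} | ({"WARN"} if fail_on_warn else set())
    return [
        {"node": node, "id": r["test_number"], "desc": r["test_desc"],
         "status": r["status"], "remediation": r.get("remediation", "").strip()}
        for node, r in iter_results(report)
        if r.get("status") in blocking
    ]


def count_by_status(report):
    """Recompute PASS/FAIL/WARN/INFO counts from the individual results."""
    counts = {"PASS": 0, "FAIL": 0, "WARN": 0, "INFO": 0}
    for _, r in iter_results(report):
        status = r.get("status", "INFO")
        counts[status] = counts.get(status, 0) + 1
    return counts


def gate(report, fail_on_warn=False, allowlist=()):
    """Print blocking checks with their remediation; return a CI exit code.

    allowlist holds check ids accepted as documented exceptions (for example
    a check that cannot pass on a given distribution); keep it short and reviewed.
    """
    blocking = [c for c in failing_checks(report, fail_on_warn) if c["id"] not in allowlist]
    for c in blocking:
        print(f"[{c['status']}] {c['node']} {c['id']}: {c['desc']}")
        print(f"    remediation: {c['remediation']}")
    counts = count_by_status(report)
    print("summary:", ", ".join(f"{k}={v}" for k, v in counts.items()))
    return 1 if blocking else 0


def load_report(path=None):
    """Load a kube-bench JSON file, or the embedded sample when no path is given."""
    if path is None:
        return json.loads(SAMPLE_REPORT)
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


if __name__ == "__main__":
    # Usage: ./kube-bench --json > report.json && python3 gate.py report.json [--fail-on-warn]
    files = [a for a in sys.argv[1:] if not a.startswith("--")]
    sys.exit(gate(load_report(files[0] if files else None),
                  fail_on_warn="--fail-on-warn" in sys.argv))
```

Run with no arguments it gates the embedded sample and exits 1 because 1.1.12 fails; point it at a real report.json to gate a cluster. The allowlist exists because some checks legitimately cannot pass on a given platform (the etcd ownership check on a kubeadm cluster with no etcd user is one such case), and recording those as explicit exceptions is better than ignoring the whole report.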

Conclusion

kube-bench is an open-source, easy-to-use tool for verifying that your Kubernetes cluster is deployed securely, by running the checks documented in the CIS Kubernetes Benchmark and telling you how to remediate the ones that fail.