
kube-bench is a Go application that checks whether Kubernetes is deployed securely by running the checks documented in the CIS Kubernetes Benchmark.
https://github.com/aquasecurity/kube-bench
## Installation

You can choose to:

- Run kube-bench from inside a container (sharing PID namespace with the host).
- Run a container that installs kube-bench on the host, and then run kube-bench directly on the host.
- Install the latest binaries from the Releases page, though please note that you also need to download the config and test files from the `cfg` directory. See Download and Install binaries for details.
- Compile it from source. See Installing from sources for details.
## Running inside a container

```sh
docker run --pid=host -v /etc:/etc:ro -v /var:/var:ro -t aquasec/kube-bench:latest --version 1.13
```

Note: the tests require either the kubelet or kubectl binary in the path in order to auto-detect the Kubernetes version. You can pass `-v $(which kubectl):/usr/local/mount-from-host/bin/kubectl` to resolve this. You will also need to pass in kubeconfig credentials. For example:

```sh
docker run --pid=host -v /etc:/etc:ro -v /var:/var:ro -v $(which kubectl):/usr/local/mount-from-host/bin/kubectl -v ~/.kube:/.kube -e KUBECONFIG=/.kube/config -t aquasec/kube-bench:latest
```
## Running in a Kubernetes cluster

The supplied `job.yaml` file can be applied to run the tests as a job. For example:

```sh
$ kubectl apply -f job.yaml
$ kubectl get pods
# The results are held in the pod's logs
$ kubectl logs kube-bench-j76s9
```
## Running in an AKS cluster

- Create an AKS cluster (e.g. 1.13.7) with RBAC enabled, otherwise there would be 4 failures.
- Use the kubectl-enter plugin to shell into a node:
  ```sh
  kubectl-enter {node-name}
  ```
  or ssh to one agent node (you could open NSG port 22 and assign a public IP to one agent node, for testing purposes only).
- Run the CIS benchmark to view results:
  ```sh
  docker run --rm -v `pwd`:/host aquasec/kube-bench:latest install
  ./kube-bench
  ```

kube-bench cannot be run on AKS master nodes.
## Running in an EKS cluster

There is a `job-eks.yaml` file for running the kube-bench node checks on an EKS cluster. The significant difference on EKS is that it’s not possible to schedule jobs onto the master node, so master checks can’t be performed.

1. To create an EKS Cluster refer to Getting Started with Amazon EKS in the Amazon EKS User Guide
   - Information on configuring `eksctl`, `kubectl` and the AWS CLI is within
2. Create an Amazon Elastic Container Registry (ECR) repository to host the kube-bench container image
   ```sh
   aws ecr create-repository --repository-name k8s/kube-bench --image-tag-mutability MUTABLE
   ```
3. Download, build and push the kube-bench container image to your ECR repo
   ```sh
   git clone https://github.com/aquasecurity/kube-bench.git
   cd kube-bench
   aws ecr get-login-password --region <AWS_REGION> | docker login --username AWS --password-stdin <AWS_ACCT_NUMBER>.dkr.ecr.<AWS_REGION>.amazonaws.com
   docker build -t k8s/kube-bench .
   docker tag k8s/kube-bench:latest <AWS_ACCT_NUMBER>.dkr.ecr.<AWS_REGION>.amazonaws.com/k8s/kube-bench:latest
   docker push <AWS_ACCT_NUMBER>.dkr.ecr.<AWS_REGION>.amazonaws.com/k8s/kube-bench:latest
   ```
4. Copy the URI of your pushed image; the URI format is like this:
   ```
   <AWS_ACCT_NUMBER>.dkr.ecr.<AWS_REGION>.amazonaws.com/k8s/kube-bench:latest
   ```
5. Replace the `image` value in `job-eks.yaml` with the URI from Step 4
6. Run the kube-bench job on a Pod in your Cluster:
   ```sh
   kubectl apply -f job-eks.yaml
   ```
7. Find the Pod that was created; it should be in the `default` namespace:
   ```sh
   kubectl get pods --all-namespaces
   ```
8. Retrieve the value of this Pod and output the report; note the Pod name will vary:
   ```sh
   kubectl logs kube-bench-<value>
   ```
9. You can save the report for later reference:
   ```sh
   kubectl logs kube-bench-<value> > kube-bench-report.txt
   ```
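To triage a saved report such as `kube-bench-report.txt`, here is an added Python example (not part of kube-bench) that parses the check lines and lists the FAIL/WARN check ids. The sample report is constructed, and the `[STATUS] <id> <description>` line layout is an assumption about kube-bench's plain-text output.

```python
"""Parse a saved kube-bench plain-text report and list checks needing attention."""
import re
from collections import Counter

# Constructed sample of a saved kube-bench report. Assumed layout: one
# "[PASS|FAIL|WARN|INFO] <check id> <description>" line per check, with
# section headers (ids like "4" or "4.1") also printed as [INFO] lines.
SAMPLE_REPORT = """\
[INFO] 4 Worker Node Security Configuration
[INFO] 4.1 Worker Node Configuration Files
[PASS] 4.1.1 Ensure that the kubelet service file permissions are set to 644 or more restrictive (Scored)
[FAIL] 4.1.2 Ensure that the kubelet service file ownership is set to root:root (Scored)
[WARN] 4.1.3 Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive (Scored)
[PASS] 4.2.1 Ensure that the --anonymous-auth argument is set to false (Scored)
[FAIL] 4.2.6 Ensure that the --protect-kernel-defaults argument is set to true (Scored)

== Remediations ==
4.1.2 Run chown root:root on the kubelet service file on each worker node.

== Summary ==
2 checks PASS
2 checks FAIL
1 checks WARN
0 checks INFO
"""

CHECK_RE = re.compile(r"^\[(PASS|FAIL|WARN|INFO)\]\s+(\d+(?:\.\d+)*)\s+(.*)$")


def parse_checks(report):
    """Return (status, check_id, description) for every check or header line."""
    checks = []
    for line in report.splitlines():
        m = CHECK_RE.match(line.strip())
        if m:
            checks.append((m.group(1), m.group(2), m.group(3)))
    return checks


def summarise(report):
    """Count statuses over real checks only (ids with three or more components)."""
    counts = Counter()
    for status, cid, _ in parse_checks(report):
        if cid.count(".") >= 2:
            counts[status] += 1
    return dict(counts)


def failing_checks(report, include_warn=True):
    """Return ids of FAIL (and optionally WARN) checks, sorted numerically."""
    wanted = {"FAIL", "WARN"} if include_warn else {"FAIL"}
    ids = [cid for status, cid, _ in parse_checks(report) if status in wanted]
    return sorted(ids, key=lambda c: tuple(int(p) for p in c.split(".")))
```

WARN results usually mark manual checks that kube-bench cannot decide on its own, so they are worth reviewing alongside the FAIL lines.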
## Running on OpenShift

| OpenShift Hardening Guide | kube-bench config |
|---|---|
| ocp-3.10 | rh-0.7 |
| ocp-3.11 | rh-0.7 |
| ocp-4.* | Not supported |

kube-bench includes a set of test files for Red Hat’s OpenShift hardening guide for OCP 3.10 and 3.11. To run this you will need to specify `--benchmark rh-0.7`, or `--version ocp-3.10` or `--version ocp-3.11`, when you run the `kube-bench` command (either directly or through YAML).
There is work in progress on a CIS Red Hat OpenShift Container Platform Benchmark which we believe should cover OCP 4.* and we intend to add support in kube-bench when it’s published.
## Running in a GKE cluster

| CIS Benchmark | Targets |
|---|---|
| gke-1.0 | master, controlplane, node, etcd, policies, managedservices |

kube-bench includes benchmarks for GKE. To run this you will need to specify `--benchmark gke-1.0` when you run the `kube-bench` command.

To run the benchmark as a job in your GKE cluster, apply the included `job-gke.yaml`:

```sh
kubectl apply -f job-gke.yaml
```