
Kube Bench


kube-bench is a Go application that checks whether Kubernetes is deployed securely by running the checks documented in the CIS Kubernetes Benchmark.

https://github.com/aquasecurity/kube-bench

Installation

You can choose to:

  • Run kube-bench from inside a container (sharing the PID namespace with the host).
  • Run a container that installs kube-bench on the host, and then run kube-bench directly on the host.
  • Install the latest binaries from the Releases page; note that you also need to download the config and test files from the cfg directory. See Download and Install binaries for details.
  • Compile it from source. See Installing from sources for details.

Running inside a container

docker run --pid=host -v /etc:/etc:ro -v /var:/var:ro -t aquasec/kube-bench:latest --version 1.13

--pid=host lets kube-bench inspect the host's kubelet and control-plane processes (many checks read their command-line flags), and /etc and /var are mounted read-only so it can read configuration files without being able to modify them. Note: the tests require either the kubelet or kubectl binary in the path in order to auto-detect the Kubernetes version; you can pass -v $(which kubectl):/usr/local/mount-from-host/bin/kubectl to resolve this. You will also need to pass in kubeconfig credentials by mounting your kubeconfig into the container. For example:

docker run --pid=host -v /etc:/etc:ro -v /var:/var:ro -v $(which kubectl):/usr/local/mount-from-host/bin/kubectl -v ~/.kube:/.kube -e KUBECONFIG=/.kube/config -t aquasec/kube-bench:latest 

Running in a Kubernetes cluster

The supplied job.yaml file can be applied to run the tests as a job. For example:

$ kubectl apply -f job.yaml

$ kubectl get pods

# The results are held in the pod's logs
$ kubectl logs kube-bench-j76s9

Running in an AKS cluster

  1. Create an AKS cluster (e.g. 1.13.7) with RBAC enabled; without RBAC, four of the checks fail.
  2. Use the kubectl-enter plugin to shell into a node (kubectl-enter {node-name}), or ssh to an agent node. For ssh you can open port 22 in the NSG and assign a public IP to one agent node (for testing purposes only).
  3. Run the CIS benchmark to view the results:
docker run --rm -v `pwd`:/host aquasec/kube-bench:latest install
./kube-bench

kube-bench cannot be run on AKS master nodes: the AKS control plane is managed by Azure and is not accessible to customers, so the master checks cannot be performed there.

Running in an EKS cluster

There is a job-eks.yaml file for running the kube-bench node checks on an EKS cluster. The significant difference on EKS is that it's not possible to schedule jobs onto the master node, so master checks can't be performed.

  1. To create an EKS cluster, refer to Getting Started with Amazon EKS in the Amazon EKS User Guide.
  • Information on configuring eksctl, kubectl and the AWS CLI is included there.
  2. Create an Amazon Elastic Container Registry (ECR) repository to host the kube-bench container image (the tag is made mutable here so that :latest can be re-pushed; for a production pipeline prefer IMMUTABLE and reference the image by digest):
aws ecr create-repository --repository-name k8s/kube-bench --image-tag-mutability MUTABLE
  3. Download, build and push the kube-bench container image to your ECR repo:
git clone https://github.com/aquasecurity/kube-bench.git
cd kube-bench
aws ecr get-login-password --region <AWS_REGION> | docker login --username AWS --password-stdin <AWS_ACCT_NUMBER>.dkr.ecr.<AWS_REGION>.amazonaws.com
docker build -t k8s/kube-bench .
docker tag k8s/kube-bench:latest <AWS_ACCT_NUMBER>.dkr.ecr.<AWS_REGION>.amazonaws.com/k8s/kube-bench:latest
docker push <AWS_ACCT_NUMBER>.dkr.ecr.<AWS_REGION>.amazonaws.com/k8s/kube-bench:latest
  4. Copy the URI of your pushed image; the URI format is <AWS_ACCT_NUMBER>.dkr.ecr.<AWS_REGION>.amazonaws.com/k8s/kube-bench:latest
  5. Replace the image value in job-eks.yaml with the URI from step 4.
  6. Run the kube-bench job on a Pod in your cluster: kubectl apply -f job-eks.yaml
  7. Find the Pod that was created; it should be in the default namespace: kubectl get pods --all-namespaces
  8. Retrieve the logs of this Pod to output the report (the Pod name will vary): kubectl logs kube-bench-<value>
  • You can save the report for later reference: kubectl logs kube-bench-<value> > kube-bench-report.txt
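The saved report is plain text, so it can be used to gate a pipeline, whether it came from the generic job.yaml or from job-eks.yaml. The script below is an added example and is not part of kube-bench or of this page. It parses kube-bench's plain-text output (one "[PASS]/[FAIL]/[WARN]/[INFO] <check id> <title>" line per check, followed by the "== Remediations ==" and "== Summary ==" blocks), prints every failing check id, compares it against an allowlist of failures you have consciously accepted, and exits non-zero on any unexpected failure. It can also pull the report from the cluster first; that path assumes the Job is named kube-bench, as the pod names shown on this page suggest. The embedded sample report is constructed for illustration, not real scan output.

```shell
#!/bin/sh
# kube-bench-gate.sh: fail a CI pipeline on unexpected kube-bench findings.
# Added example, not part of kube-bench. It parses kube-bench's plain-text
# report: one "[PASS]|[FAIL]|[WARN]|[INFO] <check id> <title>" line per check,
# then "== Remediations ==" and "== Summary ==" blocks.

# count_status REPORT STATUS -> number of check lines with that status
count_status() {
  grep -c "^\[$2\] " "$1" || true
}

# failed_ids REPORT -> id of every [FAIL] check, one per line
failed_ids() {
  sed -n 's/^\[FAIL\] \([0-9][0-9.]*\) .*/\1/p' "$1"
}

# fetch_report FILE: wait for the job to finish and save its logs to FILE.
# Assumes the Job is named kube-bench (assumption taken from the pod names
# on the page, e.g. kube-bench-j76s9).
fetch_report() {
  kubectl wait --for=condition=complete --timeout=300s job/kube-bench
  kubectl logs job/kube-bench > "$1"
}

# gate REPORT [ALLOWLIST] -> status 0 when every [FAIL] id is listed in
# ALLOWLIST (one check id per line, '#' comments allowed), 1 otherwise.
# [WARN] lines are manual checks: they are counted but do not fail the gate.
gate() {
  report=$1
  allow=${2:-/dev/null}
  unexpected=0
  for id in $(failed_ids "$report"); do
    if sed 's/#.*//; s/[[:space:]]*$//' "$allow" | grep -qxF "$id"; then
      echo "accepted   $id"
    else
      echo "UNEXPECTED $id"
      unexpected=$((unexpected + 1))
    fi
  done
  echo "summary: $(count_status "$report" PASS) pass," \
       "$(count_status "$report" FAIL) fail," \
       "$(count_status "$report" WARN) warn," \
       "$unexpected unexpected failure(s)"
  [ "$unexpected" -eq 0 ]
}

# Constructed sample report (not real scan output) so the script can be tried
# offline:  sample_report > report.txt; sh kube-bench-gate.sh report.txt
sample_report() {
  cat <<'EOF'
[INFO] 1 Master Node Security Configuration
[INFO] 1.1 API Server
[PASS] 1.1.1 Ensure that the --anonymous-auth argument is set to false (Scored)
[FAIL] 1.1.2 Ensure that the --basic-auth-file argument is not set (Scored)
[WARN] 1.1.3 Ensure that the --insecure-allow-any-token argument is not set (Scored)
[PASS] 1.1.4 Ensure that the --kubelet-https argument is set to true (Scored)
[FAIL] 1.1.5 Ensure that the --insecure-bind-address argument is not set (Scored)

== Remediations ==
1.1.2 Follow the documentation and configure alternate mechanisms for authentication.
1.1.5 Edit the API server pod specification file on the master node and remove the --insecure-bind-address parameter.

== Summary ==
2 checks PASS
2 checks FAIL
1 checks WARN
2 checks INFO
EOF
}

# Usage: sh kube-bench-gate.sh [--fetch] REPORT [ALLOWLIST]
if [ "$#" -ge 1 ]; then
  if [ "$1" = "--fetch" ]; then shift; fetch_report "$1"; fi
  gate "$@"
  exit $?
fi
```

Keep the allowlist in version control next to the pipeline definition, with a comment per accepted id saying why it is accepted and until when; that turns every new [FAIL] into a visible change rather than a silently growing baseline. [WARN] results are checks kube-bench cannot decide automatically, so review them by hand rather than treating them as passes.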

Running on OpenShift

OpenShift Hardening Guide   kube-bench config
ocp-3.10                    rh-0.7
ocp-3.11                    rh-0.7
ocp-4.*                     Not supported

kube-bench includes a set of test files for Red Hat's OpenShift hardening guide for OCP 3.10 and 3.11. To run these you will need to specify --benchmark rh-0.7, or --version ocp-3.10 or --version ocp-3.11, when you run the kube-bench command (either directly or through YAML).

There is work in progress on a CIS Red Hat OpenShift Container Platform Benchmark which we believe should cover OCP 4.* and we intend to add support in kube-bench when it’s published.

Running in a GKE cluster

CIS Benchmark   Targets
gke-1.0         master, controlplane, node, etcd, policies, managedservices

kube-bench includes benchmarks for GKE. To run this you will need to specify --benchmark gke-1.0 when you run the kube-bench command.

To run the benchmark as a job in your GKE cluster apply the included job-gke.yaml.

kubectl apply -f job-gke.yaml