The CIS Benchmark for Kubernetes is a guide consisting of secure configuration guidelines and best practices developed for Kubernetes.
This document describes how the benchmark can be run against a Kubernetes cluster created with KubeOne and what to expect from the results.
kube-bench is used to carry out the assessment.
Installation
There are multiple ways to run kube-bench. The method below runs it by logging in to a master (control plane) node and to a worker node and executing the binary there.
# make sure you run those commands as root user:
KUBE_BENCH_VERSION="0.7.2"
KUBE_BENCH_URL="https://github.com/aquasecurity/kube-bench/releases/download/v${KUBE_BENCH_VERSION}/kube-bench_${KUBE_BENCH_VERSION}_linux_amd64.tar.gz"
mkdir /root/kube-bench
cd /root/kube-bench
curl -L ${KUBE_BENCH_URL} -o kube-bench_${KUBE_BENCH_VERSION}_linux_amd64.tar.gz
tar xvf kube-bench_${KUBE_BENCH_VERSION}_linux_amd64.tar.gz
Run on controlplane node
cd /root/kube-bench
./kube-bench -D ./cfg/ run --targets=controlplane,master,etcd,node --benchmark=cis-1.8
Run on a worker node
cd /root/kube-bench
./kube-bench -D ./cfg/ run --targets=node --benchmark=cis-1.8
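To turn the output of the two runs above into something a team can act on, here is an added example (not part of the KubeOne documentation or of kube-bench itself) that summarises a saved kube-bench text report and returns a non-zero status when any check has status FAIL. The report content is constructed in the plain-text format kube-bench prints; the check numbers and descriptions are illustrative, not results from a real cluster.

```shell
#!/bin/sh
# Added example: summarise a saved kube-bench text report and gate on FAIL results.
# SAMPLE_REPORT is constructed in the format kube-bench prints; the check
# numbers and descriptions are illustrative, not results from a real cluster.
SAMPLE_REPORT='[INFO] 1 Control Plane Security Configuration
[INFO] 1.1 Control Plane Node Configuration Files
[PASS] 1.1.1 Ensure that the API server pod specification file permissions are set to 600 or more restrictive (Automated)
[WARN] 1.1.9 Ensure that the Container Network Interface file permissions are set to 600 or more restrictive (Manual)
[FAIL] 1.1.12 Ensure that the etcd data directory ownership is set to etcd:etcd (Automated)
[INFO] 1.2 API Server
[PASS] 1.2.1 Ensure that the --anonymous-auth argument is set to false (Manual)
[FAIL] 1.2.6 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)

== Remediations master ==
1.1.12 On the etcd server node, change the ownership of the etcd data directory to etcd:etcd
1.2.6 Edit the API server pod specification file and set --authorization-mode to a value other than AlwaysAllow

== Summary master ==
2 checks PASS
2 checks FAIL
1 checks WARN
0 checks INFO'

# count_status REPORT STATUS: number of per-check result lines ("[PASS] 1.2.3 ...")
# carrying the given status; section headers such as "[INFO] 1.1 ..." are not counted.
count_status() {
  printf '%s\n' "$1" | awk -v tag="[$2]" \
    '$1 == tag && $2 ~ /^[0-9]+\.[0-9]+\.[0-9]+$/ { n++ } END { print n + 0 }'
}

# failed_ids REPORT: space-separated check numbers whose status is FAIL
failed_ids() {
  printf '%s\n' "$1" | awk '$1 == "[FAIL]" { printf "%s%s", sep, $2; sep = " " }'
}

# gate REPORT: print a one-line summary and return 0 only when nothing failed,
# so the same function can gate a CI job or a scheduled compliance run.
gate() {
  fails=$(count_status "$1" FAIL)
  warns=$(count_status "$1" WARN)
  echo "FAIL=$fails WARN=$warns failed checks: $(failed_ids "$1")"
  [ "$fails" -eq 0 ]
}

# Typical use after the commands above, on the node where kube-bench ran:
#   ./kube-bench -D ./cfg/ run --targets=node --benchmark=cis-1.8 > node-report.txt
#   gate "$(cat node-report.txt)"
gate "$SAMPLE_REPORT" || echo "benchmark has failing checks; see the Remediations section of the report"
```

WARN results are usually manual checks and are reported but do not fail the gate; tighten the final test in gate if your policy treats them as failures too.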