CIS Benchmarking

The CIS Benchmark for Kubernetes, published by the Center for Internet Security (CIS), is a set of secure configuration guidelines and best practices for hardening Kubernetes clusters.

This document describes how to run the benchmark against a Kubernetes cluster created with KubeOne and what to expect from the results.


kube-bench is used to perform the assessment. It runs the benchmark's checks against the node it is started on and reports each check as PASS, FAIL, WARN or INFO, together with a remediation hint for every failed check.


There are multiple ways to run kube-bench. The method below logs in to a control plane node and a worker node and runs the kube-bench binary there directly. It has to run as root because many checks inspect the permissions and ownership of kubelet and control plane files under /etc/kubernetes. Passing --benchmark=cis-1.8 pins the benchmark version and skips kube-bench's Kubernetes version auto-detection, so choose the benchmark version that matches the cluster's Kubernetes version.

# make sure you run these commands as root user.
# KUBE_BENCH_VERSION is the kube-bench release to install and KUBE_BENCH_URL the
# URL of the matching linux_amd64 tarball from the kube-bench releases page;
# both must be set before running the commands.

mkdir -p /root/kube-bench
cd /root/kube-bench
curl -L ${KUBE_BENCH_URL} -o kube-bench_${KUBE_BENCH_VERSION}_linux_amd64.tar.gz
tar xvf kube-bench_${KUBE_BENCH_VERSION}_linux_amd64.tar.gz

Run on a control plane node

# a control plane node also runs a kubelet, so the node checks are included here;
# -D points kube-bench at the cfg/ directory unpacked from the tarball
cd /root/kube-bench
./kube-bench -D ./cfg/ run --targets=controlplane,master,etcd,node --benchmark=cis-1.8

Run on a worker node

cd /root/kube-bench
./kube-bench -D ./cfg/ run --targets=node --benchmark=cis-1.8
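The runs above print a long report, and the interesting part is the list of FAIL results and their remediations. The following script is an added example, not part of the KubeOne documentation or the kube-bench project: it summarises a saved kube-bench text report, lists the numbers of the failed checks and exits non-zero when any check failed, so it can be used as a gate in a job that runs kube-bench periodically. It assumes kube-bench's default text output, in which every check is printed as `[PASS]`, `[FAIL]`, `[WARN]` or `[INFO]` followed by the check number and description. The embedded report is a constructed sample in that format, not output captured from a real cluster.

```shell
#!/bin/sh
# Added example (not KubeOne or kube-bench code): gate on a kube-bench text report.
# Typical use on a node, after the run shown above:
#   ./kube-bench -D ./cfg/ run --targets=node --benchmark=cis-1.8 > node-report.txt
#   kube_bench_gate node-report.txt

# Number of result lines with the given status (PASS, FAIL, WARN or INFO).
kube_bench_count() {
    # grep -c exits 1 when the count is 0 but still prints "0"; keep that count.
    grep -c "^\[$1\]" "$2" || true
}

# Check numbers (e.g. 4.2.1) of every failed check, one per line.
kube_bench_failed_ids() {
    sed -n 's/^\[FAIL\] \([0-9][0-9.]*\) .*/\1/p' "$1"
}

# Print a summary; return 1 when any check failed, 0 otherwise.
kube_bench_gate() {
    report=$1
    passes=$(kube_bench_count PASS "$report")
    fails=$(kube_bench_count FAIL "$report")
    warns=$(kube_bench_count WARN "$report")
    echo "$report: PASS=$passes FAIL=$fails WARN=$warns"
    if [ "$fails" -gt 0 ]; then
        echo "Failed checks (see the remediations section of the report):"
        kube_bench_failed_ids "$report" | sed 's/^/  /'
        return 1
    fi
    return 0
}

# Constructed sample report in kube-bench's text format (not real cluster output),
# so the functions can be exercised offline.
SAMPLE_REPORT=$(mktemp)
cat > "$SAMPLE_REPORT" <<'EOF'
[INFO] 4 Worker Node Security Configuration
[INFO] 4.1 Worker Node Configuration Files
[PASS] 4.1.1 Ensure that the kubelet service file permissions are set to 600 or more restrictive (Automated)
[FAIL] 4.1.2 Ensure that the kubelet service file ownership is set to root:root (Automated)
[WARN] 4.1.3 If proxy kubeconfig file exists ensure permissions are set to 600 or more restrictive (Manual)
[INFO] 4.2 Kubelet
[FAIL] 4.2.1 Ensure that the --anonymous-auth argument is set to false (Automated)

== Remediations node ==
4.1.2 Change the ownership of the kubelet service file to root:root on each worker node.
4.2.1 Set --anonymous-auth=false in the kubelet configuration and restart the kubelet.

== Summary node ==
1 checks PASS
2 checks FAIL
1 checks WARN
3 checks INFO
EOF

# Stand-alone run: summarise the sample and show the gate's exit status.
kube_bench_gate "$SAMPLE_REPORT" || echo "gate exit status: $?"
```

Only `[FAIL]` results drive the exit status; `[WARN]` results are mostly manual checks that kube-bench cannot verify on its own, so they are counted in the summary but still need a human review.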