CIS Benchmarking

The CIS Benchmark for Kubernetes is a consensus-developed guide of secure configuration guidelines and best practices for Kubernetes clusters.

This document describes how to run the benchmark against a Kubernetes cluster created with KubeOne and what to expect from the results.

Tooling

kube-bench is used to create the assessment.

Installation

There are multiple ways to run kube-bench. The method below logs in to a control plane node and to a worker node and runs the binary directly on each.

# run these commands as root: kube-bench inspects process arguments and
# file ownership/permissions of the control plane and kubelet components
KUBE_BENCH_VERSION="0.7.3"
KUBE_BENCH_URL="https://github.com/aquasecurity/kube-bench/releases/download/v${KUBE_BENCH_VERSION}/kube-bench_${KUBE_BENCH_VERSION}_linux_amd64.tar.gz"

mkdir -p /root/kube-bench
cd /root/kube-bench
# -f makes curl fail on an HTTP error instead of saving an error page as the tarball
curl -fL ${KUBE_BENCH_URL} -o kube-bench_${KUBE_BENCH_VERSION}_linux_amd64.tar.gz
tar xvf kube-bench_${KUBE_BENCH_VERSION}_linux_amd64.tar.gz

Run on a control plane node

cd /root/kube-bench
# targets map to benchmark sections: master = control plane components (API server,
# controller manager, scheduler), etcd = etcd, controlplane = control plane
# configuration (authentication, audit logging), node = kubelet and kube-proxy
./kube-bench -D ./cfg/ run --targets=controlplane,master,etcd,node --benchmark=cis-1.8

Run on a worker node

cd /root/kube-bench
./kube-bench -D ./cfg/ run --targets=node --benchmark=cis-1.8
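The following script is an added example that wraps the manual install-and-run procedure above into one step; it is not KubeOne or kube-bench project code. Beyond what the page shows, it verifies the downloaded tarball against the release checksum file, selects the --targets list from the node role, writes the report as JSON and counts FAIL results so the run can be used as a pass/fail gate. It assumes (not stated on this page) that the release publishes a kube-bench_<version>_checksums.txt file in the goreleaser "sha256  filename" format, that kube-bench accepts --json together with --outputfile, and that each check in the JSON report carries a "status" of PASS, FAIL, WARN or INFO; the script name cis-audit.sh is hypothetical.

```shell
#!/bin/sh
# Added example (not KubeOne/kube-bench code): install a pinned kube-bench release,
# verify its checksum, run the CIS 1.8 benchmark for the given node role and
# fail if any check reports FAIL.
# Assumptions: checksum file name kube-bench_<ver>_checksums.txt (goreleaser
# naming); kube-bench supports --json and --outputfile; JSON results carry
# "status":"PASS|FAIL|WARN|INFO".
set -eu

KUBE_BENCH_VERSION="${KUBE_BENCH_VERSION:-0.7.3}"
KUBE_BENCH_DIR="${KUBE_BENCH_DIR:-/root/kube-bench}"
BENCHMARK="${BENCHMARK:-cis-1.8}"
BASE_URL="https://github.com/aquasecurity/kube-bench/releases/download/v${KUBE_BENCH_VERSION}"
TARBALL="kube-bench_${KUBE_BENCH_VERSION}_linux_amd64.tar.gz"

# Map the node role to the --targets list used on the page: a control plane
# node runs the master/etcd/controlplane sections plus the kubelet (node)
# checks, a worker runs only the node checks.
targets_for_role() {
  case "$1" in
    controlplane) echo "controlplane,master,etcd,node" ;;
    worker)       echo "node" ;;
    *) echo "unknown role: $1 (expected controlplane|worker)" >&2; return 1 ;;
  esac
}

install_kube_bench() {
  mkdir -p "$KUBE_BENCH_DIR"
  cd "$KUBE_BENCH_DIR"
  # -f: fail on HTTP errors instead of saving an error page as the tarball
  curl -fsSL "${BASE_URL}/${TARBALL}" -o "$TARBALL"
  curl -fsSL "${BASE_URL}/kube-bench_${KUBE_BENCH_VERSION}_checksums.txt" -o checksums.txt
  # Check only the line for our tarball; sha256sum -c exits non-zero on mismatch,
  # which aborts the script before anything is unpacked or executed.
  grep " ${TARBALL}\$" checksums.txt | sha256sum -c -
  tar xzf "$TARBALL"
}

# Count results with a given status in a kube-bench JSON report.
# Tolerates both the compact JSON kube-bench writes and re-indented copies.
count_status() {  # $1 = PASS|FAIL|WARN|INFO, $2 = report file
  grep -oE "\"status\": *\"$1\"" "$2" | wc -l | tr -d ' '
}

run_benchmark() {  # $1 = controlplane|worker, $2 = JSON report path
  targets="$(targets_for_role "$1")"
  (cd "$KUBE_BENCH_DIR" && ./kube-bench -D ./cfg/ run \
      --targets="$targets" --benchmark="$BENCHMARK" --json --outputfile "$2")
  fails="$(count_status FAIL "$2")"
  echo "$1: $(count_status PASS "$2") pass, $fails fail, $(count_status WARN "$2") warn"
  # Non-zero exit when any check failed, so CI or a cron job can alert on it.
  [ "$fails" -eq 0 ]
}

# Stand-alone use as root on the node:  ./cis-audit.sh controlplane
if [ "${1:-}" = "controlplane" ] || [ "${1:-}" = "worker" ]; then
  install_kube_bench
  run_benchmark "$1" "${KUBE_BENCH_DIR}/report-$1.json"
fi
```

WARN results are counted but do not fail the run: in kube-bench they mark checks that need manual review (for example policy settings it cannot inspect), so they should be triaged rather than treated as findings.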