Running kube-bench
kube-bench is a Go application that checks whether Kubernetes is deployed securely by running the checks documented in the CIS Kubernetes Benchmark.
- Master Node Security Configuration
  - API Server
  - Scheduler
  - Controller Manager
  - Configuration Files
  - etcd
  - General Security Primitives
  - PodSecurityPolicies
- Worker Node Security Configuration
  - Kubelet
  - Configuration Files
How to run kube-bench
- We can run kube-bench against the worker nodes by navigating to the kube-bench directory and applying the node job manifest:
cd /data/kube-bench
kubectl apply -f kube-bench-node.yaml
- Check the job status and get the pod name:
kubectl get pods --selector job-name=kube-bench-node
- See the kube-bench node scan results by reading the pod's stdout logs:
kubectl logs <PODNAME>
Note: Here we run only the node checks, because this cluster is managed by GCP and the control plane is not ours to inspect. The master checks can also be run by following the instructions at https://github.com/aquasecurity/kube-bench
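Reading the scan by eye does not scale, so a small gate that parses the node-scan log and stops a pipeline when any check is reported FAIL is useful. The script below is an added example, not code from the original page or from the kube-bench project; the sample log is constructed, modelled on the [PASS]/[FAIL]/[WARN]/[INFO] lines kube-bench prints, and stands in for the output of `kubectl logs <PODNAME>`.

```shell
#!/bin/sh
# Added example: gate on kube-bench node-scan output (not kube-bench's own code).

# Constructed sample of what `kubectl logs <PODNAME>` returns for the node job.
SAMPLE_OUTPUT='[INFO] 4 Worker Node Security Configuration
[INFO] 4.1 Worker Node Configuration Files
[PASS] 4.1.1 Ensure that the kubelet service file permissions are set to 644 or more restrictive (Automated)
[FAIL] 4.1.2 Ensure that the kubelet service file ownership is set to root:root (Automated)
[INFO] 4.2 Kubelet
[PASS] 4.2.1 Ensure that the --anonymous-auth argument is set to false (Automated)
[WARN] 4.2.9 Ensure that the --event-qps argument is set to a level which ensures appropriate event capture (Manual)
[FAIL] 4.2.10 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Manual)'

# count_status STATUS  (reads scan output on stdin; STATUS is PASS, FAIL, WARN or INFO)
# Uses awk rather than grep -c so a count of 0 does not return a non-zero exit code.
count_status() {
    awk -v tag="[$1]" '$1 == tag { n++ } END { print n + 0 }'
}

# failed_ids  (reads stdin; prints the benchmark check number of every FAIL line)
failed_ids() {
    awk '$1 == "[FAIL]" { print $2 }'
}

# gate_on_fail  (reads stdin; exit 0 when no check is FAIL, else 1 so a CI job stops)
gate_on_fail() {
    fails=$(count_status FAIL)   # command substitution inherits the function's stdin
    [ "$fails" -eq 0 ]
}

# Real use:   kubectl logs "$POD" | gate_on_fail
# Sample run on the constructed log:
printf '%s\n' "$SAMPLE_OUTPUT" | failed_ids
printf '%s\n' "$SAMPLE_OUTPUT" | gate_on_fail || echo "node scan has failing checks"
```

WARN results are mostly manual checks; they are counted but do not trip the gate, so review them separately rather than treating the gate as a full pass.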