Kube-Bench: Kubernetes CIS Benchmarking Tool

Required knowledge for the CKS certification.

Kube-Bench is an open-source tool developed by Aqua Security to assess Kubernetes clusters against the CIS (Center for Internet Security) Kubernetes Benchmark. This tool helps identify security gaps and provides remediation advice to improve your cluster's security posture.

What Are CIS Benchmarks?

CIS Benchmarks are security best practices developed by cybersecurity experts to secure IT systems. The Kubernetes CIS Benchmark provides guidelines and checks to ensure Kubernetes components are configured securely.

Installing Kube-Bench

1. Install Kube-Bench on a Kubernetes Node

curl -L https://github.com/aquasecurity/kube-bench/releases/download/v0.6.12/kube-bench_0.6.12_linux_amd64.tar.gz -o kube-bench.tar.gz
tar -xvf kube-bench.tar.gz
chmod +x kube-bench
sudo mv kube-bench /usr/local/bin/

2. Run Kube-Bench Against the Cluster

sudo kube-bench

Example Output

[INFO] 1.1 - Master Node Configuration
[PASS] 1.1.1 - Ensure that the API server pod specification file permissions are set to 644 or more restrictive
[FAIL] 1.1.2 - Ensure that the API server pod specification file ownership is set to root:root

Analyzing Kube-Bench Results

1. View Detailed Results in JSON Format

sudo kube-bench -o json > kube-bench-results.json

2. Filter Failed Checks

cat kube-bench-results.json | jq '.[] | select(.status == "FAIL")'

Remediation Techniques Based on Kube-Bench Findings

1. Correct File Permissions

Issue: The API server pod specification file permissions are too permissive.
Fix: Set the correct permissions:

sudo chmod 644 /etc/kubernetes/manifests/kube-apiserver.yaml

2. Enforce File Ownership

Issue: The API server pod specification file ownership is incorrect.
Fix: Ensure root ownership:

sudo chown root:root /etc/kubernetes/manifests/kube-apiserver.yaml

3. Configure Secure API Server Flags

Issue: The API server is not securely configured.
Fix: Set secure flags in kube-apiserver.yaml:

spec:
  containers:
    - name: kube-apiserver
      command:
        - kube-apiserver
        - --anonymous-auth=false
        - --kubelet-https=true
        - --kubelet-certificate-authority=/var/lib/kubelet/pki/ca.crt

Key Takeaway

Using Kube-Bench to regularly assess your Kubernetes cluster against the CIS Benchmarks can identify vulnerabilities and guide remediation efforts. Integrate Kube-Bench into your CI/CD pipelines and monitoring workflows to maintain a strong security posture.

What Are CIS Benchmarks?​

Installing Kube-Bench​

1. Install Kube-Bench on a Kubernetes Node​

2. Run Kube-Bench Against the Cluster​

Example Output​

Analyzing Kube-Bench Results​

1. View Detailed Results in JSON Format​

2. Filter Failed Checks​

Remediation Techniques Based on Kube-Bench Findings​

1. Correct File Permissions​

2. Enforce File Ownership​

3. Configure Secure API Server Flags​

Key Takeaway​