
Kube-Bench: An Open Source Tool for Running Kubernetes CIS Benchmark Tests

The Center for Internet Security (CIS) publishes guidelines and benchmark tests for hardening the configuration of systems and software. As Michael Cherny recently described, the CIS has now published a benchmark for Kubernetes, and we're pleased to tell you about our new open source implementation of its tests: kube-bench.

It’s written as a Go application (and distributed as a container, of course), but each individual test is defined in a YAML file, which will make it easier to extend and update the test suite as the benchmark evolves along with Kubernetes itself. It also supports JSON-format output, to make it easier to integrate with automated tools.

Like other CIS Benchmark tests, you run it on each of your nodes to establish how well your deployment meets the best practice recommendations from the CIS community. Not only do you get information about whether each test passes or fails, but you also get advice on how to remediate any issues that have been detected. This might, for example, include recommendations to change or remove an insecure configuration setting on one of the Kubernetes executables, or to make the permissions on a config file more restrictive.


Image: example test output from kube-bench running the Kubernetes CIS Benchmark checks

Following the tests defined in the benchmark document, there are different test suites for master and worker nodes, and for nodes in federated deployments.

The kube-bench tool allows you to immediately see if your setup conforms to best practices in key areas, as per the benchmark document, including:

  • Proper user authentication and authorization
  • Securing data in transit
  • Securing data at rest
  • Using least privilege

As it’s an open source project, we welcome your feedback and ideas for improvement. We’re also aiming to collaborate with the CIS community to help make the tests themselves more robust and complete as Kubernetes develops.



Liz Rice

Liz Rice is the VP of Open Source Engineering at cloud native security specialists Aqua Security, where she works on container-related open source projects including kube-bench and kube-hunter. She chairs the CNCF’s Technical Oversight Committee, and in 2018 was Co-Chair of the CNCF’s KubeCon + CloudNativeCon events in Copenhagen, Shanghai and Seattle. She has a wealth of software development, team, and product management experience from working on network protocols and distributed systems, and in digital technology sectors such as VOD, music, and VoIP. When not writing code, or talking about it, Liz loves riding bikes in places with better weather than her native London, and competing in virtual races on Zwift.

Kubernetes Security, Compliance