The Center for Internet Security provides a number of guidelines and benchmark tests for best practices in securing your code. As Michael Cherny recently described, the CIS has published a benchmark for Kubernetes, and now we’re pleased to tell you about our new open source implementation of these tests: kube-bench.
It’s written as a Go application (and distributed as a container, of course), but each individual test is defined in a YAML file, which will make it easier to extend and update the test suite as the benchmark evolves along with Kubernetes itself. It also supports JSON-format output, to make it easier to integrate with automated tools.
Like other CIS Benchmark tests, you run it on each of your nodes to establish how well your deployment meets the best practice recommendations from the CIS community. Not only do you get information about whether each test passes or fails, but you also get advice on how to remediate any issues that have been detected. This might, for example, include recommendations to change or remove an insecure configuration setting on one of the Kubernetes executables, or to make the permissions on a config file more restrictive.
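As an added example (not kube-bench's own code), here is a minimal Go sketch of the mechanism the two paragraphs above describe: checks defined as data, evaluated against what is actually observed on the node, with a pass/fail verdict plus remediation advice for failures, emitted as JSON. kube-bench keeps its checks in YAML files; this example uses Go struct literals in place of YAML so that it needs only the standard library. The check IDs, flag names, remediation text, the sample API server command line and the temporary stand-in config file are all constructed for illustration, and the file-mode threshold is an assumption of the example, not a CIS rule.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io/fs"
	"os"
	"strings"
)

// Check is one benchmark test. kube-bench defines these in YAML; here they are
// Go struct literals so the example needs only the standard library
// (an assumption of this example, not kube-bench's schema).
type Check struct {
	ID          string      `json:"id"`
	Text        string      `json:"text"`
	Flag        string      `json:"flag,omitempty"`     // executable flag to inspect
	Want        string      `json:"want,omitempty"`     // value the flag must have
	File        string      `json:"file,omitempty"`     // config file to inspect
	MaxMode     fs.FileMode `json:"max_mode,omitempty"` // most permissive acceptable mode bits
	Remediation string      `json:"remediation,omitempty"`
}

// Result is the outcome of one check, shaped for JSON output.
type Result struct {
	ID          string `json:"id"`
	Text        string `json:"text"`
	Status      string `json:"status"` // "PASS" or "FAIL"
	Actual      string `json:"actual"` // what was observed on the node
	Remediation string `json:"remediation,omitempty"`
}

// flagValue extracts the value of --flag=value or --flag value from a process
// command line. A flag followed directly by another option counts as unset.
func flagValue(cmdline, flag string) (string, bool) {
	fields := strings.Fields(cmdline)
	for i, f := range fields {
		if strings.HasPrefix(f, flag+"=") {
			return strings.TrimPrefix(f, flag+"="), true
		}
		if f == flag && i+1 < len(fields) && !strings.HasPrefix(fields[i+1], "-") {
			return fields[i+1], true
		}
	}
	return "", false
}

// runCheck evaluates one check against the observed command line of the
// component under test and the node's file system.
func runCheck(c Check, cmdline string) Result {
	r := Result{ID: c.ID, Text: c.Text, Status: "FAIL", Remediation: c.Remediation}
	switch {
	case c.Flag != "":
		v, set := flagValue(cmdline, c.Flag)
		r.Actual = fmt.Sprintf("%s=%q (set=%v)", c.Flag, v, set)
		if set && v == c.Want {
			r.Status = "PASS"
		}
	case c.File != "":
		info, err := os.Stat(c.File)
		if err != nil {
			r.Actual = err.Error() // a missing file is reported, not silently passed
			return r
		}
		mode := info.Mode().Perm()
		r.Actual = fmt.Sprintf("%s mode %04o", c.File, mode)
		// Pass only if no permission bit is set beyond what the check allows.
		if mode&^c.MaxMode == 0 {
			r.Status = "PASS"
		}
	}
	if r.Status == "PASS" {
		r.Remediation = "" // remediation advice is only reported for failures
	}
	return r
}

// runSuite runs every check and returns the results in benchmark order.
func runSuite(checks []Check, cmdline string) []Result {
	out := make([]Result, 0, len(checks))
	for _, c := range checks {
		out = append(out, runCheck(c, cmdline))
	}
	return out
}

func main() {
	// Constructed sample: an API server command line as it might appear in
	// `ps` output on a master node, plus a temporary stand-in config file.
	cmdline := "kube-apiserver --anonymous-auth=false --insecure-port 8080 --profiling"
	cfg, err := os.CreateTemp("", "kube-bench-example-")
	if err != nil {
		panic(err)
	}
	defer os.Remove(cfg.Name())
	cfg.Close()
	os.Chmod(cfg.Name(), 0o644) // deliberately looser than the check allows

	checks := []Check{
		{ID: "1.1.1", Text: "Ensure --anonymous-auth is set to false", Flag: "--anonymous-auth", Want: "false",
			Remediation: "Edit the API server manifest and set --anonymous-auth=false."},
		{ID: "1.1.2", Text: "Ensure --insecure-port is set to 0", Flag: "--insecure-port", Want: "0",
			Remediation: "Edit the API server manifest and set --insecure-port=0."},
		{ID: "1.4.1", Text: "Ensure the config file is readable by its owner only", File: cfg.Name(), MaxMode: 0o600,
			Remediation: "Run: chmod 600 " + cfg.Name()},
	}
	enc := json.NewEncoder(os.Stdout)
	enc.SetIndent("", "  ")
	enc.Encode(runSuite(checks, cmdline))
}
```

The permission test uses `mode &^ MaxMode == 0` rather than an equality comparison, so a file that is stricter than the threshold (say 0400 against a 0600 limit) still passes, which matches the "or more restrictive" wording benchmarks use. Remediation text travels with the check definition, not the engine, which is what lets a YAML-driven tool update advice without a code change.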
[Figure: Example test output from kube-bench]
Following the tests defined in the benchmark document, there are different test suites for master and worker nodes, and for nodes in federated deployments.
The kube-bench tool allows you to immediately see if your setup conforms to best practices in key areas, as per the benchmark document, including:
As it’s an open source project, we welcome your feedback and ideas for improvement. We’re also aiming to collaborate with the CIS community to help make the tests themselves more robust and complete as Kubernetes develops.
Aqua Security is the largest pure-play cloud native security company, providing customers the freedom to innovate and accelerate their digital transformations. The Aqua Platform is the leading Cloud Native Application Protection Platform (CNAPP) and provides prevention, detection, and response automation across the entire application lifecycle to secure the supply chain, secure cloud infrastructure and secure running workloads wherever they are deployed.
Aqua customers are among the world’s largest enterprises in financial services, software, media, manufacturing and retail, with implementations across a broad range of cloud providers and modern technology stacks spanning containers, serverless functions and cloud VMs.