Kube-bench Security Tool
What is Kube-bench?
Kube-bench is a security tool that runs under an Apache 2.0 license, used to verify whether a Kubernetes deployment is secure by running CIS Kubernetes Benchmark checks based on the Center for Internet Security documentation.
CIS provides more than one hundred benchmarks across multiple vendor product families. The CIS benchmarks have evolved through a distinctive consensus-based process including cybersecurity professionals and subject-matter experts from around the world. CIS benchmarks are unique in that they are consensus-based, best-practice security planning guides developed and accepted by governments, businesses, industries, and academia.
Using easy to update YAML files, it tests multiple component areas of the cluster, advising users of best practice security configurations.
Installing Kube-bench
Users have four methods to install kube-bench.
- Users can run kube-bench from within a container as long as it shares a PID namespace with the host.
- Kube-bench can also be run using a container to install and run it on the host.
- Additionally, it can be installed using the latest binaries from the releases page. However, users will need to download the config and test files from the cfg directory.
- Compile it from the source code
Download and Install Binaries
Users can manually install and run kube-bench using release binaries. To accomplish this, you must have full access to your Kubernetes cluster nodes. To, note your platform release, then SSH into one of the nodes and run the command related to your specific release. This will install the kube-bench binary for your platform.
Ubuntu/Debian
x
curl -L https://github.com/aquasecurity/kube-bench/releases/download/v0.6.2/kube-bench_0.6.2_linux_amd64.deb -o kube-bench_0.6.2_linux_amd64.debsudo apt install ./kube-bench_0.6.2_linux_amd64.deb -fRHEL
curl -L https://github.com/aquasecurity/kube-bench/releases/download/v0.6.2/kube-bench_0.6.2_linux_amd64.rpm -o kube-bench_0.6.2_linux_amd64.rpmsudo yum install kube-bench_0.6.2_linux_amd64.rpm -ySource
Alternatively, users can download and extract the kube-bench binary.
curl -L https://github.com/aquasecurity/kube-bench/releases/download/v0.6.2/kube-bench_0.6.2_linux_amd64.tar.gz -o kube-bench_0.6.2_linux_amd64.tar.gztar -xvf kube-bench_0.6.2_linux_amd64.tar.gzThen, run the kube-bench command.
kube-benchIf the kube-bench binary is manually downloaded, users must specify the location of the configuration file and directory and file.
./kube-bench --config-dir `pwd`/cfg --config `pwd`/cfg/config.yamlClone Repository
Users that have Go installed can clone the repo and use the following installation commands. (again, this is assuming your GOPATH is set).
# Create a target directory for the clone, inside the $GOPATHmkdir -p $GOPATH/src/github.com/aquasecurity/kube-bench# Clone this repository, using SSHgit clone git@github.com:aquasecurity/kube-bench.git $GOPATH/src/github.com/aquasecurity/kube-bench# Install the pre-requisitesgo get github.com/aquasecurity/kube-bench# Change to the kube-bench directorycd $GOPATH/src/github.com/aquasecurity/kube-bench# Build the kube-bench binarygo build -o kube-bench .# See all supported options./kube-bench --help# Run all checks./kube-benchContainer Installation
The following command reproduces the kube-bench binary along with the configuration files within the host from a Docker container.
These binaries are compiled specifically for linux-x86-64 systems only. They will not run on a Windows or macOS systems.
docker run --rm -v `pwd`:/host aquasec/kube-bench:latest installFinally, run ./kube-bench to begin testing.
Example Kube-bench Test on a Sample PES/PMK Cluster
To run the tests, users can create a one-node PMK cluster with master and worker enabled on the same node. SSH onto the node and execute the following commands.
git clone https://github.com/platform9/kube-bench.gitcd kube-benchgit checkout private/platform9-1.20.5docker run -t --rm --network=host --pid=host \ -v /etc:/etc:ro \ -v /var:/var:ro \ -v /run:/run:ro \ -v /bin/kubectl:/usr/local/mount-from-host/bin/kubectl \ -v /etc/pf9/kube.d/kubeconfigs/admin.yaml:/.kube/admin.yaml \ -e KUBECONFIG=/.kube/admin.yaml \ kube-bench:latest run --version=pmk-1.0 --nosummary --noremediationsOutput of Test Kube-bench Report
This test ran against Kubernetes version 1.20.5. The PMK custom configuration is based on cis-1.20 benchmark.
[INFO] 1 Master Node Security Configuration[INFO] 1.1 Master Node Configuration Files[PASS] 1.1.1 Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Automated)[PASS] 1.1.2 Ensure that the API server pod specification file ownership is set to root:root (Automated)[PASS] 1.1.3 Ensure that the controller manager pod specification file permissions are set to 644 or more restrictive (Automated)[PASS] 1.1.4 Ensure that the controller manager pod specification file ownership is set to root:root (Automated)[PASS] 1.1.5 Ensure that the scheduler pod specification file permissions are set to 644 or more restrictive (Automated)[PASS] 1.1.6 Ensure that the scheduler pod specification file ownership is set to root:root (Automated)[FAIL] 1.1.7 Ensure that the etcd pod specification file permissions are set to 644 or more restrictive (Automated)[FAIL] 1.1.8 Ensure that the etcd pod specification file ownership is set to root:root (Automated)[PASS] 1.1.9 Ensure that the Container Network Interface file permissions are set to 644 or more restrictive (Manual)[PASS] 1.1.10 Ensure that the Container Network Interface file ownership is set to root:root (Manual)[FAIL] 1.1.11 Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)[PASS] 1.1.12 Ensure that the etcd data directory ownership is set to root:root (Automated)[PASS] 1.1.13 Ensure that the admin.yaml file permissions are set to 644 or more restrictive (Automated)[PASS] 1.1.14 Ensure that the admin.yaml file ownership is set to root:root (Automated)[PASS] 1.1.15 Ensure that the scheduler.conf file permissions are set to 644 or more restrictive (Automated)[PASS] 1.1.16 Ensure that the scheduler.conf file ownership is set to root:root (Automated)[PASS] 1.1.17 Ensure that the controller-manager.conf file permissions are set to 644 or more restrictive (Automated)[PASS] 1.1.18 Ensure that the controller-manager.conf file ownership is set to root:root (Automated)[PASS] 1.1.19 Ensure that the Kubernetes PKI directory and file ownership is set to pf9:pf9group (Automated)[PASS] 1.1.20 Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive (Manual)[WARN] 1.1.21 Ensure that the Kubernetes PKI key file permissions are set to 600 (Manual)[INFO] 1.2 API Server[PASS] 1.2.1 Ensure that the --anonymous-auth argument is set to false (Manual)[PASS] 1.2.2 Ensure that the --token-auth-file parameter is not set (Automated)[PASS] 1.2.3 Ensure that the --kubelet-https argument is set to true (Automated)[PASS] 1.2.4 Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (Automated)[FAIL] 1.2.5 Ensure that the --kubelet-certificate-authority argument is set as appropriate (Automated)[PASS] 1.2.6 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)[PASS] 1.2.7 Ensure that the --authorization-mode argument includes Node (Automated)[PASS] 1.2.8 Ensure that the --authorization-mode argument includes RBAC (Automated)[WARN] 1.2.9 Ensure that the admission control plugin EventRateLimit is set (Manual)[PASS] 1.2.10 Ensure that the admission control plugin AlwaysAdmit is not set (Automated)[WARN] 1.2.11 Ensure that the admission control plugin AlwaysPullImages is set (Manual)[WARN] 1.2.12 Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used (Manual)[PASS] 1.2.13 Ensure that the admission control plugin ServiceAccount is set (Automated)[PASS] 1.2.14 Ensure that the admission control plugin NamespaceLifecycle is set (Automated)[FAIL] 1.2.15 Ensure that the admission control plugin PodSecurityPolicy is set (Automated)[PASS] 1.2.16 Ensure that the admission control plugin NodeRestriction is set (Automated)[PASS] 1.2.17 Ensure that the --insecure-bind-address argument is not set (Automated)[PASS] 1.2.18 Ensure that the --insecure-port argument is set to 0 (Automated)[PASS] 1.2.19 Ensure that the --secure-port argument is not set to 0 (Automated)[PASS] 1.2.20 Ensure that the --profiling argument is set to false (Automated)[FAIL] 1.2.21 Ensure that the --audit-log-path argument is set (Automated)[FAIL] 1.2.22 Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Automated)[FAIL] 1.2.23 Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Automated)[FAIL] 1.2.24 Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Automated)[WARN] 1.2.25 Ensure that the --request-timeout argument is set as appropriate (Automated)[PASS] 1.2.26 Ensure that the --service-account-lookup argument is set to true (Automated)[PASS] 1.2.27 Ensure that the --service-account-key-file argument is set as appropriate (Automated)[PASS] 1.2.28 Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Automated)[PASS] 1.2.29 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Automated)[PASS] 1.2.30 Ensure that the --client-ca-file argument is set as appropriate (Automated)[PASS] 1.2.31 Ensure that the --etcd-cafile argument is set as appropriate (Automated)[WARN] 1.2.32 Ensure that the --encryption-provider-config argument is set as appropriate (Manual)[WARN] 1.2.33 Ensure that encryption providers are appropriately configured (Manual)[PASS] 1.2.34 Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Manual)[INFO] 1.3 Controller Manager[WARN] 1.3.1 Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Manual)[PASS] 1.3.2 Ensure that the --profiling argument is set to false (Automated)[PASS] 1.3.3 Ensure that the --use-service-account-credentials argument is set to true (Automated)[PASS] 1.3.4 Ensure that the --service-account-private-key-file argument is set as appropriate (Automated)[PASS] 1.3.5 Ensure that the --root-ca-file argument is set as appropriate (Automated)[PASS] 1.3.6 Ensure that the RotateKubeletServerCertificate argument is set to true (Automated)[PASS] 1.3.7 Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)[INFO] 1.4 Scheduler[PASS] 1.4.1 Ensure that the --profiling argument is set to false (Automated)[PASS] 1.4.2 Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)[INFO] 2 Etcd Node Configuration[INFO] 2 Etcd Node Configuration Files[PASS] 2.1 Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated)[PASS] 2.2 Ensure that the --client-cert-auth argument is set to true (Automated)[PASS] 2.3 Ensure that the --auto-tls argument is not set to true (Automated)[PASS] 2.4 Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Automated)[PASS] 2.5 Ensure that the --peer-client-cert-auth argument is set to true (Automated)[PASS] 2.6 Ensure that the --peer-auto-tls argument is not set to true (Automated)[PASS] 2.7 Ensure that a unique Certificate Authority is used for etcd (Manual)[INFO] 3 Control Plane Configuration[INFO] 3.1 Authentication and Authorization[WARN] 3.1.1 Client certificate authentication should not be used for users (Manual)[INFO] 3.2 Logging[WARN] 3.2.1 Ensure that a minimal audit policy is created (Manual)[WARN] 3.2.2 Ensure that the audit policy covers key security concerns (Manual)[INFO] 4 Worker Node Security Configuration[INFO] 4.1 Worker Node Configuration Files[PASS] 4.1.1 Ensure that the kubelet service file permissions are set to 644 or more restrictive (Automated)[PASS] 4.1.2 Ensure that the kubelet service file ownership is set to root:root (Automated)[PASS] 4.1.3 If proxy kubeconfig file exists ensure permissions are set to 644 or more restrictive (Manual)[PASS] 4.1.4 If proxy kubeconfig file exists ensure ownership is set to root:root (Manual)[PASS] 4.1.5 Ensure that the --kubeconfig kubelet.conf file permissions are set to 644 or more restrictive (Automated)[PASS] 4.1.6 Ensure that the --kubeconfig kubelet.conf file ownership is set to root:root (Manual)[PASS] 4.1.7 Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Manual)[WARN] 4.1.8 Ensure that the client certificate authorities file ownership is set to root:root (Manual)[PASS] 4.1.9 Ensure that the kubelet --config configuration file has permissions set to 644 or more restrictive (Automated)[PASS] 4.1.10 Ensure that the kubelet --config configuration file ownership is set to root:root (Automated)[INFO] 4.2 Kubelet[PASS] 4.2.1 Ensure that the anonymous-auth argument is set to false (Automated)[FAIL] 4.2.2 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)[PASS] 4.2.3 Ensure that the --client-ca-file argument is set as appropriate (Automated)[PASS] 4.2.4 Ensure that the --read-only-port argument is set to 0 (Manual)[PASS] 4.2.5 Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Manual)[FAIL] 4.2.6 Ensure that the --protect-kernel-defaults argument is set to true (Automated)[PASS] 4.2.7 Ensure that the --make-iptables-util-chains argument is set to true (Automated)[WARN] 4.2.8 Ensure that the --hostname-override argument is not set (Manual)[WARN] 4.2.9 Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture (Manual)[PASS] 4.2.10 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Manual)[PASS] 4.2.11 Ensure that the --rotate-certificates argument is not set to false (Manual)[PASS] 4.2.12 Verify that the RotateKubeletServerCertificate argument is set to true (Manual)[PASS] 4.2.13 Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Manual)[INFO] 5 Kubernetes Policies[INFO] 5.1 RBAC and Service Accounts[WARN] 5.1.1 Ensure that the cluster-admin role is only used where required (Manual)[WARN] 5.1.2 Minimize access to secrets (Manual)[WARN] 5.1.3 Minimize wildcard use in Roles and ClusterRoles (Manual)[WARN] 5.1.4 Minimize access to create pods (Manual)[WARN] 5.1.5 Ensure that default service accounts are not actively used. (Manual)[WARN] 5.1.6 Ensure that Service Account Tokens are only mounted where necessary (Manual)[WARN] 5.1.7 Avoid use of system:masters group (Manual)[WARN] 5.1.8 Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster (Manual)[INFO] 5.2 Pod Security Policies[WARN] 5.2.1 Minimize the admission of privileged containers (Automated)[WARN] 5.2.2 Minimize the admission of containers wishing to share the host process ID namespace (Automated)[WARN] 5.2.3 Minimize the admission of containers wishing to share the host IPC namespace (Automated)[WARN] 5.2.4 Minimize the admission of containers wishing to share the host network namespace (Automated)[WARN] 5.2.5 Minimize the admission of containers with allowPrivilegeEscalation (Automated)[WARN] 5.2.6 Minimize the admission of root containers (Automated)[WARN] 5.2.7 Minimize the admission of containers with the NET_RAW capability (Automated)[WARN] 5.2.8 Minimize the admission of containers with added capabilities (Automated)[WARN] 5.2.9 Minimize the admission of containers with capabilities assigned (Manual)[INFO] 5.3 Network Policies and CNI[WARN] 5.3.1 Ensure that the CNI in use supports Network Policies (Manual)[WARN] 5.3.2 Ensure that all Namespaces have Network Policies defined (Manual)[INFO] 5.4 Secrets Management[WARN] 5.4.1 Prefer using secrets as files over secrets as environment variables (Manual)[WARN] 5.4.2 Consider external secret storage (Manual)[INFO] 5.5 Extensible Admission Control[WARN] 5.5.1 Configure Image Provenance using ImagePolicyWebhook admission controller (Manual)[INFO] 5.7 General Policies[WARN] 5.7.1 Create administrative boundaries between resources using namespaces (Manual)[WARN] 5.7.2 Ensure that the seccomp profile is set to docker/default in your pod definitions (Manual)[WARN] 5.7.3 Apply Security Context to Your Pods and Containers (Manual)[WARN] 5.7.4 The default namespace should not be used (Manual)== Summary total ==72 checks PASS11 checks FAIL40 checks WARN0 checks INFOKube-bench attempts to auto-detect the Kubernetes version to match the corresponding CIS Benchmark version. Kube-bench also attempts to identify the node components and uses that info to determine which tests to use.
Kube-bench tries to follow the CIS Kubernetes Benchmarks tightly. However, the mapping between Kubernetes and CIS benchmark versions is approximate and not exact. By default, kube-bench will ascertain the set of tests to run based on the Kubernetes version running on the nodes. Users may need to have root or sudo rights to access all the config files when running kube-bench from the command line.
Running Kube-bench on a Container
Users do not have to install kube-bench. It can be employed on a host by running it inside a container using the host PID namespace. Using this method, users must mount the /etc and /var directories where the configuration and other files are located on the host. This allows kube-bench to check for their existence and permission levels.
docker run --pid=host -v /etc:/etc:ro -v /var:/var:ro -t aquasec/kube-bench:latest --version 1.18Testing requires the use of kubelet or the kubectl binary must reside in your path. This allows it to auto-detect the Kubernetes version.
Users can pass the -v $(which kubectl):/usr/local/mount-from-host/bin/kubectl flag to resolve this. It is also required to pass the kubeconfig credentials. For example:
docker run --pid=host -v /etc:/etc:ro -v /var:/var:ro -v $(which kubectl):/usr/local/mount-from-host/bin/kubectl -v ~/.kube:/.kube -e KUBECONFIG=/.kube/config -t aquasec/kube-bench:latestTo use your configurations, transpose them over the default configs located in the /opt/kube-bench/cfg/ folder.
docker run --pid=host -v /etc:/etc:ro -v /var:/var:ro -t -v path/to/my-config.yaml:/opt/kube-bench/cfg/config.yaml -v $(which kubectl):/usr/local/mount-from-host/bin/kubectl -v ~/.kube:/.kube -e KUBECONFIG=/.kube/config aquasec/kube-bench:latestRunning Kube-bench on a Kubernetes Cluster
Kube-bench can be run in a pod, but it will need access to the host's PID namespace to check the running processes. It also requires access to several folders where the configuration and other files are located on the host. The job.yaml file noted below can be used to run the tests as a job. For example:
$ kubectl apply -f job.yamljob.batch/kube-bench created$ kubectl get podsNAME READY STATUS RESTARTS AGEkube-bench-j76s9 0/1 ContainerCreating 0 3s# Wait for a few seconds for the job to complete$ kubectl get podsNAME READY STATUS RESTARTS AGEkube-bench-j76s9 0/1 Completed 0 11s# The results are held in the pod's logskubectl logs kube-bench-j76s9[INFO] 1 Master Node Security Configuration[INFO] 1.1 API Server...To perform tests on a master node, the pod should be scheduled on that node. This entails setting a nodeSelector and tolerations in the PodSpec settings.
Was this page helpful?
On This Page
Kube-bench Security ToolWhat is Kube-bench?Installing Kube-benchDownload and Install BinariesUbuntu/DebianRHELSourceClone RepositoryContainer InstallationExample Kube-bench Test on a Sample PES/PMK ClusterOutput of Test Kube-bench ReportRunning Kube-bench on a ContainerRunning Kube-bench on a Kubernetes Cluster