
CKS Benchmarking

How to use CIS Kubernetes Benchmark and Aqua Security kube-bench to audit and improve cluster security.

CIS Kubernetes Benchmark 1.6.0 (at the time)

Make sure the CIS benchmark version matches the Kubernetes version you are running. The benchmark gives you concrete recommendations for improving Kubernetes cluster security.

Aqua Security kube-bench

# When using lima and nerdctl
limactl shell k8s \
sudo nerdctl -n k8s.io --address /run/containerd/containerd.sock \
run --pid=host \
-v /etc:/etc:ro \
-v /var:/var:ro \
-it aquasec/kube-bench:latest \
run --targets=master --version 1.23


# how to run
https://github.com/aquasecurity/kube-bench/blob/main/docs/running.md
# run on master
docker run --pid=host -v /etc:/etc:ro -v /var:/var:ro -t aquasec/kube-bench:latest run --targets=master --version 1.22
# run on worker
docker run --pid=host -v /etc:/etc:ro -v /var:/var:ro -t aquasec/kube-bench:latest run --targets=node --version 1.22
Kube-bench in action (fix FAILED checks)
controlplane $ kube-bench run --targets master --check 1.3.2
[INFO] 1 Master Node Security Configuration
[INFO] 1.3 Controller Manager
[FAIL] 1.3.2 Ensure that the --profiling argument is set to false (Automated)

== Remediations master ==
1.3.2 Edit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml
on the master node and set the below parameter.
--profiling=false


== Summary master ==
0 checks PASS
1 checks FAIL
0 checks WARN
0 checks INFO

== Summary total ==
0 checks PASS
1 checks FAIL
0 checks WARN
0 checks INFO

# Now check

Fix the /etc/kubernetes/manifests/kube-controller-manager.yaml


...
  containers:
  - command:
    - kube-controller-manager
    - --profiling=false
...
    image: k8s.gcr.io/kube-controller-manager:v1.22.2
...
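The runs above print a human-readable report; for repeated audits it is more practical to run kube-bench with its `--json` flag and triage the result in a script, then confirm the manifest edit actually satisfies the check. The following is an added example, not code from the original post or from the kube-bench project. It assumes the JSON report uses the `Controls` / `tests` / `results` / `status` / `remediation` field names (an assumption about kube-bench's JSON layout), embeds a constructed report containing the 1.3.2 failure from the run above, and checks a constructed controller-manager command list the way check 1.3.2 does: `--profiling` must be explicitly `false`, because the component default is `true`.

```python
"""Triage a kube-bench --json report and verify the 1.3.2 remediation.

Added example. Assumed invocation: kube-bench run --targets master --json > report.json
Assumed report layout: Controls[].tests[].results[] with status/remediation fields.
"""
import json
from typing import List, Optional, Tuple

# Constructed sample of a kube-bench --json report, trimmed to one section. The
# 1.3.2 text and remediation are the ones from the run above; 1.3.1 and 1.3.3 are
# constructed filler so the summary has something besides the failure to count.
SAMPLE_REPORT = json.dumps({
    "Controls": [{
        "id": "1", "version": "1.23", "node_type": "master",
        "text": "Master Node Security Configuration",
        "tests": [{
            "section": "1.3", "desc": "Controller Manager",
            "results": [
                {"test_number": "1.3.1", "test_desc": "constructed manual check",
                 "status": "WARN", "scored": False, "remediation": "n/a"},
                {"test_number": "1.3.2",
                 "test_desc": "Ensure that the --profiling argument is set to false (Automated)",
                 "status": "FAIL", "scored": True,
                 "remediation": "Edit the Controller Manager pod specification file "
                                "/etc/kubernetes/manifests/kube-controller-manager.yaml "
                                "on the master node and set the below parameter.\n--profiling=false"},
                {"test_number": "1.3.3", "test_desc": "constructed automated check",
                 "status": "PASS", "scored": True, "remediation": ""},
            ],
        }],
    }],
    "Totals": {"total_pass": 1, "total_fail": 1, "total_warn": 1, "total_info": 0},
})


def failed_checks(report_json: str) -> List[Tuple[str, str, str, str]]:
    """Return every FAIL result as (node_type, test_number, test_desc, remediation)."""
    report = json.loads(report_json)
    failures = []
    for control in report.get("Controls", []):
        for test in control.get("tests", []):
            for result in test.get("results", []):
                if result.get("status") == "FAIL":
                    failures.append((control.get("node_type", ""), result["test_number"],
                                     result["test_desc"], result.get("remediation", "")))
    return failures


def gate(report_json: str) -> int:
    """Exit code for a pipeline step: number of scored FAIL results (0 means clean).
    Unscored (WARN/Manual) items are reported by failed_checks() but do not block."""
    report = json.loads(report_json)
    return sum(1 for c in report.get("Controls", []) for t in c.get("tests", [])
               for r in t.get("results", [])
               if r.get("status") == "FAIL" and r.get("scored", False))


def flag_value(command: List[str], flag: str) -> Optional[str]:
    """Value of `flag` in a static-pod command list, or None when it is absent.
    Handles `--flag=value`; the separate `--flag value` form is accepted too for
    non-boolean flags that are written that way."""
    for i, arg in enumerate(command):
        if arg.startswith(flag + "="):
            return arg[len(flag) + 1:]
        if arg == flag:
            return command[i + 1] if i + 1 < len(command) else ""
    return None


def profiling_disabled(command: List[str]) -> bool:
    """Mirror of the 1.3.2 condition: --profiling must be explicitly "false".
    An absent flag fails because kube-controller-manager defaults profiling to true."""
    return flag_value(command, "--profiling") == "false"


# Constructed controller-manager command lists: before and after the manifest edit.
BEFORE = ["kube-controller-manager", "--bind-address=127.0.0.1"]
AFTER = BEFORE + ["--profiling=false"]

if __name__ == "__main__":
    for node, num, desc, fix in failed_checks(SAMPLE_REPORT):
        print(f"[FAIL] {node} {num} {desc}\n       fix: {fix.splitlines()[-1]}")
    print("scored failures:", gate(SAMPLE_REPORT))
    print("profiling disabled before/after:", profiling_disabled(BEFORE), profiling_disabled(AFTER))
```

To use it against a real cluster, replace `SAMPLE_REPORT` with the contents of the file written by `kube-bench ... --json`, and feed `flag_value` the `command:` list from the static-pod manifest (or the live process arguments); a non-zero `gate()` result is what a CI step should fail on.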
This post is licensed under CC BY 4.0 by the author.