kube-bench: Checks Kubernetes security best practices as defined in the CIS Kubernetes Benchmark
kube-bench
kube-bench is a Go application that checks whether Kubernetes is deployed securely by running the checks documented in the CIS Kubernetes Benchmark.
Tests are configured with YAML files, making this tool easy to update as test specifications evolve.
Please Note
- kube-bench implements the CIS Kubernetes Benchmark as closely as possible. Please raise issues here if it is not correctly implementing the test as described in the Benchmark. To report issues in the Benchmark itself (for example, tests that you believe are inappropriate), please join the CIS community.
- There is not a one-to-one mapping between releases of Kubernetes and releases of the CIS benchmark. See CIS Kubernetes Benchmark support to see which releases of Kubernetes are covered by different releases of the benchmark.
- It is impossible to inspect the master nodes of managed clusters, e.g. GKE, EKS, and AKS, using kube-bench as one does not have access to such nodes, although it is still possible to use it to check worker node configuration in these environments.
kube-bench supports the tests for Kubernetes as defined in the CIS Kubernetes Benchmarks.
| CIS Kubernetes Benchmark | kube-bench config | Kubernetes versions |
|---|---|---|
| 1.3.0 | cis-1.3 | 1.11-1.12 |
| 1.4.1 | cis-1.4 | 1.13-1.14 |
| 1.5.1 | cis-1.5 | 1.15 |
| 1.6.0 | cis-1.6 | 1.16- |
| GKE 1.0.0 | gke-1.0 | GKE |
| EKS 1.0.0 | eks-1.0 | EKS |
| Red Hat OpenShift hardening guide | rh-0.7 | OCP 3.10-3.11 |
By default, kube-bench will determine the test set to run based on the Kubernetes version running on the machine, but please note that it does not automatically detect OpenShift and GKE – see the section below on Running kube-bench.
Install & Use
Copyright (C) 2017 aquasecurity
