Hardening Your Kubernetes Cluster with Kube-Bench

In this post we are going to learn about the compliance tool Kube-Bench and how to use it to run the CIS Kubernetes Benchmark against a cluster.

So I recently finished my CKS and learned a hell of a lot about securing a Kubernetes cluster. There are plenty of great tools out there, but why not start with a compliance framework? What better way to begin reducing the attack surface of your cluster?

CIS Kubernetes Benchmark!

Linked here is some information directly from the Center for Internet Security.
The CIS Kubernetes Benchmark covers security guidelines and recommendations for:
* Control Plane Components
* Worker Nodes
* Policies: RBAC services, service accounts, etc.

Now, what IS Kube-Bench?

Kube-Bench is an open source security tool, released under the Apache 2.0 license, that checks whether a Kubernetes deployment is configured securely by running the checks from the CIS Kubernetes Benchmark, as documented by the Center for Internet Security. CIS publishes more than one hundred benchmarks across multiple vendor product families. Kube-Bench was originally built by Aqua Security as a free tool for Kubernetes users.

I personally like this because the finished report shows me not just what I’m passing for compliance, but what I’m failing AND how to fix it. As an example, see below.

After you run Kube-Bench, you’ll be presented with a report broken down into four sections: Master Node, ETCD Node, Worker Node, and Policies.

There are multiple ways to run the benchmark against your environments, and the right one comes down to what makes sense for your setup. If you’re running a self-hosted cluster, then the binary it is! For managed services (EKS, GKE, AKS, etc.), the simpler method is to run it as a Kubernetes Job. Keep in mind that this is the simplest method there because you don’t have access to the control plane or root access to the worker nodes.

To review or modify the manifest before applying it, download it first by running the following command in your terminal window:

curl https://raw.githubusercontent.com/aquasecurity/kube-bench/main/job.yaml > job.yaml

Or, if you prefer to apply the file straight from the repository in a “JESUS TAKE THE WHEEL” fashion:

kubectl apply -f https://raw.githubusercontent.com/aquasecurity/kube-bench/main/job.yaml

After you have applied the Job, read the logs of the pod it creates to get output like the report shown above.
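Reading the log once is fine for a first look, but the report is more useful if you can count the failures and gate on them. Below is an added shell example (not from the kube-bench project) that fetches the Job’s log with kubectl and parses the [PASS]/[FAIL]/[WARN] lines; it assumes the Job is named kube-bench, as in the upstream job.yaml, and the embedded report is a constructed sample in kube-bench’s output format, not real results from a cluster.

```shell
#!/bin/sh
# Added example, not part of the kube-bench project.
# Assumes the Job name "kube-bench" from the upstream job.yaml.

# Constructed sample of kube-bench output (check IDs and titles are illustrative).
SAMPLE_REPORT='[INFO] 4 Worker Node Security Configuration
[INFO] 4.1 Worker Node Configuration Files
[PASS] 4.1.1 Ensure that the kubelet service file permissions are set to 600 or more restrictive (Automated)
[FAIL] 4.2.6 Ensure that the --protect-kernel-defaults argument is set to true (Automated)
[WARN] 4.2.9 Ensure that the --event-qps argument is set to a level which ensures appropriate event capture (Manual)
== Remediations node ==
4.2.6 If using a Kubelet config file, edit the file to set protectKernelDefaults: true.
== Summary node ==
1 checks PASS
1 checks FAIL
1 checks WARN
0 checks INFO
'

# Print "<STATUS> <check id>" for every per-check line read on stdin.
# Summary and remediation lines are skipped: they do not start with a bracketed status.
kb_checks() {
    awk '$1 ~ /^\[(PASS|FAIL|WARN|INFO)\]$/ && $2 ~ /^[0-9]/ { gsub(/\[|\]/, "", $1); print $1, $2 }'
}

# Count per-check lines with the given status (PASS, FAIL, WARN or INFO) read on stdin.
kb_count() {
    awk -v s="$1" 'BEGIN { n = 0 } $1 == "[" s "]" && $2 ~ /^[0-9]/ { n++ } END { print n }'
}

# Fetch the finished Job's log from the cluster (needs kubectl and cluster access).
kb_fetch_log() {
    kubectl wait --for=condition=complete job/kube-bench --timeout=300s >/dev/null
    kubectl logs job/kube-bench
}

# Read a report on stdin, print a one-line summary and return non-zero
# when the number of FAIL checks exceeds the allowed maximum.
kb_gate() {
    max_fail="$1"
    report=$(cat)
    fails=$(printf '%s\n' "$report" | kb_count FAIL)
    warns=$(printf '%s\n' "$report" | kb_count WARN)
    echo "FAIL=$fails WARN=$warns (max allowed FAIL=$max_fail)"
    [ "$fails" -le "$max_fail" ]
}

# Against a live cluster:  kb_fetch_log | kb_gate 0
printf '%s' "$SAMPLE_REPORT" | kb_gate 0 || echo "benchmark gate failed"
```

Run against a live cluster with `kb_fetch_log | kb_gate 0` to fail a pipeline step on any FAIL result; WARN items (mostly manual checks) are reported but not counted against the threshold.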

So as you can see, there are multiple ways to run the Kube-Bench tool against your Kubernetes environments. Each has its own pros and cons, so it’ll be up to you to decide what works best for your workloads.

In this article, we went over Kube-Bench, the CIS Kubernetes Benchmark, why you want to run it against your Kubernetes clusters, and the different methods of deployment.