How to Secure your Kubernetes Deployment


kube-bench, like docker-bench, is a detection tool written in Go, not an enforcement tool. It examines whether your Kubernetes cluster is deployed securely by running the checks defined in the CIS Kubernetes Benchmark.

The CIS Kubernetes Benchmark works the same way the CIS Docker Benchmark does. However, since there are many Kubernetes distributions, specific implementations of the CIS Kubernetes Benchmark are tailored to each distribution.

kube-bench does not take steps to harden your Kubernetes cluster; it identifies holes in the security of your deployment, but you must go the extra mile and plug them.

Tests are defined in separate YAML files. There are test files for both the permissive and the hardened profiles.

Finally, kube-bench runs on Linux, so some audit checks won’t work unless you use a Linux distribution. However, there’s always the option to run kube-bench as a pod within your Kubernetes cluster. We’ll explore this option.

The RKE kube-bench Schema

There are different CIS Kubernetes Benchmark implementations tailored to specific Kubernetes distributions. Here we will examine the RKE implementation.

The RKE kube-bench schema has the same structure as the docker-bench schema:

- id: <test id>
  text: <what to test>
  audit: <command to test>
  tests:
    test_items:
      - flag:
        set:
  remediation:
  scored:

The main sections of the schema are:

  • The test id
  • A short description of the test
  • An audit section with the command to run and its flags
  • The remediation section, with instructions on fixing a failed test

Evaluate your Kubernetes Deployment

We’re going to run the kube-bench security tool as a container. More specifically, in this example, we will evaluate an RKE deployment. Different Kubernetes distributions require slightly different approaches. Follow the official documentation to set up an RKE cluster if you want to follow along.

Evaluating the control plane

First, you will evaluate the control plane of your cluster. To this end, you need to first ssh into your master node. How to do this is specific to your system. Usually, you should run a command similar to the one below:

ssh USER@HOST

Once you’re in, you will run the rancher/security-scan container provided by Rancher and exec into it to get the results:

docker run --pid=host -v /etc:/node/etc:ro -v /var:/node/var:ro -it rancher/security-scan:v0.2.2 bash

This container is already configured to use kube-bench under the proper Kubernetes context. So, to check the security status of your control plane, all you need to do is run the command below:

kube-bench run --targets etcd,master,controlplane,policies --scored --config-dir=/etc/kube-bench/cfg --benchmark rke-cis-1.6-hardened

Note that this command runs the checks for the hardened profile. You can always use the permissive profile, which is more forgiving. To do this, replace --benchmark rke-cis-1.6-hardened with --benchmark rke-cis-1.6-permissive.

kube-bench runs many checks across different categories when you execute the scan command. To gather the failures and investigate them closely, grep for FAIL:

kube-bench run --targets etcd,master,controlplane,policies --scored --config-dir=/etc/kube-bench/cfg --benchmark rke-cis-1.6-hardened | grep FAIL

Evaluating the worker node

Evaluating the worker node follows a similar process. Again, the first step is to ssh into the worker node, run the rancher/security-scan container and exec into it:

docker run --pid=host -v /etc:/node/etc:ro -v /var:/node/var:ro -ti rancher/security-scan:v0.2.2 bash

Once you’re within the container context, the command you need to run is the one below:

kube-bench run --targets node --scored --config-dir=/etc/kube-bench/cfg --benchmark rke-cis-1.6-hardened | grep FAIL

Notice that the only difference is the --targets flag. You are now setting it to node.
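To make the schema above and the grep-for-FAIL triage concrete, here is an added example (not kube-bench's own code) that models how a check's test_items decide PASS or FAIL: the two check definitions, the extra compare field and the process lines are constructed for illustration, and the audit command is shown but not executed.

```python
import re

# Two checks in the RKE schema shown earlier, as dicts instead of YAML
# (constructed for this example; ids/text echo CIS 1.2.1 and 1.2.2).
# 'compare' is an extra field real checks use to test a flag's value.
# The audit command is what would run on the node; it is not executed here.
CHECKS = [
    {"id": "1.2.1", "text": "Ensure that the --anonymous-auth argument is set to false",
     "audit": "/bin/ps -ef | grep kube-apiserver | grep -v grep",
     "tests": {"test_items": [{"flag": "--anonymous-auth", "set": True,
                               "compare": {"op": "eq", "value": "false"}}]},
     "remediation": "Set --anonymous-auth=false on the kube-apiserver.", "scored": True},
    {"id": "1.2.2", "text": "Ensure that the --token-auth-file parameter is not set",
     "audit": "/bin/ps -ef | grep kube-apiserver | grep -v grep",
     "tests": {"test_items": [{"flag": "--token-auth-file", "set": False}]},
     "remediation": "Remove --token-auth-file from the kube-apiserver flags.", "scored": True},
]

def flag_value(audit_output, flag):
    """Return (present, value) for '--flag' or '--flag=value' in the audit output."""
    m = re.search(r"(?:^|\s)" + re.escape(flag) + r"(?:=(\S+))?(?=\s|$)", audit_output)
    return (True, m.group(1)) if m else (False, None)

def evaluate(check, audit_output):
    """'set' says whether the flag must be present (True) or absent (False); an
    optional 'compare' (op eq/noteq) then tests its value. All test_items must
    hold for PASS (assumed here, mirroring kube-bench's default 'and' binding)."""
    for item in check["tests"]["test_items"]:
        present, value = flag_value(audit_output, item["flag"])
        if item.get("set", True) != present:  # defaulting 'set' to true is an assumption
            return "FAIL"
        cmp_ = item.get("compare")
        if cmp_ and present and (value == cmp_["value"]) != (cmp_["op"] == "eq"):
            return "FAIL"
    return "PASS"

def report(checks, audit_output):
    """Lines in kube-bench's '[STATUS] id text' form, so `grep FAIL` works on them."""
    return ["[%s] %s %s" % (evaluate(c, audit_output), c["id"], c["text"]) for c in checks]

def failures(checks, audit_output):
    """What `| grep FAIL` keeps, paired with each check's remediation text."""
    return [(c["id"], c["remediation"]) for c in checks if evaluate(c, audit_output) == "FAIL"]

# Constructed process lines, as the audit command above would return them.
HARDENED = "root 1234 1 0 10:00 ? 00:01:02 kube-apiserver --anonymous-auth=false --authorization-mode=Node,RBAC"
WEAK = "root 1234 1 0 10:00 ? 00:01:02 kube-apiserver --anonymous-auth=true --token-auth-file=/etc/kubernetes/tokens.csv"
```

Running report(CHECKS, WEAK) yields two [FAIL] lines, and failures() hands you the remediation text the article tells you to act on for each one.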

That’s it! You have now checked both the master and worker nodes for security issues.

Kubernetes deployments are not safe by default and you should go the extra mile and secure the gates. Fortunately, tools like kube-bench let us focus our attention on specific areas of the cluster.

You’ve now seen how to secure your Docker setup using docker-bench and your Kubernetes deployment using kube-bench. However, what runs inside a container is equally important. Thus, in the next article, we’ll see how you can tell that a container image is safe to use.

My name is Dimitris Poulopoulos, and I’m a machine learning engineer working for Arrikto. I have designed and implemented AI and software solutions for major clients such as the European Commission, Eurostat, IMF, the European Central Bank, OECD, and IKEA.

If you are interested in reading more posts about Machine Learning, Deep Learning, Data Science, and DataOps, follow me on Medium, LinkedIn, or @james2pl on Twitter.

Opinions expressed are solely my own and do not express the views or opinions of my employer.
