arno
/
kube-bench
mirror of https://github.com/aquasecurity/kube-bench.git
1
0
Fork 0
Code Issues Releases Wiki Activity
The Kubernetes Bench for Security is a Go application that checks whether Kubernetes is deployed according to security best practices.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
981 Commits
13 Branches
62 Tags
155 MiB
 
 
 
 
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'dependabot/go_modules/gorm.io/gorm-1.24.6'
${ noResults }
Go to file
dependabot[bot] 09ab7ef49c
build(deps): bump gorm.io/gorm from 1.24.2 to 1.24.6 		2 days ago
.github build(deps): bump goreleaser/goreleaser-action from 3 to 4 (#1347) 3 months ago
cfg Fix to empty grep and other cis-1.6-k3s checks (#1352) 3 months ago
check bugfix: false negative when audit_config file not found (#1376) 1 month ago
cmd support customize datadir locations of etcd (#1330) 4 months ago
docs docs: Clarify how to run Job on OpenShift (#1401) 2 weeks ago
hack Adding eks-stig-kubernetes-v1r6 (#1266) 7 months ago
hooks adds kube-bench version to docker build hook (#524) 3 years ago
integration/testdata Adding eks-stig-kubernetes-v1r6 (#1266) 7 months ago
internal/findings Migrate to aws-sdk-go-v2 (#1268) 6 months ago
.gitignore release: prepare v0.6.7-rc1 (#1136) 1 year ago
.golangci.yaml chore(lint): setup golangci-lint (#1144) 12 months ago
.goreleaser.yml chore: add s390x arch (#1097) 1 year ago
.yamllint.yaml Support Linting YAML as part of Travis CI build (#554) 3 years ago
CONTRIBUTING.md Adding eks-stig-kubernetes-v1r6 (#1266) 7 months ago
Dockerfile build(deps): bump golang from 1.19.3 to 1.19.4 (#1345) 3 months ago
Dockerfile.ubi8 build(deps): bump golang from 1.19.3 to 1.19.4 (#1345) 3 months ago
LICENSE Initial commit 6 years ago
NOTICE Create NOTICE (#199) 4 years ago
OWNERS Create OWNERS 6 years ago
README.md Remove broken badges and add link for some badges (#1083) 1 year ago
codecov.yml Improve Proxykubeconfig tests (#708) 3 years ago
entrypoint.sh Set -e to fail fast 5 years ago
go.mod build(deps): bump gorm.io/gorm from 1.24.2 to 1.24.6 2 days ago
go.sum build(deps): bump gorm.io/gorm from 1.24.2 to 1.24.6 2 days ago
job-ack.yaml fix: fully qualified image names (#1206) 10 months ago
job-aks.yaml fix: fully qualified image names (#1206) 10 months ago
job-eks-asff.yaml Support CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.1.0 (#1222) 7 months ago
job-eks-stig.yaml Adding eks-stig-kubernetes-v1r6 (#1266) 7 months ago
job-eks.yaml Support CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.1.0 (#1222) 7 months ago
job-gke.yaml fix: fully qualified image names (#1206) 10 months ago
job-iks.yaml fix: fully qualified image names (#1206) 10 months ago
job-master.yaml Update job-master.yaml for K8s 1.24.x labels/tolerations (#1250) (#1251) 7 months ago
job-node.yaml fix: fully qualified image names (#1206) 10 months ago
job.yaml release: prepare v0.6.12 (#1387) 1 month ago
main.go Fix issue #16 about supporting verbosity. 6 years ago
makefile Adding eks-stig-kubernetes-v1r6 (#1266) 7 months ago
mkdocs.yml Fixing typos (#899) 2 years ago

README.md

GitHub Release Downloads Docker Pulls Go Report Card Build Status License Coverage Status

kube-bench logo

kube-bench is a tool that checks whether Kubernetes is deployed securely by running the checks documented in the CIS Kubernetes Benchmark.

Tests are configured with YAML files, making this tool easy to update as test specifications evolve.

Kubernetes Bench for Security

Quick start

There are multiple ways to run kube-bench. You can run kube-bench inside a pod, but it will need access to the host's PID namespace in order to check the running processes, as well as access to some directories on the host where config files and other files are stored.

The supplied job.yaml file can be applied to run the tests as a job. For example:

$ kubectl apply -f job.yaml
job.batch/kube-bench created

$ kubectl get pods
NAME                      READY   STATUS              RESTARTS   AGE
kube-bench-j76s9   0/1     ContainerCreating   0          3s

# Wait for a few seconds for the job to complete
$ kubectl get pods
NAME                      READY   STATUS      RESTARTS   AGE
kube-bench-j76s9   0/1     Completed   0          11s

# The results are held in the pod's logs
kubectl logs kube-bench-j76s9
[INFO] 1 Master Node Security Configuration
[INFO] 1.1 API Server
...

For more information and different ways to run kube-bench see documentation

Please Note

  1. kube-bench implements the CIS Kubernetes Benchmark as closely as possible. Please raise issues here if kube-bench is not correctly implementing the test as described in the Benchmark. To report issues in the Benchmark itself (for example, tests that you believe are inappropriate), please join the CIS community.

  2. There is not a one-to-one mapping between releases of Kubernetes and releases of the CIS benchmark. See CIS Kubernetes Benchmark support to see which releases of Kubernetes are covered by different releases of the benchmark.

By default, kube-bench will determine the test set to run based on the Kubernetes version running on the machine.

Contributing

Kindly read Contributing before contributing. We welcome PRs and issue reports.

Roadmap

Going forward we plan to release updates to kube-bench to add support for new releases of the CIS Benchmark. Note that these are not released as frequently as Kubernetes releases.