Go modules / Alpine 3.10 update / Remove binary (#322)
* Remove binary that was accidentally added 911e9051dc * Dockerfile: Update to alpine 3.10 * Switch to go 1.12 and go modules
|21 hours ago|
|cfg||1 day ago|
|check||2 weeks ago|
|cmd||2 weeks ago|
|docs||3 weeks ago|
|hack||3 months ago|
|hooks||1 year ago|
|images||1 year ago|
|.DS_Store||1 week ago|
|.gitignore||1 month ago|
|.goreleaser.yml||1 year ago|
|.travis.yml||21 hours ago|
|Dockerfile||21 hours ago|
|LICENSE||2 years ago|
|NOTICE||5 months ago|
|OWNERS||1 year ago|
|README.md||1 day ago|
|entrypoint.sh||1 year ago|
|go.mod||21 hours ago|
|go.sum||21 hours ago|
|job-eks.yaml||2 months ago|
|job-master.yaml||5 months ago|
|job-node.yaml||5 months ago|
|job.yaml||3 months ago|
|main.go||1 year ago|
|makefile||2 weeks ago|
kube-bench is a Go application that checks whether Kubernetes is deployed securely by running the checks documented in the CIS Kubernetes Benchmark.
Note that it is impossible to inspect the master nodes of managed clusters, e.g. GKE, EKS and AKS, using kube-bench as one does not have access to such nodes, although it is still possible to use kube-bench to check worker node configuration in these environments.
Tests are configured with YAML files, making this tool easy to update as test specifications evolve.
kube-bench supports the tests for Kubernetes as defined in the CIS Benchmarks 1.0.0 to 1.4.0 respectively.
|CIS Kubernetes Benchmark||kube-bench config||Kubernetes versions|
By default kube-bench will determine the test set to run based on the Kubernetes version running on the machine.
There is also preliminary support for Red Hat’s Openshift Hardening Guide for 3.10 and 3.11. Please note that kube-bench does not automatically detect Openshift - see below.
You can choose to
You can avoid installing kube-bench on the host by running it inside a container using the host PID namespace and mounting the
/var directories where the configuration and other files are located on the host, so that kube-bench can check their existence and permissions.
docker run --pid=host -v /etc:/etc:ro -v /var:/var:ro -t aquasec/kube-bench:latest [master|node]
You can even use your own configs by mounting them over the default ones in
docker run --pid=host -v /etc:/etc:ro -v /var:/var:ro -t -v path/to/my-config.yaml:/opt/kube-bench/cfg/config.yaml aquasec/kube-bench:latest [master|node]
Note: the tests require either the kubelet or kubectl binary in the path in order to auto-detect the Kubernetes version. You can pass
-v $(which kubectl):/usr/bin/kubectlto the above invocations to resolve this.
You can run kube-bench inside a pod, but it will need access to the host’s PID namespace in order to check the running processes, as well as access to some directories on the host where config files and other files are stored.
Master nodes are automatically detected by kube-bench and will run master checks when possible. The detection is done by verifying that mandatory components for master, as defined in the config files, are running (see Configuration).
job.yaml file can be applied to run the tests as a job. For example:
$ kubectl apply -f job.yaml job.batch/kube-bench created $ kubectl get pods NAME READY STATUS RESTARTS AGE kube-bench-j76s9 0/1 ContainerCreating 0 3s # Wait for a few seconds for the job to complete $ kubectl get pods NAME READY STATUS RESTARTS AGE kube-bench-j76s9 0/1 Completed 0 11s # The results are held in the pod's logs kubectl logs kube-bench-j76s9 [INFO] 1 Master Node Security Configuration [INFO] 1.1 API Server ...
You can still force to run specific master or node checks using respectively
To run the tests on the master node, the pod needs to be scheduled on that node. This involves setting a nodeSelector and tolerations in the pod spec.
The default labels applied to master nodes has changed since Kubernetes 1.11, so if you are using an older version you may need to modify the nodeSelector and tolerations to run the job on the master node.
There is a
job-eks.yaml file for running the kube-bench node checks on an EKS cluster. Note that you must update the image reference in
job-eks.yaml. Typically you will push the container image for kube-bench to ECR and refer to it there in the YAML file.
There are two significant differences on EKS:
This command copies the kube-bench binary and configuration files to your host from the Docker container: ** binaries compiled for linux-x86-64 only (so they won’t run on OSX or Windows) **
docker run --rm -v `pwd`:/host aquasec/kube-bench:latest install
You can then run
If Go is installed on the target machines, you can simply clone this repository and run as follows (assuming your $GOPATH is set):
go get github.com/aquasecurity/kube-bench go get github.com/golang/dep/cmd/dep cd $GOPATH/src/github.com/aquasecurity/kube-bench $GOPATH/bin/dep ensure -vendor-only go build -o kube-bench . # See all supported options ./kube-bench --help # Run the all checks ./kube-bench
kube-bench includes a set of test files for Red Hat’s OpenShift hardening guide for OCP 3.10 and 3.11. To run this you will need to specify
--version ocp-3.10 when you run the
kube-bench command (either directly or through YAML). This config version is valid for OCP 3.10 and 3.11.
Kubernetes config and binary file locations and names can vary from installation to installation, so these are configurable in the
Any settings in the version-specific config file
cfg/<version>/config.yaml take precedence over settings in the main
For each type of node (master, node or federated) there is a list of components, and for each component there is a set of binaries (bins) and config files (confs) that kube-bench will look for (in the order they are listed). If your installation uses a different binary name or config file location for a Kubernetes component, you can add it to
There are three output states
The tests are represented as YAML documents (installed by default into ./cfg).
An example is as listed below:
--- controls: id: 1 text: "Master Checks" type: "master" groups: - id: 1.1 text: "Kube-apiserver" checks: - id: 1.1.1 text: "Ensure that the --allow-privileged argument is set (Scored)" audit: "ps -ef | grep kube-apiserver | grep -v grep" tests: bin_op: or test_items: - flag: "--allow-privileged" set: true - flag: "--some-other-flag" set: false remediation: "Edit the /etc/kubernetes/config file on the master node and set the KUBE_ALLOW_PRIV parameter to '--allow-privileged=false'" scored: true
checks in this document) can run on Kubernetes Master, Node or Federated API Servers.
Checks are organized into
groups which share similar controls (things to check for) and are grouped together in the section of the CIS Kubernetes document.
These groups are further organized under
controls which can be of the type
federated apiserver to reflect the various Kubernetes node types.
If you decide that a recommendation is not appropriate for your environment, you can choose to omit it by editing the test YAML file to give it the check type
skip as in this example:
checks: - id: 2.1.1 text: "Ensure that the --allow-privileged argument is set to false (Scored)" type: "skip" scored: true
No tests will be run for this check and the output will be marked [INFO].
Tests are the items we actually look for to determine if a check is successful or not. Checks can have multiple tests, which must all be successful for the check to pass.
The syntax for tests:
tests: - flag: set: compare: op: value: ...
You can also define jsonpath and yamlpath tests using the following syntax:
tests: - path: set: compare: op: value: ...
Tests have various
operations which are used to compare the output of audit commands for success.
These operations are:
eq: tests if the flag value is equal to the compared value.
noteq: tests if the flag value is unequal to the compared value.
gt: tests if the flag value is greater than the compared value.
gte: tests if the flag value is greater than or equal to the compared value.
lt: tests if the flag value is less than the compared value.
lte: tests if the flag value is less than or equal to the compared value.
has: tests if the flag value contains the compared value.
nothave: tests if the flag value does not contain the compared value.
regex: tests if the flag value matches the compared value regular expression.
When defining regular expressions in YAML it is generally easier to wrap them in single quotes, for example
'^[abc]$', to avoid issues with string escaping.
Going forward we plan to release updates to kube-bench to add support for new releases of the Benchmark, which in turn we can anticipate being made for each new Kubernetes release.
We welcome PRs and issue reports.
Our makefile contains targets to test your current version of kube-bench inside a Kind cluster. This can be very handy if you don’t want to run a real kubernetes cluster for development purpose.
First you’ll need to create the cluster using
make kind-test-cluster this will create a new cluster if it cannot be found on your machine. By default the cluster is named
kube-bench but you can change the name by using the environment variable
If kind cannot be found on your system the target will try to install it using
Next you’ll have to build the kube-bench docker image using
make build-docker, then we will be able to push the docker image to the cluster using
Finally we can use the
make kind-run target to run the current version of kube-bench in the cluster and follow the logs of pods created. (Ctrl+C to exit)
Everytime you want to test a change, you’ll need to rebuild the docker image and push it to cluster before running it again. (
make build-docker kind-push kind-run )
If you think you have found a bug please follow the instructions below.
kube-bench version) and the command line options you are using.
oc versionfor Openshift).
-v 10command line option and save the log output. Please paste this into your issue.
We also use the GitHub issue tracker to track feature requests. If you have an idea to make kube-bench even more awesome follow the steps below.
thisand kube-bench does
We welcome pull requests!