arno
/
kube-bench
mirror of https://github.com/aquasecurity/kube-bench.git
1
0
Fork 0
Code Issues Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '5c97f042be'
${ noResults }
kube-bench/v0.6.15/search/search_index.json

1 line
47 KiB
Raw Normal View History Unescape

Deployed 76c25b2 to v0.6.15 with MkDocs 1.4.3 and mike 1.1.2
1 year ago
{"config":{"lang":["en"],"separator":"[\\s\\-]+","pipeline":["stopWordFilter"],"fields":{"title":{"boost":1000.0},"text":{"boost":1.0},"tags":{"boost":1000000.0}}},"docs":[{"location":"","title":"Overview","text":""},{"location":"#kube-bench","title":"Kube-bench","text":"<p>kube-bench is a Go application that checks whether Kubernetes is deployed securely by running the checks documented in the CIS Kubernetes Benchmark.</p> <p>Tests are configured with YAML files, making this tool easy to update as test specifications evolve.</p> <ol> <li> <p>kube-bench implements the CIS Kubernetes Benchmark as closely as possible. Please raise issues here if kube-bench is not correctly implementing the test as described in the Benchmark. To report issues in the Benchmark itself (for example, tests that you believe are inappropriate), please join the CIS community.</p> </li> <li> <p>There is not a one-to-one mapping between releases of Kubernetes and releases of the CIS benchmark. See CIS Kubernetes Benchmark support to see which releases of Kubernetes are covered by different releases of the benchmark.</p> </li> <li> <p>It is impossible to inspect the master nodes of managed clusters, e.g. GKE, EKS, AKS and ACK, using kube-bench as one does not have access to such nodes, although it is still possible to use kube-bench to check worker node configuration in these environments.</p> </li> </ol> <p>For help and more information go to our github discussions q&amp;a</p>"},{"location":"architecture/","title":"Architecture","text":""},{"location":"architecture/#test-config-yaml-representation","title":"Test config YAML representation","text":"<p>The tests (or \"controls\") are maintained in YAML documents. There are different versions of these test YAML files reflecting different versions and platforms of the CIS Kubernetes Benchmark. You will find more information about the test file YAML definitions in our controls documentation.</p>"},{"location":"architecture/#kube-bench-benchmarks","title":"Kube-bench benchmarks","text":"<p>The test files for the various versions of Benchmarks can be found in directories with same name as the Benchmark versions under the <code>cfg</code> directory next to the kube-bench executable, for example <code>./cfg/cis-1.5</code> will contain all test files for CIS Kubernetes Benchmark v1.5.1 which are: master.yaml, controlplane.yaml, node.yaml, etcd.yaml, policies.yaml and config.yaml </p> <p>Check the contents of the benchmark directory under <code>cfg</code> to see which targets are available for that benchmark. Each file except <code>config.yaml</code> represents a target (also known as a <code>control</code> in other parts of this documentation). </p> <p>The following table shows the valid targets based on the CIS Benchmark version.</p> CIS Benchmark Targets cis-1.5 master, controlplane, node, etcd, policies cis-1.6 master, controlplane, node, etcd, policies cis-1.20 master, controlplane, node, etcd, policies cis-1.23 master, controlplane, node, etcd, policies cis-1.24 master, controlplane, node, etcd, policies cis-1.7 master, controlplane, node, etcd, policies gke-1.0 master, controlplane, node, etcd, policies, managedservices gke-1.2.0 controlplane, node, policies, managedservices eks-1.0.1 controlplane, node, policies, managedservices eks-1.1.0 controlplane, node, policies, managedservices eks-1.2.0 controlplane, node, policies, managedservices ack-1.0 master, controlplane, node, etcd, policies, managedservices aks-1.0 controlplane, node, policies, managedservices rh-0.7 master,node rh-1.0 master, controlplane, node, etcd, policies cis-1.6-k3s master, controlplane, node, etcd, policies <p>The following table shows the valid DISA STIG versions</p> STIG Targets eks-stig-kubernetes-v1r6 master, controlplane, node, policies, managedservices"},{"location":"asff/","title":"Integrating kube-bench with AWS Security Hub","text":"<p>You can configure kube-bench with the <code>--asff</code> to send findings to AWS Security Hub. There are some additional steps required so that kube-bench has information and permission