mirror of
https://github.com/aquasecurity/kube-bench.git
synced 2024-11-19 14:48:07 +00:00
537 lines
17 KiB
HTML
537 lines
17 KiB
HTML
|
|
||
|
<!doctype html>
|
||
|
<html lang="en" class="no-js">
|
||
|
<head>
|
||
|
|
||
|
<meta charset="utf-8">
|
||
|
<meta name="viewport" content="width=device-width,initial-scale=1">
|
||
|
|
||
|
<meta name="description" content="Checks whether Kubernetes is deployed according to security best practices as defined in the CIS Kubernetes Benchmark">
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
<link rel="canonical" href="https://aquasecurity.github.io/kube-bench/dev/">
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
<link rel="icon" href="assets/images/favicon.png">
|
||
|
<meta name="generator" content="mkdocs-1.2, mkdocs-material-7.1.7+insiders-2.9.2">
|
||
|
|
||
|
|
||
|
|
||
|
<title>Kube-bench</title>
|
||
|
|
||
|
|
||
|
|
||
|
<link rel="stylesheet" href="assets/stylesheets/main.92048cb8.min.css">
|
||
|
|
||
|
|
||
|
<link rel="stylesheet" href="assets/stylesheets/palette.73e53a79.min.css">
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
|
||
|
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto:300,400,400i,700%7CRoboto+Mono&display=fallback">
|
||
|
<style>:root{--md-text-font-family:"Roboto";--md-code-font-family:"Roboto Mono"}</style>
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
</head>
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
<body dir="ltr" data-md-color-scheme="" data-md-color-primary="none" data-md-color-accent="none">
|
||
|
|
||
|
|
||
|
<script>function __scope(t,e="."){return new URL(e,location).pathname+"."+t}function __get(t,e=localStorage,n){return JSON.parse(e.getItem(__scope(t,n)))}function __set(t,e,n=localStorage,o){try{n.setItem(__scope(t,o),JSON.stringify(e))}catch(t){}}</script>
|
||
|
|
||
|
<input class="md-toggle" data-md-toggle="drawer" type="checkbox" id="__drawer" autocomplete="off">
|
||
|
<input class="md-toggle" data-md-toggle="search" type="checkbox" id="__search" autocomplete="off">
|
||
|
<label class="md-overlay" for="__drawer"></label>
|
||
|
<div data-md-component="skip">
|
||
|
|
||
|
|
||
|
<a href="#kube-bench" class="md-skip">
|
||
|
Skip to content
|
||
|
</a>
|
||
|
|
||
|
</div>
|
||
|
<div data-md-component="announce">
|
||
|
|
||
|
</div>
|
||
|
|
||
|
<div data-md-component="outdated" hidden>
|
||
|
<aside class="md-banner md-banner--warning">
|
||
|
|
||
|
</aside>
|
||
|
</div>
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
<header class="md-header" data-md-component="header">
|
||
|
<nav class="md-header__inner md-grid" aria-label="Header">
|
||
|
<a href="." title="Kube-bench" class="md-header__button md-logo" aria-label="Kube-bench" data-md-component="logo">
|
||
|
|
||
|
<img src="images/kube-bench-logo-only.png" alt="logo">
|
||
|
|
||
|
</a>
|
||
|
<label class="md-header__button md-icon" for="__drawer">
|
||
|
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M3 6h18v2H3V6m0 5h18v2H3v-2m0 5h18v2H3v-2z"/></svg>
|
||
|
</label>
|
||
|
<div class="md-header__title" data-md-component="header-title">
|
||
|
<div class="md-header__ellipsis">
|
||
|
<div class="md-header__topic">
|
||
|
<span class="md-ellipsis">
|
||
|
Kube-bench
|
||
|
</span>
|
||
|
</div>
|
||
|
<div class="md-header__topic" data-md-component="header-topic">
|
||
|
<span class="md-ellipsis">
|
||
|
|
||
|
Overview
|
||
|
|
||
|
</span>
|
||
|
</div>
|
||
|
</div>
|
||
|
</div>
|
||
|
|
||
|
|
||
|
|
||
|
<label class="md-header__button md-icon" for="__search">
|
||
|
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.516 6.516 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5z"/></svg>
|
||
|
</label>
|
||
|
|
||
|
<div class="md-search" data-md-component="search" role="dialog">
|
||
|
<label class="md-search__overlay" for="__search"></label>
|
||
|
<div class="md-search__inner" role="search">
|
||
|
<form class="md-search__form" name="search">
|
||
|
<input type="text" class="md-search__input" name="query" aria-label="Search" placeholder="Search" autocapitalize="off" autocorrect="off" autocomplete="off" spellcheck="false" data-md-component="search-query" required>
|
||
|
<label class="md-search__icon md-icon" for="__search">
|
||
|
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.516 6.516 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5z"/></svg>
|
||
|
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M20 11v2H8l5.5 5.5-1.42 1.42L4.16 12l7.92-7.92L13.5 5.5 8 11h12z"/></svg>
|
||
|
</label>
|
||
|
<nav class="md-search__options" aria-label="Search">
|
||
|
|
||
|
<button type="reset" class="md-search__icon md-icon" aria-label="Clear" tabindex="-1">
|
||
|
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M19 6.41 17.59 5 12 10.59 6.41 5 5 6.41 10.59 12 5 17.59 6.41 19 12 13.41 17.59 19 19 17.59 13.41 12 19 6.41z"/></svg>
|
||
|
</button>
|
||
|
</nav>
|
||
|
|
||
|
</form>
|
||
|
<div class="md-search__output">
|
||
|
<div class="md-search__scrollwrap" data-md-scrollfix>
|
||
|
<div class="md-search-result" data-md-component="search-result">
|
||
|
<div class="md-search-result__meta">
|
||
|
Initializing search
|
||
|
</div>
|
||
|
<ol class="md-search-result__list"></ol>
|
||
|
</div>
|
||
|
</div>
|
||
|
</div>
|
||
|
</div>
|
||
|
</div>
|
||
|
|
||
|
|
||
|
<div class="md-header__source">
|
||
|
|
||
|
<a href="https://github.com/aquasecurity/kube-bench/" title="Go to repository" class="md-source" data-md-component="source">
|
||
|
<div class="md-source__icon md-icon">
|
||
|
|
||
|
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512"><path d="M439.55 236.05 244 40.45a28.87 28.87 0 0 0-40.81 0l-40.66 40.63 51.52 51.52c27.06-9.14 52.68 16.77 43.39 43.68l49.66 49.66c34.23-11.8 61.18 31 35.47 56.69-26.49 26.49-70.21-2.87-56-37.34L240.22 199v121.85c25.3 12.54 22.26 41.85 9.08 55a34.34 34.34 0 0 1-48.55 0c-17.57-17.6-11.07-46.91 11.25-56v-123c-20.8-8.51-24.6-30.74-18.64-45L142.57 101 8.45 235.14a28.86 28.86 0 0 0 0 40.81l195.61 195.6a28.86 28.86 0 0 0 40.8 0l194.69-194.69a28.86 28.86 0 0 0 0-40.81z"/></svg>
|
||
|
</div>
|
||
|
<div class="md-source__repository">
|
||
|
GitHub
|
||
|
</div>
|
||
|
</a>
|
||
|
</div>
|
||
|
|
||
|
</nav>
|
||
|
|
||
|
</header>
|
||
|
|
||
|
<div class="md-container" data-md-component="container">
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
<main class="md-main" data-md-component="main">
|
||
|
<div class="md-main__inner md-grid">
|
||
|
|
||
|
|
||
|
|
||
|
<div class="md-sidebar md-sidebar--primary" data-md-component="sidebar" data-md-type="navigation" >
|
||
|
<div class="md-sidebar__scrollwrap">
|
||
|
<div class="md-sidebar__inner">
|
||
|
|
||
|
|
||
|
|
||
|
<nav class="md-nav md-nav--primary" aria-label="Navigation" data-md-level="0">
|
||
|
<label class="md-nav__title" for="__drawer">
|
||
|
<a href="." title="Kube-bench" class="md-nav__button md-logo" aria-label="Kube-bench" data-md-component="logo">
|
||
|
|
||
|
<img src="images/kube-bench-logo-only.png" alt="logo">
|
||
|
|
||
|
</a>
|
||
|
Kube-bench
|
||
|
</label>
|
||
|
|
||
|
<div class="md-nav__source">
|
||
|
|
||
|
<a href="https://github.com/aquasecurity/kube-bench/" title="Go to repository" class="md-source" data-md-component="source">
|
||
|
<div class="md-source__icon md-icon">
|
||
|
|
||
|
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512"><path d="M439.55 236.05 244 40.45a28.87 28.87 0 0 0-40.81 0l-40.66 40.63 51.52 51.52c27.06-9.14 52.68 16.77 43.39 43.68l49.66 49.66c34.23-11.8 61.18 31 35.47 56.69-26.49 26.49-70.21-2.87-56-37.34L240.22 199v121.85c25.3 12.54 22.26 41.85 9.08 55a34.34 34.34 0 0 1-48.55 0c-17.57-17.6-11.07-46.91 11.25-56v-123c-20.8-8.51-24.6-30.74-18.64-45L142.57 101 8.45 235.14a28.86 28.86 0 0 0 0 40.81l195.61 195.6a28.86 28.86 0 0 0 40.8 0l194.69-194.69a28.86 28.86 0 0 0 0-40.81z"/></svg>
|
||
|
</div>
|
||
|
<div class="md-source__repository">
|
||
|
GitHub
|
||
|
</div>
|
||
|
</a>
|
||
|
</div>
|
||
|
|
||
|
<ul class="md-nav__list" data-md-scrollfix>
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
<li class="md-nav__item md-nav__item--active">
|
||
|
|
||
|
<input class="md-nav__toggle md-toggle" data-md-toggle="toc" type="checkbox" id="__toc">
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
<a href="." class="md-nav__link md-nav__link--active">
|
||
|
Overview
|
||
|
</a>
|
||
|
|
||
|
</li>
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
<li class="md-nav__item md-nav__item--nested">
|
||
|
|
||
|
|
||
|
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_2" type="checkbox" id="__nav_2" >
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
<label class="md-nav__link" for="__nav_2">
|
||
|
Getting Started
|
||
|
<span class="md-nav__icon md-icon"></span>
|
||
|
</label>
|
||
|
|
||
|
<nav class="md-nav" aria-label="Getting Started" data-md-level="1">
|
||
|
<label class="md-nav__title" for="__nav_2">
|
||
|
<span class="md-nav__icon md-icon"></span>
|
||
|
Getting Started
|
||
|
</label>
|
||
|
<ul class="md-nav__list" data-md-scrollfix>
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
<li class="md-nav__item">
|
||
|
<a href="Installation.md" class="md-nav__link">
|
||
|
Installation
|
||
|
</a>
|
||
|
</li>
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
<li class="md-nav__item">
|
||
|
<a href="Platforms.md" class="md-nav__link">
|
||
|
Platforms
|
||
|
</a>
|
||
|
</li>
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
<li class="md-nav__item">
|
||
|
<a href="Running.md" class="md-nav__link">
|
||
|
How to run
|
||
|
</a>
|
||
|
</li>
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
<li class="md-nav__item">
|
||
|
<a href="asff/" class="md-nav__link">
|
||
|
ASFF
|
||
|
</a>
|
||
|
</li>
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
</ul>
|
||
|
</nav>
|
||
|
</li>
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
<li class="md-nav__item">
|
||
|
<a href="Flags_and_commands.md" class="md-nav__link">
|
||
|
Flags
|
||
|
</a>
|
||
|
</li>
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
<li class="md-nav__item md-nav__item--nested">
|
||
|
|
||
|
|
||
|
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_4" type="checkbox" id="__nav_4" >
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
<label class="md-nav__link" for="__nav_4">
|
||
|
Configuration Options
|
||
|
<span class="md-nav__icon md-icon"></span>
|
||
|
</label>
|
||
|
|
||
|
<nav class="md-nav" aria-label="Configuration Options" data-md-level="1">
|
||
|
<label class="md-nav__title" for="__nav_4">
|
||
|
<span class="md-nav__icon md-icon"></span>
|
||
|
Configuration Options
|
||
|
</label>
|
||
|
<ul class="md-nav__list" data-md-scrollfix>
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
<li class="md-nav__item">
|
||
|
<a href="Controls.md" class="md-nav__link">
|
||
|
Understanding the yamls
|
||
|
</a>
|
||
|
</li>
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
<li class="md-nav__item">
|
||
|
<a href="Architecture.md" class="md-nav__link">
|
||
|
Architecture
|
||
|
</a>
|
||
|
</li>
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
</ul>
|
||
|
</nav>
|
||
|
</li>
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
<li class="md-nav__item">
|
||
|
<a href="Contributing.md" class="md-nav__link">
|
||
|
Contributing
|
||
|
</a>
|
||
|
</li>
|
||
|
|
||
|
|
||
|
|
||
|
</ul>
|
||
|
</nav>
|
||
|
</div>
|
||
|
</div>
|
||
|
</div>
|
||
|
|
||
|
|
||
|
|
||
|
<div class="md-sidebar md-sidebar--secondary" data-md-component="sidebar" data-md-type="toc" >
|
||
|
<div class="md-sidebar__scrollwrap">
|
||
|
<div class="md-sidebar__inner">
|
||
|
|
||
|
<nav class="md-nav md-nav--secondary" aria-label="Table of contents">
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
</nav>
|
||
|
</div>
|
||
|
</div>
|
||
|
</div>
|
||
|
|
||
|
|
||
|
<div class="md-content" data-md-component="content">
|
||
|
<article class="md-content__inner md-typeset">
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
<p><img alt="Kube-bench Logo" src="images/kube-bench.jpg" />
|
||
|
<a href="https://github.com/aquasecurity/kube-bench/releases"><img alt="GitHub Release" src="https://img.shields.io/github/release/aquasecurity/kube-bench.svg?logo=github" /></a>
|
||
|
<img alt="Downloads" src="https://img.shields.io/github/downloads/aquasecurity/kube-bench/total?logo=github" />
|
||
|
<img alt="Docker Pulls" src="https://img.shields.io/docker/pulls/aquasec/kube-bench?logo=docker&label=docker%20pulls%20%2F%20kube-bench" />
|
||
|
[<img alt="Go Report Card" src="https://goreportcard.com/badge/github.com/aquasecurity/kube-bench" />]<a href="https://goreportcard.com/report/github.com/aquasecurity/kube-bench">report-card</a>
|
||
|
<a href="https://github.com/aquasecurity/kube-bench/actions"><img alt="Build Status" src="https://github.com/aquasecurity/kube-bench/workflows/Build/badge.svg?branch=main" /></a>
|
||
|
<a href="https://github.com/aquasecurity/kube-bench/blob/main/LICENSE"><img alt="License" src="https://img.shields.io/badge/License-Apache%202.0-blue.svg" /></a>
|
||
|
<a href="https://microbadger.com/images/aquasec/kube-bench" title="Get your own image badge on microbadger.com"><img alt="Docker image" src="https://images.microbadger.com/badges/image/aquasec/kube-bench.svg" /></a>
|
||
|
<a href="https://microbadger.com/images/aquasec/kube-bench"><img alt="Source commit" src="https://images.microbadger.com/badges/commit/aquasec/kube-bench.svg" /></a>
|
||
|
<a href="https://codecov.io/github/aquasecurity/kube-bench"><img alt="Coverage Status" src="https://codecov.io/github/aquasecurity/kube-bench/branch/main/graph/badge.svg" /></a></p>
|
||
|
<h1 id="kube-bench">Kube-bench</h1>
|
||
|
<p>kube-bench is a Go application that checks whether Kubernetes is deployed securely by running the checks documented in the <a href="https://www.cisecurity.org/benchmark/kubernetes/">CIS Kubernetes Benchmark</a>.</p>
|
||
|
<p>Tests are configured with YAML files, making this tool easy to update as test specifications evolve.</p>
|
||
|
<ol>
|
||
|
<li>
|
||
|
<p>kube-bench implements the <a href="https://www.cisecurity.org/benchmark/kubernetes/">CIS Kubernetes Benchmark</a> as closely as possible. Please raise issues here if kube-bench is not correctly implementing the test as described in the Benchmark. To report issues in the Benchmark itself (for example, tests that you believe are inappropriate), please join the <a href="https://cisecurity.org">CIS community</a>.</p>
|
||
|
</li>
|
||
|
<li>
|
||
|
<p>There is not a one-to-one mapping between releases of Kubernetes and releases of the CIS benchmark. See <a href="#cis-kubernetes-benchmark-support">CIS Kubernetes Benchmark support</a> to see which releases of Kubernetes are covered by different releases of the benchmark.</p>
|
||
|
</li>
|
||
|
<li>
|
||
|
<p>It is impossible to inspect the master nodes of managed clusters, e.g. GKE, EKS, AKS and ACK, using kube-bench as one does not have access to such nodes, although it is still possible to use kube-bench to check worker node configuration in these environments.</p>
|
||
|
</li>
|
||
|
</ol>
|
||
|
<p>For help and more information go to our <a href="https://github.com/aquasecurity/kube-bench/discussions/categories/q-a">github discussions q&a</a></p>
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
</article>
|
||
|
|
||
|
</div>
|
||
|
</div>
|
||
|
|
||
|
</main>
|
||
|
|
||
|
|
||
|
<footer class="md-footer">
|
||
|
|
||
|
<nav class="md-footer__inner md-grid" aria-label="Footer">
|
||
|
|
||
|
|
||
|
|
||
|
<a href="asff/" class="md-footer__link md-footer__link--next" aria-label="Next: ASFF" rel="next">
|
||
|
<div class="md-footer__title">
|
||
|
<div class="md-ellipsis">
|
||
|
<span class="md-footer__direction">
|
||
|
Next
|
||
|
</span>
|
||
|
ASFF
|
||
|
</div>
|
||
|
</div>
|
||
|
<div class="md-footer__button md-icon">
|
||
|
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M4 11v2h12l-5.5 5.5 1.42 1.42L19.84 12l-7.92-7.92L10.5 5.5 16 11H4z"/></svg>
|
||
|
</div>
|
||
|
</a>
|
||
|
|
||
|
</nav>
|
||
|
|
||
|
<div class="md-footer-meta md-typeset">
|
||
|
<div class="md-footer-meta__inner md-grid">
|
||
|
<div class="md-footer-copyright">
|
||
|
|
||
|
|
||
|
|
||
|
</div>
|
||
|
|
||
|
</div>
|
||
|
</div>
|
||
|
</footer>
|
||
|
|
||
|
</div>
|
||
|
<div class="md-dialog" data-md-component="dialog">
|
||
|
<div class="md-dialog__inner md-typeset"></div>
|
||
|
</div>
|
||
|
<script id="__config" type="application/json">{"base": ".", "features": [], "translations": {"clipboard.copy": "Copy to clipboard", "clipboard.copied": "Copied to clipboard", "search.config.lang": "en", "search.config.pipeline": "trimmer, stopWordFilter", "search.config.separator": "[\\s\\-]+", "search.placeholder": "Search", "search.result.placeholder": "Type to start searching", "search.result.none": "No matching documents", "search.result.one": "1 matching document", "search.result.other": "# matching documents", "search.result.more.one": "1 more on this page", "search.result.more.other": "# more on this page", "search.result.term.missing": "Missing", "select.version.title": "Select version"}, "search": "assets/javascripts/workers/search.df8cae7d.min.js", "version": {"method": "mike", "provider": "mike"}}</script>
|
||
|
|
||
|
|
||
|
<script src="assets/javascripts/bundle.82217815.min.js"></script>
|
||
|
|
||
|
|
||
|
</body>
|
||
|
</html>
|