<!doctype html>
<html lang="en" class="no-js">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width,initial-scale=1">
<meta name="description" content="Checks whether Kubernetes is deployed according to security best practices as defined in the CIS Kubernetes Benchmark">
<link rel="canonical" href="https://aquasecurity.github.io/kube-bench/v0.6.15/running/">
<link rel="prev" href="../platforms/">
<link rel="next" href="../asff/">
<link rel="icon" href="../assets/images/favicon.png">
<meta name="generator" content="mkdocs-1.4.3, mkdocs-material-9.1.15+insiders-4.35.3">
<title>How to run - Kube-bench</title>
<link rel="stylesheet" href="../assets/stylesheets/main.cac7c1ad.min.css">
<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto:300,300i,400,400i,700,700i%7CRoboto+Mono:400,400i,700,700i&display=fallback">
<style>:root{--md-text-font:"Roboto";--md-code-font:"Roboto Mono"}</style>
<script>__md_scope=new URL("..",location),__md_hash=e=>[...e].reduce((e,_)=>(e<<5)-e+_.charCodeAt(0),0),__md_get=(e,_=localStorage,t=__md_scope)=>JSON.parse(_.getItem(t.pathname+"."+e)),__md_set=(e,_,t=localStorage,a=__md_scope)=>{try{t.setItem(a.pathname+"."+e,JSON.stringify(_))}catch(e){}}</script>
</head>
<body dir="ltr">
<input class="md-toggle" data-md-toggle="drawer" type="checkbox" id="__drawer" autocomplete="off">
<input class="md-toggle" data-md-toggle="search" type="checkbox" id="__search" autocomplete="off">
<label class="md-overlay" for="__drawer"></label>
<div data-md-component="skip">
<a href="#running-kube-bench" class="md-skip">
Skip to content
</a>
</div>
<div data-md-component="announce">
</div>
<div data-md-color-scheme="default" data-md-component="outdated" hidden>
</div>
<header class="md-header md-header--shadow" data-md-component="header">
<nav class="md-header__inner md-grid" aria-label="Header">
<a href=".." title="Kube-bench" class="md-header__button md-logo" aria-label="Kube-bench" data-md-component="logo">
<img src="../images/kube-bench-logo-only.png" alt="logo">
</a>
<label class="md-header__button md-icon" for="__drawer">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M3 6h18v2H3V6m0 5h18v2H3v-2m0 5h18v2H3v-2Z"/></svg>
</label>
<div class="md-header__title" data-md-component="header-title">
<div class="md-header__ellipsis">
<div class="md-header__topic">
<span class="md-ellipsis">
Kube-bench
</span>
</div>
<div class="md-header__topic" data-md-component="header-topic">
<span class="md-ellipsis">
How to run
</span>
</div>
</div>
</div>
<script>var media,input,key,value,palette=__md_get("__palette");if(palette&&palette.color){"(prefers-color-scheme)"===palette.color.media&&(media=matchMedia("(prefers-color-scheme: light)"),input=document.querySelector(media.matches?"[data-md-color-media='(prefers-color-scheme: light)']":"[data-md-color-media='(prefers-color-scheme: dark)']"),palette.color.media=input.getAttribute("data-md-color-media"),palette.color.scheme=input.getAttribute("data-md-color-scheme"),palette.color.primary=input.getAttribute("data-md-color-primary"),palette.color.accent=input.getAttribute("data-md-color-accent"));for([key,value]of Object.entries(palette.color))document.body.setAttribute("data-md-color-"+key,value)}</script>
<label class="md-header__button md-icon" for="__search">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.516 6.516 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5Z"/></svg>
</label>
<div class="md-search" data-md-component="search" role="dialog">
<label class="md-search__overlay" for="__search"></label>
<div class="md-search__inner" role="search">
<form class="md-search__form" name="search">
<input type="text" class="md-search__input" name="query" aria-label="Search" placeholder="Search" autocapitalize="off" autocorrect="off" autocomplete="off" spellcheck="false" data-md-component="search-query" required>
<label class="md-search__icon md-icon" for="__search">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.516 6.516 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5Z"/></svg>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M20 11v2H8l5.5 5.5-1.42 1.42L4.16 12l7.92-7.92L13.5 5.5 8 11h12Z"/></svg>
</label>
<nav class="md-search__options" aria-label="Search">
<button type="reset" class="md-search__icon md-icon" title="Clear" aria-label="Clear" tabindex="-1">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M19 6.41 17.59 5 12 10.59 6.41 5 5 6.41 10.59 12 5 17.59 6.41 19 12 13.41 17.59 19 19 17.59 13.41 12 19 6.41Z"/></svg>
</button>
</nav>
</form>
<div class="md-search__output">
<div class="md-search__scrollwrap" data-md-scrollfix>
<div class="md-search-result" data-md-component="search-result">
<div class="md-search-result__meta">
Initializing search
</div>
<ol class="md-search-result__list" role="presentation"></ol>
</div>
</div>
</div>
</div>
</div>
<div class="md-header__source">
<a href="https://github.com/aquasecurity/kube-bench/" title="Go to repository" class="md-source" data-md-component="source">
<div class="md-source__icon md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512"><!--! Font Awesome Free 6.4.0 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2023 Fonticons, Inc.--><path d="M439.55 236.05 244 40.45a28.87 28.87 0 0 0-40.81 0l-40.66 40.63 51.52 51.52c27.06-9.14 52.68 16.77 43.39 43.68l49.66 49.66c34.23-11.8 61.18 31 35.47 56.69-26.49 26.49-70.21-2.87-56-37.34L240.22 199v121.85c25.3 12.54 22.26 41.85 9.08 55a34.34 34.34 0 0 1-48.55 0c-17.57-17.6-11.07-46.91 11.25-56v-123c-20.8-8.51-24.6-30.74-18.64-45L142.57 101 8.45 235.14a28.86 28.86 0 0 0 0 40.81l195.61 195.6a28.86 28.86 0 0 0 40.8 0l194.69-194.69a28.86 28.86 0 0 0 0-40.81z"/></svg>
</div>
<div class="md-source__repository">
GitHub
</div>
</a>
</div>
</nav>
</header>
<div class="md-container" data-md-component="container">
<main class="md-main" data-md-component="main">
<div class="md-main__inner md-grid">
<div class="md-sidebar md-sidebar--primary" data-md-component="sidebar" data-md-type="navigation" >
<div class="md-sidebar__scrollwrap">
<div class="md-sidebar__inner">
<nav class="md-nav md-nav--primary" aria-label="Navigation" data-md-level="0">
<label class="md-nav__title" for="__drawer">
<a href=".." title="Kube-bench" class="md-nav__button md-logo" aria-label="Kube-bench" data-md-component="logo">
<img src="../images/kube-bench-logo-only.png" alt="logo">
</a>
Kube-bench
</label>
<div class="md-nav__source">
<a href="https://github.com/aquasecurity/kube-bench/" title="Go to repository" class="md-source" data-md-component="source">
<div class="md-source__icon md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512"><!--! Font Awesome Free 6.4.0 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2023 Fonticons, Inc.--><path d="M439.55 236.05 244 40.45a28.87 28.87 0 0 0-40.81 0l-40.66 40.63 51.52 51.52c27.06-9.14 52.68 16.77 43.39 43.68l49.66 49.66c34.23-11.8 61.18 31 35.47 56.69-26.49 26.49-70.21-2.87-56-37.34L240.22 199v121.85c25.3 12.54 22.26 41.85 9.08 55a34.34 34.34 0 0 1-48.55 0c-17.57-17.6-11.07-46.91 11.25-56v-123c-20.8-8.51-24.6-30.74-18.64-45L142.57 101 8.45 235.14a28.86 28.86 0 0 0 0 40.81l195.61 195.6a28.86 28.86 0 0 0 40.8 0l194.69-194.69a28.86 28.86 0 0 0 0-40.81z"/></svg>
</div>
<div class="md-source__repository">
GitHub
</div>
</a>
</div>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href=".." class="md-nav__link">
<span class="md-ellipsis">
Overview
</span>
</a>
</li>
<li class="md-nav__item md-nav__item--active md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_2" checked>
<label class="md-nav__link" for="__nav_2" id="__nav_2_label" tabindex="0">
<span class="md-ellipsis">
Getting Started
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_2_label" aria-expanded="true">
<label class="md-nav__title" for="__nav_2">
<span class="md-nav__icon md-icon"></span>
Getting Started
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../installation/" class="md-nav__link">
<span class="md-ellipsis">
Installation
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../platforms/" class="md-nav__link">
<span class="md-ellipsis">
Platforms
</span>
</a>
</li>
<li class="md-nav__item md-nav__item--active">
<input class="md-nav__toggle md-toggle" type="checkbox" id="__toc">
<label class="md-nav__link md-nav__link--active" for="__toc">
<span class="md-ellipsis">
How to run
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<a href="./" class="md-nav__link md-nav__link--active">
<span class="md-ellipsis">
How to run
</span>
</a>
<nav class="md-nav md-nav--secondary" aria-label="Table of contents">
<label class="md-nav__title" for="__toc">
<span class="md-nav__icon md-icon"></span>
Table of contents
</label>
<ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
<li class="md-nav__item">
<a href="#running-kube-bench" class="md-nav__link">
<span class="md-ellipsis">
Running kube-bench
</span>
</a>
<nav class="md-nav" aria-label="Running kube-bench">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#running-inside-a-container" class="md-nav__link">
<span class="md-ellipsis">
Running inside a container
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#running-in-a-kubernetes-cluster" class="md-nav__link">
<span class="md-ellipsis">
Running in a Kubernetes cluster
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#running-in-an-aks-cluster" class="md-nav__link">
<span class="md-ellipsis">
Running in an AKS cluster
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#running-cis-benchmark-in-an-eks-cluster" class="md-nav__link">
<span class="md-ellipsis">
Running CIS benchmark in an EKS cluster
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#running-disa-stig-in-an-eks-cluster" class="md-nav__link">
<span class="md-ellipsis">
Running DISA STIG in an EKS cluster
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#running-on-openshift" class="md-nav__link">
<span class="md-ellipsis">
Running on OpenShift
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#running-in-a-gke-cluster" class="md-nav__link">
<span class="md-ellipsis">
Running in a GKE cluster
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#running-in-a-ack-cluster" class="md-nav__link">
<span class="md-ellipsis">
Running in an ACK cluster
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#running-in-a-vmware-tkgi-cluster" class="md-nav__link">
<span class="md-ellipsis">
Running in a VMware TKGI cluster
</span>
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="../asff/" class="md-nav__link">
<span class="md-ellipsis">
ASFF
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="../flags-and-commands/" class="md-nav__link">
<span class="md-ellipsis">
Flags
</span>
</a>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_4" >
<label class="md-nav__link" for="__nav_4" id="__nav_4_label" tabindex="0">
<span class="md-ellipsis">
Configuration Options
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_4_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_4">
<span class="md-nav__icon md-icon"></span>
Configuration Options
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../controls/" class="md-nav__link">
<span class="md-ellipsis">
Understanding the yamls
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../architecture/" class="md-nav__link">
<span class="md-ellipsis">
Architecture
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="../CONTRIBUTING.md" class="md-nav__link">
<span class="md-ellipsis">
Contributing
</span>
</a>
</li>
</ul>
</nav>
</div>
</div>
</div>
<div class="md-sidebar md-sidebar--secondary" data-md-component="sidebar" data-md-type="toc" >
<div class="md-sidebar__scrollwrap">
<div class="md-sidebar__inner">
<nav class="md-nav md-nav--secondary" aria-label="Table of contents">
<label class="md-nav__title" for="__toc">
<span class="md-nav__icon md-icon"></span>
Table of contents
</label>
<ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
<li class="md-nav__item">
<a href="#running-kube-bench" class="md-nav__link">
<span class="md-ellipsis">
Running kube-bench
</span>
</a>
<nav class="md-nav" aria-label="Running kube-bench">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#running-inside-a-container" class="md-nav__link">
<span class="md-ellipsis">
Running inside a container
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#running-in-a-kubernetes-cluster" class="md-nav__link">
<span class="md-ellipsis">
Running in a Kubernetes cluster
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#running-in-an-aks-cluster" class="md-nav__link">
<span class="md-ellipsis">
Running in an AKS cluster
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#running-cis-benchmark-in-an-eks-cluster" class="md-nav__link">
<span class="md-ellipsis">
Running CIS benchmark in an EKS cluster
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#running-disa-stig-in-an-eks-cluster" class="md-nav__link">
<span class="md-ellipsis">
Running DISA STIG in an EKS cluster
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#running-on-openshift" class="md-nav__link">
<span class="md-ellipsis">
Running on OpenShift
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#running-in-a-gke-cluster" class="md-nav__link">
<span class="md-ellipsis">
Running in a GKE cluster
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#running-in-a-ack-cluster" class="md-nav__link">
<span class="md-ellipsis">
Running in an ACK cluster
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#running-in-a-vmware-tkgi-cluster" class="md-nav__link">
<span class="md-ellipsis">
Running in a VMware TKGI cluster
</span>
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</div>
</div>
</div>
<div class="md-content" data-md-component="content">
<article class="md-content__inner md-typeset">
<h1>How to run</h1>
<h2 id="running-kube-bench">Running kube-bench</h2>
<p>If you run kube-bench directly from the command line you may need to run it as root (or via sudo) to have access to all the config files.</p>
<p>By default kube-bench attempts to auto-detect the running version of Kubernetes and map it to the corresponding CIS Benchmark version. For example, Kubernetes version 1.15 is mapped to CIS Benchmark version <code>cis-1.15</code>, which is the benchmark version valid for Kubernetes 1.15.</p>
<p>kube-bench also attempts to identify the components running on the node, and uses this to determine which tests to run (for example, only running the master node tests if the node is running an API server).</p>
<p><strong>Please note</strong>
It is not possible to inspect the master nodes of managed clusters (e.g. GKE, EKS, AKS and ACK) with kube-bench, because users do not have access to those nodes. It is still possible to use kube-bench to check worker node configuration in these environments.</p>
<h3 id="running-inside-a-container">Running inside a container</h3>
<p>You can avoid installing kube-bench on the host by running it inside a container that uses the host PID namespace and mounts the host's <code>/etc</code> and <code>/var</code> directories (read-only, as in the example below), where the configuration and other files are located, so that kube-bench can check their existence and permissions.</p>
<div class="highlight"><pre><span></span><code>docker run --pid=host -v /etc:/etc:ro -v /var:/var:ro -t docker.io/aquasec/kube-bench:latest --version 1.18
</code></pre></div>
<blockquote>
<p>Note: the tests require either the kubelet or kubectl binary on the PATH in order to auto-detect the Kubernetes version. You can pass <code>-v $(which kubectl):/usr/local/mount-from-host/bin/kubectl</code> to resolve this. You will also need to pass in kubeconfig credentials. For example:</p>
</blockquote>
<div class="highlight"><pre><span></span><code>docker run --pid=host -v /etc:/etc:ro -v /var:/var:ro -v $(which kubectl):/usr/local/mount-from-host/bin/kubectl -v ~/.kube:/.kube -e KUBECONFIG=/.kube/config -t docker.io/aquasec/kube-bench:latest
</code></pre></div>
<p>You can use your own configs by mounting them over the default ones in <code>/opt/kube-bench/cfg/</code>:</p>
<div class="highlight"><pre><span></span><code>docker run --pid=host -v /etc:/etc:ro -v /var:/var:ro -t -v path/to/my-config.yaml:/opt/kube-bench/cfg/config.yaml -v $(which kubectl):/usr/local/mount-from-host/bin/kubectl -v ~/.kube:/.kube -e KUBECONFIG=/.kube/config docker.io/aquasec/kube-bench:latest
</code></pre></div>
<h3 id="running-in-a-kubernetes-cluster">Running in a Kubernetes cluster</h3>
<p>You can run kube-bench inside a pod, but it will need access to the host's PID namespace in order to check the running processes, as well as access to some directories on the host where config files and other files are stored.</p>
<p>The <code>job.yaml</code> file (available in the root directory of the repository) can be applied to run the tests as a Kubernetes <code>Job</code>. For example:</p>
<div class="highlight"><pre><span></span><code>$<span class="w"> </span>kubectl<span class="w"> </span>apply<span class="w"> </span>-f<span class="w"> </span>job.yaml
job.batch/kube-bench<span class="w"> </span>created
$<span class="w"> </span>kubectl<span class="w"> </span>get<span class="w"> </span>pods
NAME<span class="w"> </span>READY<span class="w"> </span>STATUS<span class="w"> </span>RESTARTS<span class="w"> </span>AGE
kube-bench-j76s9<span class="w"> </span><span class="m">0</span>/1<span class="w"> </span>ContainerCreating<span class="w"> </span><span class="m">0</span><span class="w"> </span>3s
<span class="c1"># Wait for a few seconds for the job to complete</span>
$<span class="w"> </span>kubectl<span class="w"> </span>get<span class="w"> </span>pods
NAME<span class="w"> </span>READY<span class="w"> </span>STATUS<span class="w"> </span>RESTARTS<span class="w"> </span>AGE
kube-bench-j76s9<span class="w"> </span><span class="m">0</span>/1<span class="w"> </span>Completed<span class="w"> </span><span class="m">0</span><span class="w"> </span>11s
<span class="c1"># The results are held in the pod&#39;s logs</span>
kubectl<span class="w"> </span>logs<span class="w"> </span>kube-bench-j76s9
<span class="o">[</span>INFO<span class="o">]</span><span class="w"> </span><span class="m">1</span><span class="w"> </span>Master<span class="w"> </span>Node<span class="w"> </span>Security<span class="w"> </span>Configuration
<span class="o">[</span>INFO<span class="o">]</span><span class="w"> </span><span class="m">1</span>.1<span class="w"> </span>API<span class="w"> </span>Server
...
</code></pre></div>
<p>To run tests on the master node, the pod needs to be scheduled on that node. This involves setting a nodeSelector and tolerations in the pod spec.</p>
<p>The default labels applied to master nodes have changed since Kubernetes 1.11, so if you are using an older version you may need to modify the nodeSelector and tolerations to run the job on the master node.</p>
<h3 id="running-in-an-aks-cluster">Running in an AKS cluster</h3>
<ol>
<li>
<p>Create an AKS cluster (e.g. 1.13.7) with RBAC enabled; otherwise there will be 4 failures.</p>
</li>
<li>
<p>Use the <a href="https://github.com/kvaps/kubectl-enter">kubectl-enter plugin</a> to shell into a node
(<code>kubectl-enter {node-name}</code>),
or SSH to one agent node. For SSH access you could open port 22 in the NSG and assign a public IP to one agent node (for testing purposes only).</p>
</li>
<li>
<p>Run the CIS benchmark to view the results:
<div class="highlight"><pre><span></span><code>docker run --rm -v `pwd`:/host docker.io/aquasec/kube-bench:latest install
./kube-bench
</code></pre></div>
kube-bench cannot be run on AKS master nodes.</p>
</li>
</ol>
<h3 id="running-cis-benchmark-in-an-eks-cluster">Running CIS benchmark in an EKS cluster</h3>
<p>There is a <code>job-eks.yaml</code> file for running the kube-bench node checks on an EKS cluster. The significant difference on EKS is that it is not possible to schedule jobs onto the master node, so master checks cannot be performed.</p>
<ol>
<li>To create an EKS Cluster refer to <a href="https://docs.aws.amazon.com/eks/latest/userguide/getting-started.html">Getting Started with Amazon EKS</a> in the <em>Amazon EKS User Guide</em></li>
<li>Information on configuring <code>eksctl</code>, <code>kubectl</code> and the AWS CLI is included there.</li>
<li>Create an <a href="https://docs.aws.amazon.com/AmazonECR/latest/userguide/what-is-ecr.html">Amazon Elastic Container Registry (ECR)</a> repository to host the kube-bench container image
<div class="highlight"><pre><span></span><code>aws ecr create-repository --repository-name k8s/kube-bench --image-tag-mutability MUTABLE
</code></pre></div></li>
<li>Download, build and push the kube-bench container image to your ECR repo
<div class="highlight"><pre><span></span><code>git clone https://github.com/aquasecurity/kube-bench.git
cd kube-bench
aws ecr get-login-password --region &lt;AWS_REGION&gt; | docker login --username AWS --password-stdin &lt;AWS_ACCT_NUMBER&gt;.dkr.ecr.&lt;AWS_REGION&gt;.amazonaws.com
docker build -t k8s/kube-bench .
docker tag k8s/kube-bench:latest &lt;AWS_ACCT_NUMBER&gt;.dkr.ecr.&lt;AWS_REGION&gt;.amazonaws.com/k8s/kube-bench:latest
docker push &lt;AWS_ACCT_NUMBER&gt;.dkr.ecr.&lt;AWS_REGION&gt;.amazonaws.com/k8s/kube-bench:latest
</code></pre></div></li>
<li>Copy the URI of your pushed image; the URI has the form <code>&lt;AWS_ACCT_NUMBER&gt;.dkr.ecr.&lt;AWS_REGION&gt;.amazonaws.com/k8s/kube-bench:latest</code></li>
<li>Replace the <code>image</code> value in <code>job-eks.yaml</code> with the URI from Step 4</li>
<li>Run the kube-bench job on a Pod in your Cluster: <code>kubectl apply -f job-eks.yaml</code></li>
<li>Find the Pod that was created; it <em>should</em> be in the <code>default</code> namespace: <code>kubectl get pods --all-namespaces</code></li>
<li>Retrieve the logs of this Pod to output the report; note that the Pod name will vary: <code>kubectl logs kube-bench-&lt;value&gt;</code></li>
<li>You can save the report for later reference: <code>kubectl logs kube-bench-&lt;value&gt; &gt; kube-bench-report.txt</code></li>
</ol>
<h3 id="running-disa-stig-in-an-eks-cluster">Running DISA STIG in an EKS cluster</h3>
<p>There is a <code>job-eks-stig.yaml</code> file for running the kube-bench node checks on an EKS cluster. The significant difference on EKS is that it is not possible to schedule jobs onto the master node, so master checks cannot be performed.</p>
<ol>
<li>To create an EKS Cluster refer to <a href="https://docs.aws.amazon.com/eks/latest/userguide/getting-started.html">Getting Started with Amazon EKS</a> in the <em>Amazon EKS User Guide</em></li>
<li>Information on configuring <code>eksctl</code>, <code>kubectl</code> and the AWS CLI is included there.</li>
<li>Create an <a href="https://docs.aws.amazon.com/AmazonECR/latest/userguide/what-is-ecr.html">Amazon Elastic Container Registry (ECR)</a> repository to host the kube-bench container image
<div class="highlight"><pre><span></span><code>aws ecr create-repository --repository-name k8s/kube-bench --image-tag-mutability MUTABLE
</code></pre></div></li>
<li>Download, build and push the kube-bench container image to your ECR repo
<div class="highlight"><pre><span></span><code>git clone https://github.com/aquasecurity/kube-bench.git
cd kube-bench
aws ecr get-login-password --region &lt;AWS_REGION&gt; | docker login --username AWS --password-stdin &lt;AWS_ACCT_NUMBER&gt;.dkr.ecr.&lt;AWS_REGION&gt;.amazonaws.com
docker build -t k8s/kube-bench .
docker tag k8s/kube-bench:latest &lt;AWS_ACCT_NUMBER&gt;.dkr.ecr.&lt;AWS_REGION&gt;.amazonaws.com/k8s/kube-bench:latest
docker push &lt;AWS_ACCT_NUMBER&gt;.dkr.ecr.&lt;AWS_REGION&gt;.amazonaws.com/k8s/kube-bench:latest
</code></pre></div></li>
<li>Copy the URI of your pushed image; the URI has the form <code>&lt;AWS_ACCT_NUMBER&gt;.dkr.ecr.&lt;AWS_REGION&gt;.amazonaws.com/k8s/kube-bench:latest</code></li>
<li>Replace the <code>image</code> value in <code>job-eks-stig.yaml</code> with the URI from Step 4</li>
<li>Run the kube-bench job on a Pod in your Cluster: <code>kubectl apply -f job-eks-stig.yaml</code></li>
<li>Find the Pod that was created; it <em>should</em> be in the <code>default</code> namespace: <code>kubectl get pods --all-namespaces</code></li>
<li>Retrieve the logs of this Pod to output the report; note that the Pod name will vary: <code>kubectl logs kube-bench-&lt;value&gt;</code></li>
<li>You can save the report for later reference: <code>kubectl logs kube-bench-&lt;value&gt; &gt; kube-bench-report.txt</code></li>
</ol>
<h3 id="running-on-openshift">Running on OpenShift</h3>
<table>
<thead>
<tr>
<th>OpenShift Hardening Guide</th>
<th>kube-bench config</th>
</tr>
</thead>
<tbody>
<tr>
<td>ocp-3.10 +</td>
<td>rh-0.7</td>
</tr>
<tr>
<td>ocp-4.1 +</td>
<td>rh-1.0</td>
</tr>
</tbody>
</table>
<p>kube-bench includes a set of test files for Red Hat's OpenShift hardening guide for OCP 3.10 and 4.1. To run these you will need to specify <code>--benchmark rh-0.7</code> or <code>--version ocp-3.10</code>, or <code>--version ocp-4.5</code> or <code>--benchmark rh-1.0</code>.</p>
<p><code>kube-bench</code> supports auto-detection: when you run the <code>kube-bench</code> command it will detect whether it is running in an OpenShift environment.</p>
<p>Since running <code>kube-bench</code> requires elevated privileges, the <code>privileged</code> SecurityContextConstraint needs to be applied to the ServiceAccount used for the <code>Job</code>. Note that the example below grants it to the <code>default</code> ServiceAccount, which other pods in the same namespace may also use, so the grant is broader than the job itself:</p>
<div class="highlight"><pre><span></span><code>oc create namespace kube-bench
oc adm policy add-scc-to-user privileged --serviceaccount default
oc apply -f job.yaml
</code></pre></div>
<h3 id="running-in-a-gke-cluster">Running in a GKE cluster</h3>
<table>
<thead>
<tr>
<th>CIS Benchmark</th>
<th>Targets</th>
</tr>
</thead>
<tbody>
<tr>
<td>gke-1.0</td>
<td>master, controlplane, node, etcd, policies, managedservices</td>
</tr>
<tr>
<td>gke-1.2.0</td>
<td>master, controlplane, node, policies, managedservices</td>
</tr>
</tbody>
</table>
<p>kube-bench includes benchmarks for GKE. To run this you will need to specify <code>--benchmark gke-1.0</code> or <code>--benchmark gke-1.2.0</code> when you run the <code>kube-bench</code> command.</p>
<p>To run the benchmark as a job in your GKE cluster apply the included <code>job-gke.yaml</code>.</p>
<div class="highlight"><pre><span></span><code>kubectl apply -f job-gke.yaml
</code></pre></div>
<h3 id="running-in-a-ack-cluster">Running in an ACK cluster</h3>
<table>
<thead>
<tr>
<th>CIS Benchmark</th>
<th>Targets</th>
</tr>
</thead>
<tbody>
<tr>
<td>ack-1.0</td>
<td>master, controlplane, node, etcd, policies, managedservices</td>
</tr>
</tbody>
</table>
<p>kube-bench includes benchmarks for Alibaba Cloud Container Service For Kubernetes (ACK).
To run this you will need to specify <code>--benchmark ack-1.0</code> when you run the <code>kube-bench</code> command.</p>
<p>To run the benchmark as a job in your ACK cluster apply the included <code>job-ack.yaml</code>.</p>
<div class="highlight"><pre><span></span><code>kubectl apply -f job-ack.yaml
</code></pre></div>
<h3 id="running-in-a-vmware-tkgi-cluster">Running in a VMware TKGI cluster</h3>
<table>
<thead>
<tr>
<th>CIS Benchmark</th>
<th>Targets</th>
</tr>
</thead>
<tbody>
<tr>
<td>tkgi-1.2.53</td>
<td>master, etcd, controlplane, node, policies</td>
</tr>
</tbody>
</table>
<p>kube-bench includes benchmarks for the VMware TKGI platform.
To run them you will need to specify <code>--benchmark tkgi-1.2.53</code> when you run the <code>kube-bench</code> command.</p>
<p>To run the benchmark as a job in your VMware TKGI cluster, apply the included <code>job-tkgi.yaml</code>.</p>
<div class="highlight"><pre><span></span><code>kubectl apply -f job-tkgi.yaml
</code></pre></div>
</article>
</div>
<script>var target=document.getElementById(location.hash.slice(1));target&&target.name&&(target.checked=target.name.startsWith("__tabbed_"))</script>
</div>
</main>
<footer class="md-footer">
<div class="md-footer-meta md-typeset">
<div class="md-footer-meta__inner md-grid">
<div class="md-copyright">
</div>
</div>
</div>
</footer>
</div>
<div class="md-dialog" data-md-component="dialog">
<div class="md-dialog__inner md-typeset"></div>
</div>
<script id="__config" type="application/json">{"base": "..", "features": [], "search": "../assets/javascripts/workers/search.6c7302c4.min.js", "translations": {"clipboard.copied": "Copied to clipboard", "clipboard.copy": "Copy to clipboard", "search.result.more.one": "1 more on this page", "search.result.more.other": "# more on this page", "search.result.none": "No matching documents", "search.result.one": "1 matching document", "search.result.other": "# matching documents", "search.result.placeholder": "Type to start searching", "search.result.term.missing": "Missing", "select.version": "Select version"}, "version": {"method": "mike", "provider": "mike"}}</script>
<script src="../assets/javascripts/bundle.10c6cd24.min.js"></script>
</body>
</html>