1
0
mirror of https://github.com/aquasecurity/kube-bench.git synced 2024-12-18 12:48:08 +00:00
The Kubernetes Bench for Security is a Go application that checks whether Kubernetes is deployed according to security best practices.
Go to file
Andy Pitcher 7027b6b2ec
Add CIS kubernetes CIS-1.9 for k8s v1.27 - v1.29 (#1617)
* Create cis-1.9 yamls and Update info
      - policies.yaml
          - 5.1.1 to 5.1.6 were adapted from Manual to Automated
          - 5.1.3 got broken down into 5.1.3.1 and 5.1.3.2
          - 5.1.6 got broken down into 5.1.6.1 and 5.1.6.2
          - version was set to cis-1.9
       - node.yaml master.yaml controlplane.yaml etcd.yaml
          - version was set to cis-1.9

* Adapt master.yaml
    - Expand 1.1.13/1.1.14 checks by adding super-admin.conf to the permission and ownership verification
    - Remove 1.2.12 Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used (Manual)
    - Adjust numbering from 1.2.12 to 1.2.29

* Adjust policies.yaml
   - Check 5.2.3 to 5.2.9 Title Automated to Manual

* Append node.yaml
   - Create 4.3 kube-config group
   - Create 4.3.1 Ensure that the kube-proxy metrics service is bound to localhost (Automated)

* Adjust policies 5.1.3 and 5.1.6

   - Merge 5.1.3.1 and 5.1.3.2 into 5.1.3 (use role_is_compliant and clusterrole_is_compliant)
   - Remove 5.1.6.1 and promote 5.1.6.2 to 5.1.6 since it natively covered 5.1.6.1 artifacts

* Add kubectl dependency and update publish
   - Download kubectl (build stage) based on version and architecture
   - Add binary checksum verification
   - Use go env GOARCH for ARCH
2024-06-26 15:53:57 +03:00
.github Add CIS kubernetes CIS-1.9 for k8s v1.27 - v1.29 (#1617) 2024-06-26 15:53:57 +03:00
cfg Add CIS kubernetes CIS-1.9 for k8s v1.27 - v1.29 (#1617) 2024-06-26 15:53:57 +03:00
check chore: remove refs to deprecated io/ioutil (#1504) 2023-12-05 10:52:24 +02:00
cmd Add CIS kubernetes CIS-1.9 for k8s v1.27 - v1.29 (#1617) 2024-06-26 15:53:57 +03:00
docs Add CIS kubernetes CIS-1.9 for k8s v1.27 - v1.29 (#1617) 2024-06-26 15:53:57 +03:00
hack Adding eks-stig-kubernetes-v1r6 (#1266) 2022-09-14 17:40:48 +03:00
hooks adds kube-bench version to docker build hook (#524) 2019-11-27 20:06:42 +00:00
integration/testdata fix wrong use of flag in test_items found in 4.13 and 4.14 (#1528) 2023-12-03 09:06:35 +02:00
internal/findings Migrate to aws-sdk-go-v2 (#1268) 2022-10-03 08:52:06 +03:00
.gitignore release: prepare v0.6.7-rc1 (#1136) 2022-04-03 12:00:08 +03:00
.golangci.yaml chore(lint): setup golangci-lint (#1144) 2022-04-05 16:25:45 +03:00
.goreleaser.yml Statically link binaries and remove debug information (#1615) 2024-05-22 08:37:36 +03:00
.yamllint.yaml Support Linting YAML as part of Travis CI build (#554) 2020-01-06 09:18:25 +00:00
codecov.yml Improve Proxykubeconfig tests (#708) 2020-10-07 21:53:34 +03:00
CONTRIBUTING.md Adding eks-stig-kubernetes-v1r6 (#1266) 2022-09-14 17:40:48 +03:00
Dockerfile Add CIS kubernetes CIS-1.9 for k8s v1.27 - v1.29 (#1617) 2024-06-26 15:53:57 +03:00
Dockerfile.fips.ubi Add CIS kubernetes CIS-1.9 for k8s v1.27 - v1.29 (#1617) 2024-06-26 15:53:57 +03:00
Dockerfile.ubi Add CIS kubernetes CIS-1.9 for k8s v1.27 - v1.29 (#1617) 2024-06-26 15:53:57 +03:00
entrypoint.sh Set -e to fail fast 2018-05-11 13:44:04 -04:00
fipsonly.go chore: add fips compliant images (#1473) 2023-07-24 10:02:19 +03:00
go.mod build(deps): bump k8s.io/client-go from 0.29.1 to 0.29.3 (#1587) 2024-04-18 09:54:55 +03:00
go.sum build(deps): bump k8s.io/client-go from 0.29.1 to 0.29.3 (#1587) 2024-04-18 09:54:55 +03:00
job-ack.yaml fix: fully qualified image names (#1206) 2022-06-17 18:01:32 +03:00
job-aks.yaml fix: fully qualified image names (#1206) 2022-06-17 18:01:32 +03:00
job-eks-asff.yaml support CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.2.0 (#1449) 2023-05-21 17:53:58 +03:00
job-eks-stig.yaml Adding eks-stig-kubernetes-v1r6 (#1266) 2022-09-14 17:40:48 +03:00
job-eks.yaml support CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.2.0 (#1449) 2023-05-21 17:53:58 +03:00
job-gke.yaml fix: fully qualified image names (#1206) 2022-06-17 18:01:32 +03:00
job-iks.yaml fix: fully qualified image names (#1206) 2022-06-17 18:01:32 +03:00
job-master.yaml job.yaml: Adding /var/lib/cni mounts for proper CIS 1.1.9 and 1.1.0 checking (#1547) 2024-02-11 11:23:17 +02:00
job-node.yaml job.yaml: Adding /var/lib/cni mounts for proper CIS 1.1.9 and 1.1.0 checking (#1547) 2024-02-11 11:23:17 +02:00
job-tkgi.yaml add support VMware Tanzu(TKGI) Benchmarks v1.2.53 (#1452) 2023-06-01 16:37:50 +03:00
job.yaml release: prepare-v0.7.3 (#1599) 2024-04-18 09:58:44 +03:00
LICENSE Initial commit 2017-06-19 17:01:57 +03:00
main.go Fix issue #16 about supporting verbosity. 2017-07-07 17:01:30 +00:00
makefile Add CIS kubernetes CIS-1.9 for k8s v1.27 - v1.29 (#1617) 2024-06-26 15:53:57 +03:00
mkdocs.yml Fixing typos (#899) 2021-06-09 15:11:05 +03:00
NOTICE Create NOTICE (#199) 2019-01-16 10:53:07 +02:00
OWNERS Create OWNERS 2017-08-11 16:06:44 +01:00
README.md updates to the readme 2023-10-02 12:39:24 +03:00

GitHub Release Downloads Docker Pulls Go Report Card Build Status License Coverage Status

kube-bench logo

kube-bench is a tool that checks whether Kubernetes is deployed securely by running the checks documented in the CIS Kubernetes Benchmark.

Tests are configured with YAML files, making this tool easy to update as test specifications evolve.

Kubernetes Bench for Security

CIS Scanning as part of Trivy and the Trivy Operator

Trivy, the all in one cloud native security scanner, can be deployed as a Kubernetes Operator inside a cluster. Both, the Trivy CLI, and the Trivy Operator support CIS Kubernetes Benchmark scanning among several other features.

Quick start

There are multiple ways to run kube-bench. You can run kube-bench inside a pod, but it will need access to the host's PID namespace in order to check the running processes, as well as access to some directories on the host where config files and other files are stored.

The supplied job.yaml file can be applied to run the tests as a job. For example:

$ kubectl apply -f job.yaml
job.batch/kube-bench created

$ kubectl get pods
NAME                      READY   STATUS              RESTARTS   AGE
kube-bench-j76s9   0/1     ContainerCreating   0          3s

# Wait for a few seconds for the job to complete
$ kubectl get pods
NAME                      READY   STATUS      RESTARTS   AGE
kube-bench-j76s9   0/1     Completed   0          11s

# The results are held in the pod's logs
kubectl logs kube-bench-j76s9
[INFO] 1 Master Node Security Configuration
[INFO] 1.1 API Server
...

For more information and different ways to run kube-bench see documentation

Please Note

  1. kube-bench implements the CIS Kubernetes Benchmark as closely as possible. Please raise issues here if kube-bench is not correctly implementing the test as described in the Benchmark. To report issues in the Benchmark itself (for example, tests that you believe are inappropriate), please join the CIS community.

  2. There is not a one-to-one mapping between releases of Kubernetes and releases of the CIS benchmark. See CIS Kubernetes Benchmark support to see which releases of Kubernetes are covered by different releases of the benchmark.

By default, kube-bench will determine the test set to run based on the Kubernetes version running on the machine.

Contributing

Kindly read Contributing before contributing. We welcome PRs and issue reports.

Roadmap

Going forward we plan to release updates to kube-bench to add support for new releases of the CIS Benchmark. Note that these are not released as frequently as Kubernetes releases.