kube-bench

mirror of https://github.com/aquasecurity/kube-bench.git synced 2024-11-21 23:58:06 +00:00

The Kubernetes Bench for Security is a Go application that checks whether Kubernetes is deployed according to security best practices.

Go to file

Kiran Bodipi f8fe5ee173 Add CIS Benchmarks support to Rancher Distributions RKE/RKE2/K3s (#1523 ) * add Support VMware Tanzu(TKGI) Benchmarks v1.2.53 with this change, we are adding 1. latest kubernetes cis benchmarks for VMware Tanzu1.2.53 2. logic to kube-bench so that kube-bench can auto detect vmware platform, will be able to execute the respective vmware tkgi compliance checks. 3. job-tkgi.yaml file to run the benchmark as a job in tkgi cluster Reference Document for checks: https://network.pivotal.io/products/p-compliance-scanner/#/releases/1248397 * add Support VMware Tanzu(TKGI) Benchmarks v1.2.53 with this change, we are adding 1. latest kubernetes cis benchmarks for VMware Tanzu1.2.53 2. logic to kube-bench so that kube-bench can auto detect vmware platform, will be able to execute the respective vmware tkgi compliance checks. 3. job-tkgi.yaml file to run the benchmark as a job in tkgi cluster Reference Document for checks: https://network.pivotal.io/products/p-compliance-scanner/#/releases/1248397 * release: prepare v0.6.15 (#1455) Signed-off-by: chenk <hen.keinan@gmail.com> * build(deps): bump golang from 1.19.4 to 1.20.4 (#1436) Bumps golang from 1.19.4 to 1.20.4. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * build(deps): bump actions/setup-go from 3 to 4 (#1402) Bumps [actions/setup-go](https://github.com/actions/setup-go) from 3 to 4. - [Release notes](https://github.com/actions/setup-go/releases) - [Commits](https://github.com/actions/setup-go/compare/v3...v4) --- updated-dependencies: - dependency-name: actions/setup-go dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: chenk <hen.keinan@gmail.com> * Fix test_items in cis-1.7 - node - 4.2.12 (#1469) Related issue: https://github.com/aquasecurity/kube-bench/issues/1468 * Fix node.yaml - 4.1.7 and 4.1.8 audit by adding uniq (#1472) * chore: add fips compliant images (#1473) For fips complaince we need to generate fips compliant images. As part of this change, we will create new kube-bench image which will be fips compliant. Image name follows this tag pattern <version>-ubi-fips * release: prepare v0.6.16-rc (#1476) * release: prepare v0.6.16-rc Signed-off-by: chenk <hen.keinan@gmail.com> * release: prepare v0.6.16-rc Signed-off-by: chenk <hen.keinan@gmail.com> --------- Signed-off-by: chenk <hen.keinan@gmail.com> * release: prepare v0.6.16 official (#1479) Signed-off-by: chenk <hen.keinan@gmail.com> * Update job.yaml (#1477) * Update job.yaml Fix on typo for image version * chore: sync with upstream Signed-off-by: chenk <hen.keinan@gmail.com> --------- Signed-off-by: chenk <hen.keinan@gmail.com> Co-authored-by: chenk <hen.keinan@gmail.com> * release: prepare v0.6.17 (#1480) Signed-off-by: chenk <hen.keinan@gmail.com> * Bump docker base images (#1465) During a recent CVE scan we found kube-bench to use `alpine:3.18` as the final image which has a known high CVE. ``` grype aquasec/kube-bench:v0.6.15 ✔ Vulnerability DB [no update available] ✔ Loaded image ✔ Parsed image ✔ Cataloged packages [73 packages] ✔ Scanning image... [4 vulnerabilities] ├── 0 critical, 4 high, 0 medium, 0 low, 0 negligible └── 4 fixed NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY libcrypto3 3.1.0-r4 3.1.1-r0 apk CVE-2023-2650 High libssl3 3.1.0-r4 3.1.1-r0 apk CVE-2023-2650 High openssl 3.1.0-r4 3.1.1-r0 apk CVE-2023-2650 High ``` The CVE in question was addressed in the latest [alpine release](https://www.alpinelinux.org/posts/Alpine-3.15.9-3.16.6-3.17.4-3.18.2-released.html), hence updating the dockerfiles accordingly * build(deps): bump golang from 1.20.4 to 1.20.6 (#1475) Bumps golang from 1.20.4 to 1.20.6. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Add CIS Benchmarks support to Rancher Distributions RKE/RKE2/K3s Based on the information furnished in https://ranchermanager.docs.rancher.com/v2.7/pages-for-subheaders/rancher-hardening-guides kube-bench executes CIS-1.23 (Kubernetes v1.23) , CIS-1.24(Kubernetes v1.24),CIS-1.7 (Kubernetes v1.25,v1.26,v1.27) CIS Benchmarks of respective distributions. * RKE/RKE2 CIS Benchmarks Updated the order of checks for RKE and RKE2 Platforms. * fixed vulnerabilities\|upgraded package golang.org/x/net to version v0.17.0 * Error handling for RKE Detection Pre-requisites * Based on the information furnished in https://ranchermanager.docs.rancher.com/v2.7/pages-for-subheaders/rancher-hardening-guides#hardening-guides-and-benchmark-versions, kube-bench executes CIS-1.23 (Kubernetes v1.23) , CIS-1.24(Kubernetes v1.24),CIS-1.7 (Kubernetes v1.25,v1.26,v1.27) CIS Benchmarks of respective distributions. updated documentation specific to added rancher platforms * addressed review comments 1.Implemented IsRKE functionality in kube-bench 2. Removed containerd from global level config and accommodated in individual config file 3. Corrected the control id from 1.2.25 to 1.2.23 in master.yaml(k3s-cis-1.23 and k3s-cis-1.24) * Removed unncessary dependency - kubernetes-provider-detector --------- Signed-off-by: chenk <hen.keinan@gmail.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: chenk <hen.keinan@gmail.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Andy Pitcher <andy.pitcher@suse.com> Co-authored-by: Devendra Turkar <devendra.turkar@gmail.com> Co-authored-by: Guille Vigil <contact@guillermotti.com> Co-authored-by: Jonas-Taha El Sesiy <jonas-taha.elsesiy@snowflake.com>		2023-11-26 12:27:38 +02:00
.github	build(deps): bump docker/setup-qemu-action from 2 to 3 (#1503 )	2023-10-27 21:35:49 +03:00
cfg	Add CIS Benchmarks support to Rancher Distributions RKE/RKE2/K3s (#1523 )	2023-11-26 12:27:38 +02:00
check	replace with constant (#1445 )	2023-05-16 11:41:49 +03:00
cmd	Add CIS Benchmarks support to Rancher Distributions RKE/RKE2/K3s (#1523 )	2023-11-26 12:27:38 +02:00
docs	Add CIS Benchmarks support to Rancher Distributions RKE/RKE2/K3s (#1523 )	2023-11-26 12:27:38 +02:00
hack	Adding eks-stig-kubernetes-v1r6 (#1266 )	2022-09-14 17:40:48 +03:00
hooks	adds kube-bench version to docker build hook (#524 )	2019-11-27 20:06:42 +00:00
integration/testdata	Adding eks-stig-kubernetes-v1r6 (#1266 )	2022-09-14 17:40:48 +03:00
internal/findings	Migrate to aws-sdk-go-v2 (#1268 )	2022-10-03 08:52:06 +03:00
.gitignore	release: prepare v0.6.7-rc1 (#1136 )	2022-04-03 12:00:08 +03:00
.golangci.yaml	chore(lint): setup golangci-lint (#1144 )	2022-04-05 16:25:45 +03:00
.goreleaser.yml	add darwin builds (#1428 )	2023-04-18 21:15:05 +03:00
.yamllint.yaml	Support Linting YAML as part of Travis CI build (#554 )	2020-01-06 09:18:25 +00:00
codecov.yml	Improve Proxykubeconfig tests (#708 )	2020-10-07 21:53:34 +03:00
CONTRIBUTING.md	Adding eks-stig-kubernetes-v1r6 (#1266 )	2022-09-14 17:40:48 +03:00
Dockerfile	build(deps): bump golang from 1.21.1 to 1.21.3 (#1507 )	2023-11-03 18:33:42 +02:00
Dockerfile.fips.ubi	build(deps): bump golang from 1.21.1 to 1.21.3 (#1507 )	2023-11-03 18:33:42 +02:00
Dockerfile.ubi	build(deps): bump golang from 1.21.1 to 1.21.3 (#1507 )	2023-11-03 18:33:42 +02:00
entrypoint.sh	Set -e to fail fast	2018-05-11 13:44:04 -04:00
fipsonly.go	chore: add fips compliant images (#1473 )	2023-07-24 10:02:19 +03:00
go.mod	Add CIS Benchmarks support to Rancher Distributions RKE/RKE2/K3s (#1523 )	2023-11-26 12:27:38 +02:00
go.sum	Add CIS Benchmarks support to Rancher Distributions RKE/RKE2/K3s (#1523 )	2023-11-26 12:27:38 +02:00
job-ack.yaml	fix: fully qualified image names (#1206 )	2022-06-17 18:01:32 +03:00
job-aks.yaml	fix: fully qualified image names (#1206 )	2022-06-17 18:01:32 +03:00
job-eks-asff.yaml	support CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.2.0 (#1449 )	2023-05-21 17:53:58 +03:00
job-eks-stig.yaml	Adding eks-stig-kubernetes-v1r6 (#1266 )	2022-09-14 17:40:48 +03:00
job-eks.yaml	support CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.2.0 (#1449 )	2023-05-21 17:53:58 +03:00
job-gke.yaml	fix: fully qualified image names (#1206 )	2022-06-17 18:01:32 +03:00
job-iks.yaml	fix: fully qualified image names (#1206 )	2022-06-17 18:01:32 +03:00
job-master.yaml	Update job-master.yaml for K8s 1.24.x labels/tolerations (#1250 ) (#1251 )	2022-08-21 09:25:15 +03:00
job-node.yaml	fix: fully qualified image names (#1206 )	2022-06-17 18:01:32 +03:00
job-tkgi.yaml	add support VMware Tanzu(TKGI) Benchmarks v1.2.53 (#1452 )	2023-06-01 16:37:50 +03:00
job.yaml	release: prepare-0.6.19 (#1511 )	2023-10-23 10:03:22 +03:00
LICENSE	Initial commit	2017-06-19 17:01:57 +03:00
main.go	Fix issue #16 about supporting verbosity.	2017-07-07 17:01:30 +00:00
makefile	chore: add fips compliant images (#1473 )	2023-07-24 10:02:19 +03:00
mkdocs.yml	Fixing typos (#899 )	2021-06-09 15:11:05 +03:00
NOTICE	Create NOTICE (#199 )	2019-01-16 10:53:07 +02:00
OWNERS	Create OWNERS	2017-08-11 16:06:44 +01:00
README.md	updates to the readme	2023-10-02 12:39:24 +03:00

README.md

kube-bench is a tool that checks whether Kubernetes is deployed securely by running the checks documented in the CIS Kubernetes Benchmark.

Tests are configured with YAML files, making this tool easy to update as test specifications evolve.

CIS Scanning as part of Trivy and the Trivy Operator

Trivy, the all in one cloud native security scanner, can be deployed as a Kubernetes Operator inside a cluster. Both, the Trivy CLI, and the Trivy Operator support CIS Kubernetes Benchmark scanning among several other features.

Quick start

There are multiple ways to run kube-bench. You can run kube-bench inside a pod, but it will need access to the host's PID namespace in order to check the running processes, as well as access to some directories on the host where config files and other files are stored.

The supplied job.yaml file can be applied to run the tests as a job. For example:

$ kubectl apply -f job.yaml
job.batch/kube-bench created

$ kubectl get pods
NAME                      READY   STATUS              RESTARTS   AGE
kube-bench-j76s9   0/1     ContainerCreating   0          3s

# Wait for a few seconds for the job to complete
$ kubectl get pods
NAME                      READY   STATUS      RESTARTS   AGE
kube-bench-j76s9   0/1     Completed   0          11s

# The results are held in the pod's logs
kubectl logs kube-bench-j76s9
[INFO] 1 Master Node Security Configuration
[INFO] 1.1 API Server
...

For more information and different ways to run kube-bench see documentation

Please Note

kube-bench implements the CIS Kubernetes Benchmark as closely as possible. Please raise issues here if kube-bench is not correctly implementing the test as described in the Benchmark. To report issues in the Benchmark itself (for example, tests that you believe are inappropriate), please join the CIS community.
There is not a one-to-one mapping between releases of Kubernetes and releases of the CIS benchmark. See CIS Kubernetes Benchmark support to see which releases of Kubernetes are covered by different releases of the benchmark.

By default, kube-bench will determine the test set to run based on the Kubernetes version running on the machine.

see the following documentation on Running kube-bench for more details.

Contributing

Kindly read Contributing before contributing. We welcome PRs and issue reports.

Roadmap

Going forward we plan to release updates to kube-bench to add support for new releases of the CIS Benchmark. Note that these are not released as frequently as Kubernetes releases.