kube-bench

The Kubernetes Bench for Security is a Go application that checks whether Kubernetes is deployed according to security best practices.

Vai al file

dependabot[bot] 947ac102ad build(deps): bump golang.org/x/net from 0.19.0 to 0.23.0 Bumps [golang.org/x/net](https://github.com/golang/net) from 0.19.0 to 0.23.0. - [Commits](https://github.com/golang/net/compare/v0.19.0...v0.23.0) --- updated-dependencies: - dependency-name: golang.org/x/net dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>		4 giorni fa
.github	build(deps): bump golangci/golangci-lint-action from 3 to 4 (#1568 )	2 mesi fa
cfg	Currently, certain commands involve retrieving all node names or pods and then executing additional commands in a loop, resulting in a time complexity linearly proportional to the number of nodes. (#1597 )	5 giorni fa
check	chore: remove refs to deprecated io/ioutil (#1504 )	5 mesi fa
cmd	chore: remove refs to deprecated io/ioutil (#1504 )	5 mesi fa
docs	support CIS Kubernetes Benchmark v1.8.0 (#1527 )	5 mesi fa
hack	Adding eks-stig-kubernetes-v1r6 (#1266 )	2 anni fa
hooks	adds kube-bench version to docker build hook (#524 )	4 anni fa
integration/testdata	fix wrong use of flag in test_items found in 4.13 and 4.14 (#1528 )	5 mesi fa
internal/findings	Migrate to aws-sdk-go-v2 (#1268 )	2 anni fa
.gitignore	release: prepare v0.6.7-rc1 (#1136 )	2 anni fa
.golangci.yaml	chore(lint): setup golangci-lint (#1144 )	2 anni fa
.goreleaser.yml	add darwin builds (#1428 )	1 anno fa
.yamllint.yaml	Support Linting YAML as part of Travis CI build (#554 )	4 anni fa
CONTRIBUTING.md	Adding eks-stig-kubernetes-v1r6 (#1266 )	2 anni fa
Dockerfile	build(deps): bump golang from 1.22.0 to 1.22.1 (#1583 )	4 settimane fa
Dockerfile.fips.ubi	build(deps): bump golang from 1.22.0 to 1.22.1 (#1583 )	4 settimane fa
Dockerfile.ubi	build(deps): bump golang from 1.22.0 to 1.22.1 (#1583 )	4 settimane fa
LICENSE	Initial commit	7 anni fa
NOTICE	Create NOTICE (#199 )	5 anni fa
OWNERS	Create OWNERS	7 anni fa
README.md	updates to the readme	7 mesi fa
codecov.yml	Improve Proxykubeconfig tests (#708 )	4 anni fa
entrypoint.sh	Set -e to fail fast	6 anni fa
fipsonly.go	chore: add fips compliant images (#1473 )	9 mesi fa
go.mod	build(deps): bump golang.org/x/net from 0.19.0 to 0.23.0	4 giorni fa
go.sum	build(deps): bump golang.org/x/net from 0.19.0 to 0.23.0	4 giorni fa
job-ack.yaml	fix: fully qualified image names (#1206 )	2 anni fa
job-aks.yaml	fix: fully qualified image names (#1206 )	2 anni fa
job-eks-asff.yaml	support CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.2.0 (#1449 )	11 mesi fa
job-eks-stig.yaml	Adding eks-stig-kubernetes-v1r6 (#1266 )	2 anni fa
job-eks.yaml	support CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.2.0 (#1449 )	11 mesi fa
job-gke.yaml	fix: fully qualified image names (#1206 )	2 anni fa
job-iks.yaml	fix: fully qualified image names (#1206 )	2 anni fa
job-master.yaml	job.yaml: Adding /var/lib/cni mounts for proper CIS 1.1.9 and 1.1.0 checking (#1547 )	2 mesi fa
job-node.yaml	job.yaml: Adding /var/lib/cni mounts for proper CIS 1.1.9 and 1.1.0 checking (#1547 )	2 mesi fa
job-tkgi.yaml	add support VMware Tanzu(TKGI) Benchmarks v1.2.53 (#1452 )	11 mesi fa
job.yaml	release: prepare-v0.7.3 (#1599 )	5 giorni fa
main.go	Fix issue #16 about supporting verbosity.	7 anni fa
makefile	chore: add fips compliant images (#1473 )	9 mesi fa
mkdocs.yml	Fixing typos (#899 )	3 anni fa

README.md

kube-bench is a tool that checks whether Kubernetes is deployed securely by running the checks documented in the CIS Kubernetes Benchmark.

Tests are configured with YAML files, making this tool easy to update as test specifications evolve.

CIS Scanning as part of Trivy and the Trivy Operator

Trivy, the all in one cloud native security scanner, can be deployed as a Kubernetes Operator inside a cluster. Both, the Trivy CLI, and the Trivy Operator support CIS Kubernetes Benchmark scanning among several other features.

Quick start

There are multiple ways to run kube-bench. You can run kube-bench inside a pod, but it will need access to the host's PID namespace in order to check the running processes, as well as access to some directories on the host where config files and other files are stored.

The supplied job.yaml file can be applied to run the tests as a job. For example:

$ kubectl apply -f job.yaml
job.batch/kube-bench created

$ kubectl get pods
NAME                      READY   STATUS              RESTARTS   AGE
kube-bench-j76s9   0/1     ContainerCreating   0          3s

# Wait for a few seconds for the job to complete
$ kubectl get pods
NAME                      READY   STATUS      RESTARTS   AGE
kube-bench-j76s9   0/1     Completed   0          11s

# The results are held in the pod's logs
kubectl logs kube-bench-j76s9
[INFO] 1 Master Node Security Configuration
[INFO] 1.1 API Server
...

For more information and different ways to run kube-bench see documentation

Please Note

kube-bench implements the CIS Kubernetes Benchmark as closely as possible. Please raise issues here if kube-bench is not correctly implementing the test as described in the Benchmark. To report issues in the Benchmark itself (for example, tests that you believe are inappropriate), please join the CIS community.
There is not a one-to-one mapping between releases of Kubernetes and releases of the CIS benchmark. See CIS Kubernetes Benchmark support to see which releases of Kubernetes are covered by different releases of the benchmark.

By default, kube-bench will determine the test set to run based on the Kubernetes version running on the machine.

see the following documentation on Running kube-bench for more details.

Contributing

Kindly read Contributing before contributing. We welcome PRs and issue reports.

Roadmap

Going forward we plan to release updates to kube-bench to add support for new releases of the CIS Benchmark. Note that these are not released as frequently as Kubernetes releases.