kube-bench: Enhancing Kubernetes Security-1

Mehmet Kanus, published in Hedgus, May 23, 2024

Introduction to kube-bench

In the world of container orchestration, Kubernetes stands out as the most popular platform, automating the deployment, scaling, and management of containerized applications. However, with its widespread adoption, ensuring the security of Kubernetes clusters has become paramount. This is where kube-bench comes into play.

kube-bench is an open-source tool designed to check whether Kubernetes is deployed securely by running the checks documented in the CIS Kubernetes Benchmark. The Center for Internet Security (CIS) provides a set of best practices and guidelines for securing Kubernetes clusters, and kube-bench automates the process of auditing your clusters against these standards.

What is kube-bench Used For?

kube-bench is primarily used for:

  • Security Audits: It performs security checks to ensure compliance with the CIS Kubernetes Benchmark.
  • Automated Security Assessments: Regularly running kube-bench can help in identifying security misconfigurations and vulnerabilities in your Kubernetes clusters.
  • Compliance Reporting: It provides detailed reports on the compliance status, helping organizations to meet regulatory and internal security requirements.

Installing kube-bench

You can install kube-bench on any Kubernetes environment, whether it is managed by a cloud provider (AWS EKS, Azure AKS, GKE, etc.) or created with kubeadm.

Step-1: I will start by setting up two virtual machines on Azure and installing kubeadm on them to create a Kubernetes cluster. You can create your Kubernetes cluster in any way you prefer.

Step-2: As you can see, the Kubernetes cluster created with kubeadm is ready. Now I will deploy a sample application into the cluster.

Step-3: Securing Kubernetes clusters is a critical task for ensuring the safety and integrity of containerized applications. The CIS Kubernetes Benchmark provides a comprehensive set of best practices and guidelines aimed at securing Kubernetes environments. This benchmark is widely recognized and utilized to audit Kubernetes clusters, highlighting key areas where security improvements can be made.

  • After registering with CIS and confirming the verification link sent to your email, you can download the “CIS Kubernetes Benchmark v1.9.0–03–25–2024” document in PDF format. Looking at its table of contents, you will notice that each item serves as a security checklist entry for your cluster.

Step-4: At https://github.com/aquasecurity/kube-bench?tab=readme-ov-file you will find a manifest file (job.yaml) that deploys kube-bench to your cluster as a Job. After applying this file, the logs of the pod that the Job creates list every check run against your entire Kubernetes cluster together with its status. Each FAIL status there either points you to the cause and remediation in the PDF documentation mentioned above, or, when you click the check, redirects you to a link explaining the cause and the fix. From there you can address the security findings in your Kubernetes cluster.

$ kubectl apply -f job.yaml
job.batch/kube-bench created

$ kubectl get pods
NAME               READY   STATUS              RESTARTS   AGE
kube-bench-j76s9   0/1     ContainerCreating   0          3s

# Wait for a few seconds for the job to complete
$ kubectl get pods
NAME               READY   STATUS      RESTARTS   AGE
kube-bench-j76s9   0/1     Completed   0          11s

# The results are held in the pod's logs
$ kubectl logs kube-bench-j76s9
[INFO] 1 Master Node Security Configuration
[INFO] 1.1 API Server
...

  • When we examine the logs of the kube-bench pod above, we can see the checks marked FAIL, i.e. the security findings within the Kubernetes cluster.

Now you can remediate the checks that FAILED in the kube-bench pod logs by referring to the “CIS BENCHMARK” PDF documentation you downloaded earlier. Two of the findings from this cluster:

  • [FAIL] 4.1.1 Ensure that the kubelet service file permissions are set to 600 or more restrictive (Automated)
  • [FAIL] 4.1.9 If the kubelet config.yaml configuration file is being used validate permissions set to 600 or more restrictive (Automated)
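As an added example (not code from the article or from the kube-bench project), the script below triages the FAIL lines of a kube-bench log and then re-runs the file-permission audit behind checks 4.1.1 and 4.1.9 locally on a node, printing a kube-bench style result and the CIS remediation (chmod 600). It assumes GNU stat and the default kubeadm file locations, and the sample log lines are constructed.

```shell
#!/bin/sh
# Added example (not from the article or from kube-bench itself): triage the FAIL
# lines in a kube-bench log, then re-run the file-permission audit behind checks
# 4.1.1 and 4.1.9 locally. Assumes GNU stat and default kubeadm file paths.

# Constructed sample of kube-bench pod-log lines (same format as the article's output).
SAMPLE_LOG='[INFO] 4 Worker Node Security Configuration
[INFO] 4.1 Worker Node Configuration Files
[FAIL] 4.1.1 Ensure that the kubelet service file permissions are set to 600 or more restrictive (Automated)
[WARN] 4.1.3 If proxy kubeconfig file exists ensure permissions are set to 600 or more restrictive (Manual)
[FAIL] 4.1.9 If the kubelet config.yaml configuration file is being used validate permissions set to 600 or more restrictive (Automated)'

# Count lines carrying a given status tag: count_status "$log" FAIL
count_status() {
    printf '%s\n' "$1" | awk -v tag="[$2]" '$1 == tag { n++ } END { print n + 0 }'
}

# Print the ids of all checks marked FAIL, one per line (e.g. 4.1.1).
failed_ids() {
    printf '%s\n' "$1" | awk '$1 == "[FAIL]" { print $2 }'
}

# Return 0 when the file mode is 600 or more restrictive, i.e. no group/other
# bits and no owner execute bit (mode & 0177 == 0); 2 if the file cannot be read.
perm_at_most_600() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 2
    [ $(( 0$mode & 0177 )) -eq 0 ]
}

# Default kubeadm locations (assumption; adjust for your distribution).
KUBELET_SERVICE_FILE=/etc/systemd/system/kubelet.service.d/10-kubeadm.conf
KUBELET_CONFIG_FILE=/var/lib/kubelet/config.yaml

# Print one kube-bench style result line for a check id and the file it covers.
audit_file() {
    if [ ! -e "$2" ]; then
        printf '[WARN] %s %s not present, skipped\n' "$1" "$2"
    elif perm_at_most_600 "$2"; then
        printf '[PASS] %s %s\n' "$1" "$2"
    else
        printf '[FAIL] %s %s has mode %s; remediate with: chmod 600 %s\n' \
            "$1" "$2" "$(stat -c '%a' "$2")" "$2"
    fi
}

printf '%s FAIL check(s) in sample log: %s\n' \
    "$(count_status "$SAMPLE_LOG" FAIL)" "$(failed_ids "$SAMPLE_LOG" | tr '\n' ' ')"
audit_file 4.1.1 "$KUBELET_SERVICE_FILE"
audit_file 4.1.9 "$KUBELET_CONFIG_FILE"
```

Run it on a worker node; replace SAMPLE_LOG with `kubectl logs <kube-bench-pod>` output to triage a real run.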

Conclusion

In conclusion, kube-bench is an essential tool for any Kubernetes administrator aiming to enhance their cluster’s security. By automating the checks defined in the CIS Kubernetes Benchmark, kube-bench provides a comprehensive assessment of your cluster’s security posture. Regularly running kube-bench helps identify potential vulnerabilities and ensures compliance with industry best practices. By addressing the FAILED checks through the detailed guidance provided in the CIS Benchmark documentation, you can significantly strengthen your Kubernetes environment, mitigating risks and safeguarding your containerized applications. Implementing kube-bench as part of your security strategy not only promotes a robust security framework but also fosters confidence in the reliability and safety of your Kubernetes deployments.

For now, I have completed and presented my first article on maintaining and enhancing the security of a Kubernetes cluster. In my upcoming articles, I will cover two more security tools: Trivy and Kubescape. Please like and share my article!
