Kube-Bench – CIS Kubernetes Benchmark Assessor

kube-bench is a Go application that checks whether Kubernetes is deployed securely by running the checks documented in the CIS Kubernetes Benchmark. Tests are configured with YAML files, making this tool easy to update as test specifications evolve.

Kube-bench - CIS Kubernetes Benchmark Assessor
Kube-bench – CIS Kubernetes Benchmark Assessor

If you run kube-bench directly from the command line you may need to be root / sudo to have access to all the config files. kube-bench automatically selects which controls to use based on the detected node type and the version of Kubernetes a cluster is running. This behavior can be overridden by specifying the master or node subcommand and the --version flag on the command line.

The Kubernetes version can also be set with the KUBE_BENCH_VERSION environment variable. The value of --version takes precedence over the value of KUBE_BENCH_VERSION.

You can run kube-bench inside a pod, but it will need access to the host’s PID namespace in order to check the running processes, as well as access to some directories on the host where config files and other files are stored.

Master nodes are automatically detected by kube-bench and will run master checks when possible. The detection is done by verifying that mandatory components for master, as defined in the config files.

There are three output states:

  • [PASS] and [FAIL] indicate that a test was run successfully, and it either passed or failed.
  • [WARN] means this test needs further attention, for example it is a test that needs to be run manually.
  • [INFO] is informational output that needs no further action.

You can read more and download this tool over here: https://github.com/aquasecurity/kube-bench

Notify of
Inline Feedbacks
View all comments