Skip to content

Checks whether Kubernetes is deployed according to security best practices as defined in the CIS Kubernetes Benchmark

License

Notifications You must be signed in to change notification settings

aquasecurity/kube-bench

This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.

Folders and files

NameName
Last commit message
Last commit date

Latest commit

f419b32 · Aug 6, 2024
Jun 29, 2024
Aug 6, 2024
Dec 5, 2023
Jun 26, 2024
Jun 26, 2024
Sep 14, 2022
Nov 27, 2019
Dec 3, 2023
Oct 3, 2022
Apr 3, 2022
Apr 5, 2022
May 22, 2024
Jan 6, 2020
Sep 14, 2022
Jul 4, 2024
Jul 4, 2024
Jul 4, 2024
Jun 19, 2017
Jan 16, 2019
Aug 11, 2017
Oct 2, 2023
Oct 7, 2020
May 11, 2018
Jul 24, 2023
Apr 18, 2024
Apr 18, 2024
Jun 17, 2022
Jun 17, 2022
May 21, 2023
Sep 14, 2022
May 21, 2023
Jun 17, 2022
Jun 17, 2022
Feb 11, 2024
Feb 11, 2024
Jun 1, 2023
Jul 2, 2024
Jul 7, 2017
Jun 26, 2024
Jun 9, 2021

Repository files navigation

GitHub Release Downloads Docker Pulls Go Report Card Build Status License Coverage Status

kube-bench logo

kube-bench is a tool that checks whether Kubernetes is deployed securely by running the checks documented in the CIS Kubernetes Benchmark.

Tests are configured with YAML files, making this tool easy to update as test specifications evolve.

Kubernetes Bench for Security

CIS Scanning as part of Trivy and the Trivy Operator

Trivy, the all in one cloud native security scanner, can be deployed as a Kubernetes Operator inside a cluster. Both, the Trivy CLI, and the Trivy Operator support CIS Kubernetes Benchmark scanning among several other features.

Quick start

There are multiple ways to run kube-bench. You can run kube-bench inside a pod, but it will need access to the host's PID namespace in order to check the running processes, as well as access to some directories on the host where config files and other files are stored.

The supplied job.yaml file can be applied to run the tests as a job. For example:

$ kubectl apply -f job.yaml
job.batch/kube-bench created

$ kubectl get pods
NAME                      READY   STATUS              RESTARTS   AGE
kube-bench-j76s9   0/1     ContainerCreating   0          3s

# Wait for a few seconds for the job to complete
$ kubectl get pods
NAME                      READY   STATUS      RESTARTS   AGE
kube-bench-j76s9   0/1     Completed   0          11s

# The results are held in the pod's logs
kubectl logs kube-bench-j76s9
[INFO] 1 Master Node Security Configuration
[INFO] 1.1 API Server
...

For more information and different ways to run kube-bench see documentation

Please Note

  1. kube-bench implements the CIS Kubernetes Benchmark as closely as possible. Please raise issues here if kube-bench is not correctly implementing the test as described in the Benchmark. To report issues in the Benchmark itself (for example, tests that you believe are inappropriate), please join the CIS community.

  2. There is not a one-to-one mapping between releases of Kubernetes and releases of the CIS benchmark. See CIS Kubernetes Benchmark support to see which releases of Kubernetes are covered by different releases of the benchmark.

By default, kube-bench will determine the test set to run based on the Kubernetes version running on the machine.

Contributing

Kindly read Contributing before contributing. We welcome PRs and issue reports.

Roadmap

Going forward we plan to release updates to kube-bench to add support for new releases of the CIS Benchmark. Note that these are not released as frequently as Kubernetes releases.