Hello friends, hope you are all doing good. Every one of us likes to be as secure as possible, and the same goes for our Kubernetes cluster. Security is undoubtedly a crucial part of application architecture design. It takes years for a company to build up a solid reputation, but a security breach can destroy it in minutes.
As DevOps engineers, it is our responsibility to build not only a highly available and reliable application but also one that is reasonably secure.
Configuring Kubernetes security is a major task, and there are a number of tools on the market that help with it. Here we are going to discuss an open-source tool from a company called Aqua Security which lets you see how close your cluster is to the security benchmark documented by the Center for Internet Security (CIS).
kube-bench is most useful for an on-premises Kubernetes setup, because the managed Kubernetes providers are already compliant with the CIS standards to a great extent.
Let's see how to install and use kube-bench software.
We already have a 3-node Kubernetes cluster set up; it was created with kubeadm on VirtualBox.
Log in to the master node and execute the commands below to download and install kube-bench:
yum install wget -y
wget https://github.com/aquasecurity/kube-bench/releases/download/v0.3.0/kube-bench_0.3.0_linux_amd64.tar.gz
gunzip kube-bench_0.3.0_linux_amd64.tar.gz
tar -xvf kube-bench_0.3.0_linux_amd64.tar
Once you extract the tar file, there will be a cfg directory containing all the kube-bench configuration in the form of YAML files.
Now, first of all, log in to the master node and execute the command below as the root user.
You will have to execute the corresponding command on all the worker nodes as well.
kube-bench is written in Go, so the release archive directly provides the executable binary; there is nothing further to install.
./kube-bench --config-dir `pwd`/cfg --config `pwd`/cfg/config.yaml master
On worker nodes:
./kube-bench --config-dir `pwd`/cfg --config `pwd`/cfg/config.yaml node
On executing the above command you will get a large output on screen showing how many tests passed, how many failed and how many are in the warning state, something like the output below. From there you can get an idea of how your cluster measures up against the security benchmark and take the relevant actions to fix the failures.
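As an added example (not part of the original post or of kube-bench itself), here is a small Python script that parses the plain-text report kube-bench prints, tallies PASS/FAIL/WARN per CIS section, and lists the failing Scored checks so a run can gate a CI pipeline; the report lines in it are constructed for illustration, not taken from a real cluster.

```python
import re
from collections import Counter
# Constructed sample of kube-bench's text output (not from a real run).
SAMPLE_OUTPUT = """\
[INFO] 1 Master Node Security Configuration
[INFO] 1.1 API Server
[PASS] 1.1.1 Ensure that the --anonymous-auth argument is set to false (Scored)
[FAIL] 1.1.2 Ensure that the --basic-auth-file argument is not set (Scored)
[WARN] 1.1.3 Ensure that the --insecure-allow-any-token argument is not set (Not Scored)
[INFO] 1.2 Scheduler
[PASS] 1.2.1 Ensure that the --profiling argument is set to false (Scored)
[FAIL] 1.2.2 Ensure that the --address argument is set to 127.0.0.1 (Scored)

== Summary ==
2 checks PASS
2 checks FAIL
1 checks WARN
"""

# One result line: "[STATUS] <check id> <description>"; summary lines are skipped.
RESULT_RE = re.compile(r"^\[(PASS|FAIL|WARN)\] (\d+(?:\.\d+)+) (.*)$")

def parse_results(text):
    """Return (status, check_id, description) tuples for every check line."""
    return [m.groups() for m in map(RESULT_RE.match, text.splitlines()) if m]

def summarize(results):
    """Count statuses overall and per CIS section (e.g. '1.1' for API Server)."""
    overall = Counter(status for status, _, _ in results)
    per_section = {}
    for status, check_id, _ in results:
        section = check_id.rsplit(".", 1)[0]
        per_section.setdefault(section, Counter())[status] += 1
    return overall, per_section

def failing_scored_checks(results):
    """FAIL results on Scored checks: these are what count against the benchmark."""
    return [cid for status, cid, desc in results
            if status == "FAIL" and "(Scored)" in desc]

def gate(results, max_scored_failures=0):
    """Simple CI gate: True when scored failures stay within the allowed budget."""
    return len(failing_scored_checks(results)) <= max_scored_failures

if __name__ == "__main__":
    res = parse_results(SAMPLE_OUTPUT)
    overall, per_section = summarize(res)
    print(dict(overall), {s: dict(c) for s, c in per_section.items()})
    print("failing scored:", failing_scored_checks(res), "gate ok:", gate(res))
```

To use it on a real run, pipe the report in, e.g. `./kube-bench ... master | python3 this_script.py` after replacing SAMPLE_OUTPUT with `sys.stdin.read()`.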
This was a short and crisp article on kube-bench. Hope your clusters will be more secure now. Please do try this on your cluster.