Kubernetes Security : Kube-Bench

Updated: Dec 3, 2021

Hello friends, hope you are all doing well. Every one of us likes to be as secure as possible. The same is the case with our Kubernetes cluster. Security is undoubtedly a crucial part of application architecture design. It takes years for a company to build up a solid rapport, but a security breach can destroy it in minutes.

As a DevOps engineer, it's our responsibility to make not only a highly available and reliable application but also an application that should be pretty much secure.

Configuring Kubernetes security is a major task and there are several tools available in the market which will allow us to do so. Here we are going to discuss an open-source tool provided by a company called aqua-sec, which will allow you to know how close your cluster is to security benchmarking, as documented by the Center for Internet Security (CIS)

Kube bench is much more useful in the case of an on-premises Kubernetes setup because the managed Kubernetes providers already are to a great extent compliant to CIS standards.

Let's see how to install and use kube-bench software.

  • We have a 3-node Kubernetes cluster already set up. It is created with kubeadm on Virtualbox.

Login to the master node and execute the below commands to download and install kube-bench.

yum install wget -y 
wget https://github.com/aquasecurity/kube-bench/releases/download/v0.3.0/kube- bench_0.3.0_linux_amd64.tar.gz
gunzip kube-bench_0.3.0_linux_amd64.tar.gz
tar -xvf kube-bench_0.3.0_linux_amd64.tar

Once you extract the tar file, there will be a cfg directory containing all the configurations related to kube-bench in the form of YAML files.

Now first of all login to the master node and execute the below command with the root user.

You will have to execute the same command on all worker nodes as well.

kube-bench is written in golang so it will give directly the executable binary.

./kube-bench --config-dir `pwd`/cfg --config `pwd`/cfg/config.yaml master

On worker nodes

./kube-bench --config-dir `pwd`/cfg --config `pwd`/cfg/config.yaml node

On executing the above command you will get a large output on the screen showing how many tests passed, how many failed, how many are in a warning state, something like below. From here you can get an idea about your cluster security benchmarking and you can take relevant actions to rectify it.

This was the short and crisp article on kube-bench. Hope your clusters are more secure now. Please do try this on your cluster.


265 views0 comments

Recent Posts

See All