CIS (Center for Internet Security) Kubernetes Benchmark provides security guidelines for configuring Kubernetes clusters to enhance security and compliance.
CIS Kubernetes Benchmark is a set of security best practices covering:
i) API Server hardening
ii) Secure etcd configuration
iii) RBAC and authentication
iv) Secure networking and pod security
v) Logging and auditing
Two security scanning tools.
Regularly scan your cluster against the benchmark using kube-bench or Kubescape.
Install and run kube-bench
# tar xvf kube-bench_0.10.4_linux_amd64.tar.gz
# chmod +x kube-bench
# mv kube-bench /usr/local/bin/
# kube-bench --config-dir `pwd`/cfg --config `pwd`/cfg/config.yaml
Check the Results
After running, it reports each check as one of:
- PASS: Configurations following CIS recommendations.
- WARN: Potential security risks.
- FAIL: Misconfigurations violating security best practices.
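To turn the PASS/WARN/FAIL output into something a pipeline can act on, here is an added example (not part of the original note or of kube-bench itself) that parses a kube-bench JSON report, as produced with `kube-bench --json`, counts results by status and returns a non-zero exit code when any check is FAIL. The sample report embedded below is constructed, and its check numbers and descriptions are illustrative only.

```python
"""Triage kube-bench JSON output: count PASS/WARN/FAIL and list failed checks."""
import json

# Constructed sample in the shape of kube-bench's --json report (not real scan
# output); check numbers and descriptions are illustrative only.
SAMPLE_REPORT = r'''
{"Controls": [{"id": "1", "text": "Control Plane Components", "tests": [
  {"section": "1.2", "desc": "API Server", "results": [
    {"test_number": "1.2.1", "status": "WARN",
     "test_desc": "Ensure that the --anonymous-auth argument is set to false",
     "remediation": "Set --anonymous-auth=false in the API server manifest."},
    {"test_number": "1.2.6", "status": "FAIL",
     "test_desc": "Ensure that the --kubelet-certificate-authority argument is set",
     "remediation": "Set --kubelet-certificate-authority to the kubelet CA bundle."},
    {"test_number": "1.2.16", "status": "PASS",
     "test_desc": "Ensure that the --profiling argument is set to false",
     "remediation": ""}
  ]}
]}]}
'''

def summarize(report_json):
    """Return ({status: count}, [(number, desc, remediation) for FAILs])."""
    report = json.loads(report_json)
    counts = {"PASS": 0, "WARN": 0, "FAIL": 0, "INFO": 0}
    failures = []
    for control in report.get("Controls", []):
        for group in control.get("tests", []):
            for result in group.get("results", []):
                status = result.get("status", "INFO").upper()
                counts[status] = counts.get(status, 0) + 1
                if status == "FAIL":
                    failures.append((result["test_number"],
                                     result["test_desc"],
                                     result.get("remediation", "")))
    return counts, failures

def exit_code(counts):
    """Non-zero when any check FAILed, so a CI job can gate on the benchmark."""
    return 1 if counts.get("FAIL", 0) else 0

if __name__ == "__main__":
    counts, failures = summarize(SAMPLE_REPORT)
    print(counts)
    for number, desc, fix in failures:
        print(f"FAIL {number}: {desc}\n  remediation: {fix}")
    raise SystemExit(exit_code(counts))
```

For a real cluster, save the scan with `kube-bench --json > report.json` and pass the file contents to summarize().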
Install and run Kubescape
# curl -s https://raw.githubusercontent.com/kubescape/kubescape/master/install.sh | /bin/bash
# kubescape scan framework all
Piping a remote script straight into a shell runs whatever the script contains with the shell's privileges, so download the installer first and review it before executing it.