The Center for Internet Security (CIS) publishes guidelines and benchmark tests for best practices in securing systems and software. As Michael Cherny recently described, the CIS has published a benchmark for Kubernetes, and now we’re pleased to tell you about our new open source implementation of those tests: kube-bench.
It’s written as a Go application (and distributed as a container, of course), but each individual test is defined in a YAML file, which will make it easier to extend and update the test suite as the benchmark evolves along with Kubernetes itself. It also supports JSON-format output, to make it easier to integrate with automated tools.
Like other CIS Benchmark tests, you run it on each of your nodes to establish how well your deployment meets the best practice recommendations from the CIS community. Not only do you get information about whether each test passes or fails, but you also get advice on how to remediate any issues that have been detected. This might, for example, include a recommendation to change or remove an insecure configuration setting on one of the Kubernetes executables, or to make the permissions on a config file more restrictive.
Example test output from kube-bench
Following the structure of the benchmark document, there are separate test suites for master nodes, worker nodes, and nodes in federated deployments.
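To make the model described above concrete (a check defined as data, an audit command run on the node, a comparison that yields pass or fail, and a remediation string attached to failures), here is a small evaluator written for this post. It is an added illustration, not kube-bench’s own code: the field names in the check definitions mirror the general shape of a kube-bench YAML check but are an assumption, the `output` item type and the `bitmask` operator are this example’s own additions, and the audit outputs fed to it are constructed rather than captured from a real node.

```python
"""Added example: evaluate kube-bench-style checks against audit output.

Illustrative code only, not kube-bench itself. The check schema below is an
assumption about the shape of a YAML-defined check; check IDs and text are
illustrative.
"""
import json
import shlex
import subprocess

# Constructed check definitions (assumed schema: id/text/audit/tests/remediation/scored).
CHECKS = [
    {
        "id": "1.1.1",
        "text": "Ensure that the --anonymous-auth argument is set to false",
        "audit": "ps -ef | grep kube-apiserver | grep -v grep",
        "tests": [{"flag": "--anonymous-auth", "set": True,
                   "compare": {"op": "eq", "value": "false"}}],
        "remediation": "Edit the kube-apiserver manifest and set --anonymous-auth=false.",
        "scored": True,
    },
    {
        "id": "1.4.1",
        "text": "Ensure that the API server pod specification file permissions are 644 or more restrictive",
        "audit": "stat -c %a /etc/kubernetes/manifests/kube-apiserver.yaml",
        # 'output' (this example's own item type) compares the whole audit output.
        "tests": [{"output": True, "compare": {"op": "bitmask", "value": "644"}}],
        "remediation": "chmod 644 /etc/kubernetes/manifests/kube-apiserver.yaml",
        "scored": True,
    },
]


def flag_value(output, flag):
    """Return (present, value) for a command-line flag found in audit output.
    Handles both '--flag=value' and '--flag value'; a bare flag yields value ''."""
    tokens = []
    for line in output.splitlines():
        tokens.extend(shlex.split(line))
    for i, tok in enumerate(tokens):
        if tok == flag:
            nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
            return True, ("" if nxt.startswith("-") else nxt)
        if tok.startswith(flag + "="):
            return True, tok[len(flag) + 1:]
    return False, None


def compare(op, actual, expected):
    """Comparison operators for a check's 'compare' block."""
    if op == "eq":
        return actual == expected
    if op == "noteq":
        return actual != expected
    if op == "has":
        return expected in actual
    if op == "nothave":
        return expected not in actual
    if op in ("gte", "lte"):
        a, e = int(actual), int(expected)
        return a >= e if op == "gte" else a <= e
    if op == "bitmask":
        # "644 or more restrictive" means no permission bit outside the mask:
        # 640 and 600 pass against 644; 664 and 700 do not.
        return int(actual, 8) & ~int(expected, 8) == 0
    raise ValueError("unknown op %r" % op)


def evaluate_item(item, output):
    """Evaluate one test item against the audit output of its check."""
    if item.get("output"):
        present, actual = bool(output.strip()), output.strip()
    else:
        present, actual = flag_value(output, item["flag"])
    if item.get("set", True) != present:
        return False
    if not present:  # a 'set: false' item only requires absence
        return True
    cmp_ = item.get("compare")
    return cmp_ is None or compare(cmp_["op"], actual, cmp_["value"])


def run_check(check, output):
    """Return a result dict for one check; failures carry the remediation text."""
    passed = all(evaluate_item(it, output) for it in check["tests"])
    result = {"id": check["id"], "text": check["text"],
              "status": "PASS" if passed else "FAIL", "scored": check["scored"]}
    if not passed:
        result["remediation"] = check["remediation"]
    return result


def run_audit(cmd):
    """Run a check's audit command on a real node (not used with the samples below)."""
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    # Constructed audit outputs standing in for a misconfigured node.
    samples = {
        "1.1.1": "root 1234 1 0 10:00 ? 00:00:05 kube-apiserver --anonymous-auth=true --secure-port=6443\n",
        "1.4.1": "664\n",
    }
    results = [run_check(c, samples[c["id"]]) for c in CHECKS]
    print(json.dumps(results, indent=2))
```

Run as-is it prints JSON for two failing checks, each with its remediation; on a node you would replace the constructed samples with `run_audit(check["audit"])`. Note the `bitmask` comparison: a numeric "less than or equal to 644" test would wrongly pass a mode of 700, since the point of the benchmark item is which permission bits are set, not the octal number’s magnitude.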
The kube-bench tool allows you to immediately see if your setup conforms to best practices in key areas, as per the benchmark document, including:
- Proper user authentication and authorization
- Securing data in transit
- Securing data at rest
- Using least privileges
As it’s an open source project, we welcome your feedback and ideas for improvement. We’re also aiming to collaborate with the CIS community to help make the tests themselves more robust and complete as Kubernetes develops.