Aqua Blog

Automating CIS Kubernetes Benchmark Compliance with Starboard Operator

Last year, we first released Starboard Operator, which automates vulnerability scanning and configuration auditing of Kubernetes workloads. We’re now pleased to announce the latest release (v0.10), which is focused on infrastructure and adds CIS Kubernetes Benchmark testing using kube-bench. The operator automatically discovers nodes and runs kube-bench on each node to get the benchmark score. Maintaining high benchmark scores is critical to establish a secure configuration posture of your whole Kubernetes cluster.

Establishing a Secure Configuration Posture

The CIS benchmark for Kubernetes provides prescriptive guidance for system and application administrators, security specialists, auditors, help desk, and platform deployment personnel who are responsible for establishing secure configuration for solutions that incorporate Kubernetes.

For example, it is not recommended to use plaintext credentials for authenticating with the Kubernetes API Server that runs on (master) control plane nodes. Therefore, kube-bench checks that the --basic-auth-file argument is not set on the kube-apiserver process. For remediation, you should configure alternate mechanisms for authentication. Another example of a security best practice for worker nodes is to ensure that the --anonymous-auth flag is set to false for the Kubelet server, which disallows anonymous requests to the Kubelet server.
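The two checks above, re-implemented as an added example (this is not Starboard's or kube-bench's own code); the command lines are constructed sample input standing in for the running kube-apiserver and kubelet processes, and the kubelet config file is assumed to have been loaded into a dict already:

```python
import shlex
from typing import Dict, Optional, Tuple

Result = Tuple[bool, str]  # (passed, remediation or "ok")


def parse_flags(cmdline: str) -> Dict[str, str]:
    """Map every --name / --name=value in a process command line to its value.

    A bare --name is stored as "" because Go's flag parser treats a boolean
    flag without '=value' as true and never consumes the following token.
    """
    flags: Dict[str, str] = {}
    for tok in shlex.split(cmdline)[1:]:  # [0] is the binary
        if tok.startswith("--"):
            name, _, value = tok[2:].partition("=")
            flags[name] = value
    return flags


def check_apiserver_basic_auth(cmdline: str) -> Result:
    """Plaintext credentials: --basic-auth-file must not be set on kube-apiserver."""
    if "basic-auth-file" in parse_flags(cmdline):
        return False, "remove --basic-auth-file and configure an alternate authentication mechanism"
    return True, "ok"


def check_kubelet_anonymous_auth(cmdline: str, config: Optional[dict] = None) -> Result:
    """Anonymous requests: the kubelet must end up with anonymous auth disabled.

    The kubelet default is true, so an absent setting fails. A command-line flag
    overrides the kubelet config file (passed here as an already-parsed dict).
    """
    flags = parse_flags(cmdline)
    if "anonymous-auth" in flags:
        enabled = flags["anonymous-auth"] != "false"  # bare flag means true
    elif config is not None:
        enabled = config.get("authentication", {}).get("anonymous", {}).get("enabled", True)
    else:
        enabled = True
    if enabled:
        return False, "set --anonymous-auth=false or authentication.anonymous.enabled: false"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample command lines, not captured from a real node.
    print(check_apiserver_basic_auth("kube-apiserver --basic-auth-file=/etc/kubernetes/basic.csv"))
    print(check_kubelet_anonymous_auth("kubelet --config=/var/lib/kubelet/config.yaml"))
```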

By default, kube-bench managed by Starboard attempts to auto-detect the running version of Kubernetes and map it to the corresponding CIS Benchmark version. It also identifies the components running on the node and uses this to determine which tests to run. For example, kube-bench will only run the (master) control plane node tests if the node is running the Kubernetes API server.

Below, we’ve embedded a video that shows how the operator automatically schedules a CIS Kubernetes Benchmark test when a new node is added to a cluster. The benchmark reports are persisted in the form of Kubernetes custom resources. From there, the reports can be accessed with the kubectl command, or in Kubernetes IDEs such as Octant or Lens for which we provide extensions.

Going Forward

To further extend infrastructure scanning, we’re planning to integrate Starboard Operator with kube-hunter, our open source penetration testing tool for Kubernetes, and automate hunting for security weaknesses in your Kubernetes clusters.

We’re always looking for feedback from our users – so please give Starboard Operator a try and let us know what you think by joining discussions on GitHub. The operator can be installed with kubectl, Helm, or OLM as explained in the Starboard installation guides. Visit Starboard on GitHub to learn more about the other scanners integrated with Starboard and their configuration settings.

Daniel Pacak
Daniel Pacak is an Open Source Engineer at Aqua Security. He works on Kubernetes and container security related projects, while also taking part in maintaining the CNCF's project, Harbor.