🏷️ Use the CIS benchmark to review the security configuration
Use the CIS Kubernetes Benchmark to review the security configuration of the Kubernetes components (etcd, kubelet, kube-dns, kube-apiserver, …)
Overview
CIS Benchmarks are globally recognized, community-driven security configuration guidelines developed by the Center for Internet Security (CIS) to help organizations harden their IT systems against cyber threats. They provide prescriptive, step-by-step recommendations for securing a wide range of technologies, including operating systems (Windows, Linux, macOS), cloud platforms (AWS, Azure, Google Cloud), databases, servers, network devices, mobile devices, and applications. Kubernetes has its own CIS Kubernetes Benchmark; the two tools below, kube-bench and Kubescape, implement its checks so they can be run against a live cluster and report which recommendations pass or fail, together with the remediation to apply.
kube-bench
Install kube-bench
curl -sLO https://github.com/aquasecurity/kube-bench/releases/download/v0.15.0/kube-bench_0.15.0_linux_amd64.deb
sudo apt install ./kube-bench_0.15.0_linux_amd64.deb
kube-bench version
0.15.0
kube-bench usage
Show the most useful command options.
kube-bench -h | awk '/--(benchmark|targets|check|group|no)/'
--benchmark string Manually specify CIS benchmark version. It would be an error to specify both --version and --benchmark flags
-c, --check string A comma-delimited list of checks to run as specified in CIS document. Example --check="1.1.1,1.1.2"
-g, --group string Run all the checks under this comma-delimited list of groups. Example --group="1.1"
--noremediations Disable printing of remediations section
--noresults Disable printing of results section
--nosummary Disable printing of summary section
--nototals Disable printing of totals for failed, passed, ... checks across all sections
Run one check.
sudo kube-bench run --check 1.2.16 --targets master --nosummary --nototals
[INFO] 1 Control Plane Security Configuration
[INFO] 1.2 API Server
[FAIL] 1.2.16 Ensure that the --audit-log-path argument is set (Automated)
== Remediations master ==
1.2.16 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
on the control plane node and set the --audit-log-path parameter to a suitable path and
file where you would like audit logs to be written, for example,
--audit-log-path=/var/log/apiserver/audit.log
Fix the failed check.
root@control-plane-01:~# cp -p /etc/kubernetes/manifests/kube-apiserver.yaml kube-apiserver.yaml.back.$(date +%F_%T|sed 's/[-:]//g')
root@control-plane-01:~# mkdir -p /var/log/kubernetes/apiserver
root@control-plane-01:~# chmod 750 -R /var/log/kubernetes/
root@control-plane-01:~# tree -paug --noreport /var/log/kubernetes/
[drwxr-x--- root root ] /var/log/kubernetes/
└── [drwxr-x--- root root ] apiserver
root@control-plane-01:~# diff -u kube-apiserver.yaml.back.20260318_112409 /etc/kubernetes/manifests/kube-apiserver.yaml
--- kube-apiserver.yaml.back.20260318_112409 2026-03-03 10:48:45.596043003 +0100
+++ /etc/kubernetes/manifests/kube-apiserver.yaml 2026-03-18 11:28:34.950914113 +0100
@@ -39,6 +39,7 @@
- --service-cluster-ip-range=10.96.0.0/16
- --tls-cert-file=/etc/kubernetes/pki/apiserver.crt
- --tls-private-key-file=/etc/kubernetes/pki/apiserver.key
+ - --audit-log-path=/var/log/kubernetes/apiserver/audit.log
image: registry.k8s.io/kube-apiserver:v1.35.2
imagePullPolicy: IfNotPresent
livenessProbe:
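Review bot: `--audit-log-path` on its own (the single `+` line) makes 1.2.16 pass without making the API server log anything useful. The apiserver only emits audit events when `--audit-policy-file` points at a policy (without the flag no events are logged), and the new path lives inside the container filesystem because no `volumeMounts`/`volumes` hostPath entry for `/var/log/kubernetes/apiserver` is added, so whatever does get written disappears when the static pod is recreated. Suggest adding `- --audit-policy-file=/etc/kubernetes/audit-policy.yaml` with a hostPath mount for that file, a hostPath volume for the log directory created above, and the rotation flags (`--audit-log-maxage`, `--audit-log-maxbackup`, `--audit-log-maxsize`) that the next checks in this group look for.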
Run the same check again.
sudo kube-bench run --check 1.2.16 --targets master --nosummary --nototals
[INFO] 1 Control Plane Security Configuration
[INFO] 1.2 API Server
[PASS] 1.2.16 Ensure that the --audit-log-path argument is set (Automated)
Run a whole group of checks (here group 1.2, the API server section); with --noresults only the remediations for the failed checks are printed.
sudo kube-bench run --group 1.2 --targets master --nosummary --nototals --noresults
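A local re-implementation of the audit-logging checks, added here as an example (it is not a command from the page and not kube-bench's own code) that runs without a cluster: it greps a kube-apiserver static pod manifest the way kube-bench's flag tests do, covers the policy and rotation flags that sit next to 1.2.16 in the same group, and additionally verifies that the log directory is declared as a hostPath volume, which the CIS check itself does not look at. The two manifests are constructed for the example and trimmed to the relevant lines; the file names and values in them are illustrative.

```shell
#!/bin/sh
# Added example, not code from the page or from kube-bench: re-implements the
# audit-logging flag checks (CIS 1.2.16 and its neighbours) against a
# kube-apiserver static pod manifest, plus a hostPath-mount check of our own.
# Assumes a kubeadm-style manifest where flags are listed as "- --flag=value".

# Succeed when FLAG ($2) is present in the manifest ($1) command list.
flag_set() {
  grep -Eq "^[[:space:]]*-[[:space:]]+$2(=|\$)" "$1"
}

# Print the value after "FLAG=" (empty when the flag is unset).
flag_value() {
  sed -n -E "s/^[[:space:]]*-[[:space:]]+$2=(.*)\$/\1/p" "$1" | head -n 1
}

# Succeed when the audit log directory is declared as a hostPath volume, so the
# log survives the container being recreated (simplified: it matches the
# hostPath "path:" line only, not the corresponding volumeMounts entry).
audit_dir_mounted() {
  path=$(flag_value "$1" --audit-log-path)
  [ -n "$path" ] || return 1
  dir=$(dirname "$path")
  grep -Eq "^[[:space:]]*path:[[:space:]]+$dir/?\$" "$1"
}

# Print a kube-bench style verdict per item; return the number of failures.
audit_checks() {
  fails=0
  for f in --audit-log-path --audit-policy-file --audit-log-maxage --audit-log-maxbackup --audit-log-maxsize; do
    if flag_set "$1" "$f"; then
      echo "[PASS] $f=$(flag_value "$1" "$f")"
    else
      echo "[FAIL] $f is not set"
      fails=$((fails + 1))
    fi
  done
  if audit_dir_mounted "$1"; then
    echo "[PASS] audit log directory is a hostPath volume"
  else
    echo "[FAIL] audit log directory is not mounted from the host"
    fails=$((fails + 1))
  fi
  return "$fails"
}

# Constructed manifest 1: the page's remediation only (trimmed to relevant lines).
write_minimal_remediation() {
  cat > "$1" <<'EOF'
spec:
  containers:
  - command:
    - kube-apiserver
    - --audit-log-path=/var/log/kubernetes/apiserver/audit.log
    image: registry.k8s.io/kube-apiserver:v1.35.2
  volumes:
  - hostPath:
      path: /etc/kubernetes/pki
    name: k8s-certs
EOF
}

# Constructed manifest 2: policy file, rotation flags and hostPath volumes.
write_hardened() {
  cat > "$1" <<'EOF'
spec:
  containers:
  - command:
    - kube-apiserver
    - --audit-log-path=/var/log/kubernetes/apiserver/audit.log
    - --audit-policy-file=/etc/kubernetes/audit-policy.yaml
    - --audit-log-maxage=30
    - --audit-log-maxbackup=10
    - --audit-log-maxsize=100
    image: registry.k8s.io/kube-apiserver:v1.35.2
    volumeMounts:
    - mountPath: /var/log/kubernetes/apiserver
      name: audit-log
    - mountPath: /etc/kubernetes/audit-policy.yaml
      name: audit-policy
  volumes:
  - hostPath:
      path: /var/log/kubernetes/apiserver
      type: DirectoryOrCreate
    name: audit-log
  - hostPath:
      path: /etc/kubernetes/audit-policy.yaml
      type: File
    name: audit-policy
EOF
}

before=$(mktemp) && after=$(mktemp)
write_minimal_remediation "$before"
write_hardened "$after"
echo "== manifest with only --audit-log-path =="
audit_checks "$before" || echo "$? item(s) failed"
echo "== hardened manifest =="
audit_checks "$after" && echo "all items passed"
rm -f "$before" "$after"
```

The first manifest mirrors the remediation applied above (only --audit-log-path added) and fails five of the six items; the hardened one passes all of them. For gating a pipeline on the real benchmark, use kube-bench's own --json output together with --exit-code so that any FAIL turns into a non-zero exit status instead of parsing the text report.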
Kubescape
Install kubescape
curl -sL https://raw.githubusercontent.com/kubescape/kubescape/master/install.sh -o kubescape_install.sh
bash kubescape_install.sh
[...]
Remember to add the Kubescape CLI to your path with:
$ export PATH=$PATH:/home/guisam/.kubescape/bin
[...]
echo 'export PATH=$PATH:/home/guisam/.kubescape/bin' >> ~/.zshrc
source <(kubescape completion zsh)
kubescape usage
List the available frameworks (collections of controls) and the individual controls.
kubescape list frameworks
kubescape list controls
Scan the current cluster against a framework (NSA/CISA hardening guidance, MITRE ATT&CK); a cis framework is also available.
kubescape scan framework nsa
kubescape scan framework mitre
Scan local manifests or Helm charts instead of the live cluster.
kubescape scan ./notes-charts
Scan a container image for known vulnerabilities.
kubescape scan image registry.k8s.io/kube-apiserver:v1.35.2