Benchmarking a cluster's security configuration
The Center for Internet Security (CIS) released a benchmark of Kubernetes that can be used by cluster administrators to ensure that the cluster follows the recommended security configuration. The published Kubernetes benchmark is more than 200 pages.
kube-bench is an automated tool written in Go and published by Aqua Security that runs the tests documented in the CIS benchmark. The tests themselves are written in YAML Ain't Markup Language (YAML), making them easy to evolve as the benchmark changes. kube-bench can be run on a node directly using the kube-bench binary, selecting the benchmark version to test against, as follows:
$ kube-bench node --benchmark cis-1.4
For clusters hosted on gke, eks, and aks, kube-bench is run as a pod. Once the pod finishes running, you can look at the logs to see the results, as illustrated in the following code block:
$ kubectl apply -f job-gke.yaml
$ kubectl get pods
NAME    READY...
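Reading a 200-page benchmark's worth of PASS/FAIL lines out of pod logs by eye does not scale, so in practice the output is parsed and turned into a pipeline gate. The following is an added example, not code from the book or from the kube-bench project: it assumes kube-bench was run with its --json flag (a real flag) and the JSON was captured, for instance with kubectl logs, and it assumes the field names kube-bench uses in that output (Controls, tests, results, test_number, test_desc, status, scored, remediation). The embedded sample document is constructed for illustration; its check IDs and texts are placeholders rather than actual CIS benchmark items.

```python
"""Summarise kube-bench JSON output and decide whether a CI pipeline should pass.

Added example, not part of the book or of kube-bench itself. The JSON field
names below are an assumption about the shape kube-bench emits with --json.
"""
import json
import sys
from collections import Counter

# Constructed sample in the shape of `kube-bench --json` output. Check IDs and
# descriptions are placeholders, not real CIS benchmark items.
SAMPLE_OUTPUT = json.dumps({
    "Controls": [
        {
            "id": "4",
            "version": "cis-1.6",
            "text": "Worker Node Security Configuration",
            "node_type": "node",
            "tests": [
                {
                    "section": "4.1",
                    "desc": "Worker Node Configuration Files",
                    "results": [
                        {"test_number": "4.1.1", "test_desc": "kubelet service file permissions",
                         "status": "PASS", "scored": True,
                         "remediation": "chmod 644 on the kubelet service file"},
                        {"test_number": "4.1.2", "test_desc": "kubelet service file ownership",
                         "status": "FAIL", "scored": True,
                         "remediation": "chown root:root on the kubelet service file"},
                    ],
                },
                {
                    "section": "4.2",
                    "desc": "Kubelet",
                    "results": [
                        {"test_number": "4.2.1", "test_desc": "anonymous auth disabled",
                         "status": "FAIL", "scored": True,
                         "remediation": "set --anonymous-auth=false on the kubelet"},
                        {"test_number": "4.2.9", "test_desc": "event record QPS set",
                         "status": "WARN", "scored": False,
                         "remediation": "set --event-qps to a suitable level"},
                    ],
                },
            ],
        }
    ],
    "Totals": {"total_pass": 1, "total_fail": 2, "total_warn": 1, "total_info": 0},
})


def iter_results(raw):
    """Yield one normalised dict per individual check.

    Accepts three top-level shapes (assumption about kube-bench versions):
    a {"Controls": [...]} wrapper, a bare list of controls, or one control.
    """
    doc = json.loads(raw)
    if isinstance(doc, dict) and "Controls" in doc:
        controls = doc["Controls"]
    elif isinstance(doc, list):
        controls = doc
    else:
        controls = [doc]
    for control in controls:
        for group in control.get("tests", []):
            for result in group.get("results", []):
                yield {
                    "id": result.get("test_number"),
                    "desc": result.get("test_desc", ""),
                    "status": str(result.get("status", "INFO")).upper(),
                    # Unscored checks are advisory; treat missing flag as scored.
                    "scored": bool(result.get("scored", True)),
                    "remediation": str(result.get("remediation", "")).strip(),
                }


def summarize(raw):
    """Count checks by status (PASS, FAIL, WARN, INFO)."""
    return Counter(r["status"] for r in iter_results(raw))


def scored_failures(raw):
    """Return only the failures that the benchmark scores, i.e. the ones that must be fixed."""
    return [r for r in iter_results(raw) if r["status"] == "FAIL" and r["scored"]]


def ci_gate(raw, fail_on_warn=False):
    """True if the run is acceptable: no scored FAIL (and no WARN when fail_on_warn is set)."""
    if scored_failures(raw):
        return False
    if fail_on_warn and summarize(raw).get("WARN", 0):
        return False
    return True


def report(raw):
    """Human-readable summary listing each scored failure with its remediation."""
    counts = summarize(raw)
    lines = ["kube-bench summary: " + ", ".join(f"{s}={n}" for s, n in sorted(counts.items()))]
    for r in scored_failures(raw):
        lines.append(f"[FAIL] {r['id']} {r['desc']}")
        lines.append(f"       remediation: {r['remediation']}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: kubectl logs job/kube-bench | python kube_bench_gate.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    print(report(data))
    sys.exit(0 if ci_gate(data) else 1)
```

Gating only on scored failures mirrors how the benchmark itself distinguishes mandatory from advisory items; flip fail_on_warn once the warnings have been triaged, otherwise the first unscored check blocks every pipeline run and the gate gets disabled rather than fixed.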