1) CIS Benchmarking
Configuration guidelines for various technology groups to safeguard systems against today’s evolving cyber threats
The Center for Internet Security (CIS) releases benchmarks for best practice security recommendations.
2) Kube-bench
kube-bench is a Go application that checks whether Kubernetes is deployed securely by running the checks documented in the CIS Kubernetes Benchmark.
Run kube-bench via Docker. --pid=host lets the container see the host's kube-apiserver process, the read-only mounts of /etc and /var let it read the control-plane manifests and config files, and the host's kubectl and kubeconfig let it query the API server. --version pins the Kubernetes version (and therefore which CIS benchmark revision is applied) instead of letting kube-bench auto-detect it, and the trailing jq prints only the number of failed checks:
docker run --pid=host \
  -v /etc:/etc:ro -v /var:/var:ro \
  -v $(which kubectl):/usr/local/mount-from-host/bin/kubectl \
  -v ~/.kube:/.kube -e KUBECONFIG=/.kube/config \
  -t aquasec/kube-bench:latest run --targets master --version 1.19 \
  --check 1.2.7,1.2.8,1.2.9 --json | jq .Totals.total_fail
The --check flag in the kube-bench command specifies a list of checks to run instead of running all available checks. Each check in kube-bench is identified by a unique ID, taken from the section and recommendation number in the CIS Kubernetes Benchmark. In the command above, --check 1.2.7,1.2.8,1.2.9 means that only these three checks from the kube-bench test suite are run:
- 1.2.7 – Ensure that the --enable-admission-plugins argument includes ServiceAccount (Scored)
- 1.2.8 – Ensure that the --kubelet-certificate-authority argument is set as appropriate (Scored)
- 1.2.9 – Ensure that the --authorization-mode argument includes Node (Scored)
Check IDs are renumbered between benchmark releases, so confirm this mapping against the benchmark revision kube-bench selects for the --version you pass before relying on a list like this.
By providing a comma-separated list of check IDs, you’re instructing kube-bench to execute only those tests and ignore the rest. This can be helpful when you want to focus on specific recommendations, re-run previously failed tests, or reduce the scope of the assessment for any other reason.
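The command above only prints a failure count. In a pipeline you usually want the build to stop on any failed check and the log to say which checks failed and how to fix them. The script below is an added example (not kube-bench's own code) that consumes the same JSON the jq filter reads; the embedded report is a constructed sample in the shape of kube-bench's output, with made-up values, and the older single-control fallback in load_report is an assumption about pre-"Controls" releases.

```python
"""Gate a pipeline stage on a kube-bench JSON report.

Pipeline usage (kube-bench invocation as on this page, output saved to a file):
    kube-bench run --targets master --version 1.19 --json > report.json
    python3 kube_bench_gate.py report.json            # exit 1 on any FAIL
    python3 kube_bench_gate.py report.json 1.2.8      # 1.2.8 is risk-accepted
"""
import json
import sys

# Constructed sample in the shape of `kube-bench --json` output (abbreviated).
# Field names follow kube-bench's report; descriptions and values are made up.
SAMPLE_OUTPUT = json.dumps({
    "Controls": [{
        "id": "1", "version": "1.19", "node_type": "master",
        "text": "Master Node Security Configuration",
        "tests": [{
            "section": "1.2", "desc": "API Server",
            "results": [
                {"test_number": "1.2.7", "status": "PASS", "scored": True,
                 "test_desc": "Ensure that the --enable-admission-plugins argument includes ServiceAccount",
                 "remediation": ""},
                {"test_number": "1.2.8", "status": "FAIL", "scored": True,
                 "test_desc": "Ensure that the --kubelet-certificate-authority argument is set as appropriate",
                 "remediation": "Set --kubelet-certificate-authority on kube-apiserver to the CA that signed the kubelet serving certificates."},
                {"test_number": "1.2.9", "status": "WARN", "scored": False,
                 "test_desc": "Ensure that the --authorization-mode argument includes Node",
                 "remediation": "Manual check: review the kube-apiserver manifest."},
            ],
        }],
    }],
    "Totals": {"total_pass": 1, "total_fail": 1, "total_warn": 1, "total_info": 0},
})


def load_report(text):
    """Parse kube-bench JSON into the {"Controls": [...], "Totals": {...}} shape.

    Recent kube-bench releases wrap the report this way (the page's jq path
    .Totals.total_fail depends on it). Assumption: older releases printed a
    single control object at top level, so wrap that form for uniform handling.
    """
    data = json.loads(text)
    if "Controls" in data:
        return data
    return {"Controls": [data], "Totals": {"total_fail": data.get("total_fail", 0)}}


def iter_results(report):
    """Yield every individual check result across all controls and sections."""
    for control in report["Controls"]:
        for group in control.get("tests", []):
            for result in group.get("results", []):
                yield result


def failed_checks(report):
    """Return the check results kube-bench marked FAIL (WARN/INFO are not blocking)."""
    return [r for r in iter_results(report) if r.get("status") == "FAIL"]


def gate(report_text, allow=frozenset(), out=sys.stdout):
    """Return 0 when no unapproved check failed, else 1.

    `allow` holds check IDs with a documented risk acceptance. They are still
    printed, tagged ACCEPTED, so exceptions stay visible in the build log
    instead of silently disappearing.
    """
    failures = failed_checks(load_report(report_text))
    blocking = [r for r in failures if r["test_number"] not in allow]
    for r in failures:
        tag = "ACCEPTED" if r["test_number"] in allow else "FAIL"
        print(f"[{tag}] {r['test_number']} {r.get('test_desc', '')}", file=out)
        if r.get("remediation"):
            print(f"    remediation: {r['remediation'].strip()}", file=out)
    print(f"{len(failures)} failed, {len(blocking)} blocking", file=out)
    return 1 if blocking else 0


if __name__ == "__main__":
    # Without arguments, run against the constructed sample (exits 1).
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_OUTPUT
    sys.exit(gate(text, allow=frozenset(sys.argv[2:])))
```

Listing accepted exceptions explicitly, rather than re-running with a smaller --check list, keeps the scope of the assessment stable while still letting the build pass on findings that have been reviewed.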
The full text of recommendation 1.2.x (and of every other check ID) is in the benchmark document, which you can download from:
https://www.cisecurity.org/benchmark/kubernetes
or
https://downloads.cisecurity.org
Run kube-bench on Jenkins
Run kube-bench on k8s
CronJob
Job
Or use the Job and CronJob manifests in the kube-bench repo:
https://github.com/aquasecurity/kube-bench
Hands-on:
For this failing check, make sure kube-apiserver runs with --anonymous-auth set to false. The flag defaults to true, so an API server that does not set it explicitly still fails the check.
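kube-bench's API-server checks work by reading the running kube-apiserver command line and inspecting its flags. The script below is an added example (not kube-bench's code) that does the same on an argv list for the anonymous-auth check above and the three checks passed to --check earlier on this page, then produces a remediated argv. The check IDs are the ones this page uses, the sample argv is constructed, and the kubelet CA path in harden() is an assumption: use the CA that actually signed your kubelet certificates.

```python
"""Audit and remediate kube-apiserver flags for the checks discussed on this page."""


def parse_flags(argv):
    """Map --flag=value or --flag value arguments to their values.

    A bare --flag with no value is treated as a boolean true, and a later
    occurrence of the same flag overrides an earlier one.
    """
    flags, i = {}, 0
    while i < len(argv):
        arg = argv[i]
        if arg.startswith("--"):
            name, eq, value = arg[2:].partition("=")
            if not eq:
                if i + 1 < len(argv) and not argv[i + 1].startswith("--"):
                    i += 1
                    value = argv[i]
                else:
                    value = "true"
            flags[name] = value
        i += 1
    return flags


def csv(value):
    """Split a comma-separated flag value into a list, dropping empties."""
    return [v.strip() for v in value.split(",") if v.strip()]


def audit(argv):
    """Return [(check, status, remediation)] for a kube-apiserver argv.

    Defaults matter: kube-apiserver assumes --anonymous-auth=true and
    --authorization-mode=AlwaysAllow when the flags are absent, so a missing
    flag is a FAIL, exactly as kube-bench reports it.
    """
    f = parse_flags(argv)
    results = []

    def check(name, ok, fix):
        results.append((name, "PASS" if ok else "FAIL", "" if ok else fix))

    check("--anonymous-auth is set to false",
          f.get("anonymous-auth", "true") == "false",
          "--anonymous-auth=false")
    check("1.2.7 --enable-admission-plugins includes ServiceAccount",
          "ServiceAccount" in csv(f.get("enable-admission-plugins", "")),
          "add ServiceAccount to --enable-admission-plugins")
    check("1.2.8 --kubelet-certificate-authority is set",
          bool(f.get("kubelet-certificate-authority")),
          "--kubelet-certificate-authority=<CA that signed the kubelet certs>")
    check("1.2.9 --authorization-mode includes Node",
          "Node" in csv(f.get("authorization-mode", "AlwaysAllow")),
          "--authorization-mode=Node,RBAC")
    return results


def set_flag(argv, name, value):
    """Return a copy of argv with --name=value, replacing any existing --name.

    Assumes the --flag=value form that kubeadm writes into the static pod
    manifest; a detached "--flag value" pair is not rewritten.
    """
    kept = [a for a in argv if a != f"--{name}" and not a.startswith(f"--{name}=")]
    return kept + [f"--{name}={value}"]


def harden(argv, kubelet_ca="/etc/kubernetes/pki/ca.crt"):
    """Return argv with all four findings remediated (kubelet_ca is an assumption)."""
    f = parse_flags(argv)
    out = set_flag(argv, "anonymous-auth", "false")
    # Any authorizer that allows a request wins, so AlwaysAllow must go, not
    # merely be joined by Node/RBAC. Node is placed first, as kubeadm does.
    modes = [m for m in csv(f.get("authorization-mode", "")) if m != "AlwaysAllow"]
    if "Node" not in modes:
        modes.insert(0, "Node")
    if "RBAC" not in modes:
        modes.append("RBAC")
    out = set_flag(out, "authorization-mode", ",".join(modes))
    plugins = csv(f.get("enable-admission-plugins", ""))
    if "ServiceAccount" not in plugins:
        plugins.append("ServiceAccount")
    out = set_flag(out, "enable-admission-plugins", ",".join(plugins))
    if not f.get("kubelet-certificate-authority"):
        out = set_flag(out, "kubelet-certificate-authority", kubelet_ca)
    return out


# Constructed argv of a weakly configured API server (all four checks fail).
VULNERABLE = ["kube-apiserver", "--anonymous-auth=true",
              "--authorization-mode=AlwaysAllow",
              "--enable-admission-plugins=NodeRestriction"]

if __name__ == "__main__":
    for name, status, fix in audit(VULNERABLE):
        print(f"[{status}] {name}" + (f"  ->  {fix}" if fix else ""))
    print("hardened:", " ".join(harden(VULNERABLE)))
```

Applying the hardened argv means editing /etc/kubernetes/manifests/kube-apiserver.yaml on the control-plane node (on a kubeadm cluster; assumption about the layout); the kubelet restarts the static pod, after which re-running kube-bench with the same --check list should report zero failures.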