Kube-bench
Definition
Kube-bench is an open-source tool that checks whether Kubernetes clusters are configured according to the security best practices defined in the CIS (Center for Internet Security) Kubernetes Benchmark. It automates the process of auditing Kubernetes clusters against these benchmarks, providing detailed reports on compliance and highlighting areas that require remediation to enhance security posture.
Secure Settings Example
# Example of a secure configuration in a Kubernetes PodSecurityPolicy
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted
spec:
  privileged: false
  allowPrivilegeEscalation: false
  requiredDropCapabilities:
    - ALL
  runAsUser:
    rule: MustRunAsNonRoot
  seLinux:
    rule: RunAsAny
  fsGroup:
    rule: MustRunAs
    ranges:
      - min: 1
        max: 65535
  volumes:
    - 'configMap'
    - 'emptyDir'
    - 'persistentVolumeClaim'
Insecure Settings Example
# Example of an insecure configuration in a Kubernetes PodSecurityPolicy
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: unrestricted
spec:
  privileged: true
  allowPrivilegeEscalation: true
  runAsUser:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  volumes:
    - '*'
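The two policies above differ in a handful of fields, and a kube-bench-style check is just a set of rules over those fields. The script below is an added example (not part of this page and not kube-bench's own code) that implements such a mini checker for both policies. It reads PodSecurityPolicy objects as JSON in the shape `kubectl get psp -o json` returns, so it needs only the Python standard library; the check IDs PSP-1 to PSP-6, the SAFE_VOLUME_TYPES allow-list and the two embedded policies (constructed from the page's YAML) are assumptions of this example, not CIS Benchmark numbers. One caveat for current clusters: PodSecurityPolicy was removed in Kubernetes 1.25 in favour of Pod Security Admission, so the same rules are now enforced through pod security standards rather than PSP objects.

```python
import json

# Constructed sample input: the page's two PodSecurityPolicy objects, written
# as the JSON that `kubectl get psp -o json` would return for them.
RESTRICTED_PSP = {
    "apiVersion": "policy/v1beta1",
    "kind": "PodSecurityPolicy",
    "metadata": {"name": "restricted"},
    "spec": {
        "privileged": False,
        "allowPrivilegeEscalation": False,
        "requiredDropCapabilities": ["ALL"],
        "runAsUser": {"rule": "MustRunAsNonRoot"},
        "seLinux": {"rule": "RunAsAny"},
        "fsGroup": {"rule": "MustRunAs", "ranges": [{"min": 1, "max": 65535}]},
        "volumes": ["configMap", "emptyDir", "persistentVolumeClaim"],
    },
}

UNRESTRICTED_PSP = {
    "apiVersion": "policy/v1beta1",
    "kind": "PodSecurityPolicy",
    "metadata": {"name": "unrestricted"},
    "spec": {
        "privileged": True,
        "allowPrivilegeEscalation": True,
        "runAsUser": {"rule": "RunAsAny"},
        "seLinux": {"rule": "RunAsAny"},
        "fsGroup": {"rule": "RunAsAny"},
        "volumes": ["*"],
    },
}

# Assumed allow-list: volume types that do not expose the node's filesystem.
SAFE_VOLUME_TYPES = {"configMap", "emptyDir", "persistentVolumeClaim",
                     "secret", "projected", "downwardAPI"}


def load_psps(text):
    """Parse `kubectl get psp -o json` output: a single object or a List."""
    doc = json.loads(text)
    if doc.get("kind") == "List":
        return [i for i in doc.get("items", []) if i.get("kind") == "PodSecurityPolicy"]
    return [doc]


def _runs_as_nonroot(run_as_user):
    """MustRunAsNonRoot passes; MustRunAs passes only if every UID range excludes 0."""
    rule = run_as_user.get("rule")
    ranges = run_as_user.get("ranges", [])
    if rule == "MustRunAsNonRoot":
        return True
    return rule == "MustRunAs" and bool(ranges) and all(r.get("min", 0) >= 1 for r in ranges)


def check_psp(psp):
    """Return a list of (check_id, status, description) for one PSP object.
    The IDs PSP-1..PSP-6 are labels invented for this example."""
    spec = psp.get("spec", {})
    findings = []

    def record(check_id, ok, description):
        findings.append((check_id, "PASS" if ok else "FAIL", description))

    # Field defaults matter: privileged defaults to false, but
    # allowPrivilegeEscalation defaults to true when the field is omitted.
    record("PSP-1", spec.get("privileged", False) is False, "privileged containers are not allowed")
    record("PSP-2", spec.get("allowPrivilegeEscalation", True) is False, "privilege escalation is not allowed")
    record("PSP-3", "ALL" in spec.get("requiredDropCapabilities", []), "all Linux capabilities are dropped")
    record("PSP-4", _runs_as_nonroot(spec.get("runAsUser", {})), "containers cannot run as root")
    record("PSP-5", spec.get("fsGroup", {}).get("rule") != "RunAsAny", "fsGroup is constrained to a range")
    volumes = set(spec.get("volumes", []))
    record("PSP-6", "*" not in volumes and volumes <= SAFE_VOLUME_TYPES, "only non-host volume types are allowed")
    return findings


def is_compliant(psp):
    return all(status == "PASS" for _, status, _ in check_psp(psp))


def summarize(findings):
    """Count PASS/FAIL results, in the spirit of the totals kube-bench prints."""
    return {"pass": sum(1 for _, s, _ in findings if s == "PASS"),
            "fail": sum(1 for _, s, _ in findings if s == "FAIL")}


def report(psps):
    """Print a per-policy report and return the per-policy summaries."""
    results = {}
    for psp in psps:
        name = psp.get("metadata", {}).get("name", "<unnamed>")
        findings = check_psp(psp)
        print(f"== PodSecurityPolicy {name} ==")
        for check_id, status, description in findings:
            print(f"[{status}] {check_id}: {description}")
        results[name] = summarize(findings)
        print(f"   {results[name]['pass']} passed, {results[name]['fail']} failed")
    return results


if __name__ == "__main__":
    # Stand-alone run over the two constructed policies, wrapped as a kubectl List.
    sample = json.dumps({"kind": "List", "items": [RESTRICTED_PSP, UNRESTRICTED_PSP]})
    report(load_psps(sample))
```

Run against the embedded sample, the restricted policy passes all six checks and the unrestricted policy fails all six. To point it at a real cluster, pipe `kubectl get psp -o json` into `load_psps`; a raw YAML manifest would first need to be converted with PyYAML, which is deliberately not used here so the example runs with the standard library alone. The PSP-2 rule is the one most often missed by hand: a policy that simply omits allowPrivilegeEscalation is insecure, because the field defaults to true.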