cisecurity.org<\/p><\/div>\n<\/div>\n
Kubernetes CIS benchmarks cover security guidelines & recommendations for the following<\/p>\n
- \n
- Control Plane Components<\/strong>: Control plane node configurations & component recommendations.<\/li>\n
- Worker Nodes:<\/strong> Worker node configurations and Kubelet.<\/li>\n
- Policies: <\/strong>RBAC, service accounts, Pod security standards, CNI and network policies, Secret Management, etc.<\/li>\n<\/ol>\n
The following image shows the example list of CIS guidelines for the Kubernetes API server.<\/p>\n
![\"kube-bench](\"https:\/\/storage.ghost.io\/c\/5f\/2f\/5f2f4d20-2abf-4534-8d40-7aa233aedd43\/content\/images\/2025\/03\/image-8-44.png\")
Click to view in HD<\/span><\/figcaption><\/figure>\n What is Kube-bench?<\/h2>\n
Kube-bench is an open-source tool to assess the security of Kubernetes clusters by running checks against the Center for Internet Security (CIS) Kubernetes benchmark.<\/a> It was developed in GoLang<\/strong> by Aqua Security<\/a>, a provider of cloud-native security solutions.<\/p>\n
Kube-bench can help with the following.<\/p>\n
- \n
- Cluster hardening:<\/strong> Kube-bench automates the process of checking the cluster configuration as per the security guidelines outlined in CIS benchmarks.<\/li>\n
- Policy Enforcement:<\/strong> Kube-bech checks for RBAC configuration to ensure the necessary least privileges are applied to service accounts, users, etc. it also checks for pod security standards and secret management.<\/li>\n
- Network segmentation:<\/strong> Kube-bench checks for CNI and its support for network policy to ensure that network policies are defined for all namespaces.<\/li>\n<\/ol>\n
When it comes to the use of kube-bench by organizations, a security survey<\/a> conducted by Red Hat found that 24% of the respondents use it.<\/p>\n
![\"Kube-bench](\"https:\/\/storage.ghost.io\/c\/5f\/2f\/5f2f4d20-2abf-4534-8d40-7aa233aedd43\/content\/images\/2025\/03\/image-2-50.png\")
Image Source: redhat.com<\/span><\/figcaption><\/figure>\n You can run kube-bench checks against a cluster in two ways.<\/p>\n
- \n
- From the command line using kube-bench CLI<\/li>\n
- Run inside a pod<\/li>\n<\/ol>\n
Let’s look at both options.<\/p>\n
Running Kube-bench From Command Line<\/h2>\n
If you are preparing for CKS certification<\/a>, running kube-bench from the command line is one of the important tasks.<\/p>\n
\nNote:<\/strong><\/b> This method will only work if you have access to the control plane node. If you are utilizing a managed Kubernetes service, you can run kube-bench as a pod, as explained in the following section.<\/div>\n<\/div>\nStep 1:<\/strong> Log in to the control plane(master) node and create a kube-bench directory<\/p>\n
sudo mkdir -p \/opt\/kube-bench<\/code><\/pre>\nStep 2: <\/strong>Go to the kube-bench releases<\/a> page and choose the latest Linux binary link.<\/p>\n
curl -L https:\/\/github.com\/aquasecurity\/kube-bench\/releases\/download\/v0.13.0\/kube-bench_0.13.0_linux_amd64.tar.gz -o \/opt\/kube-bench.tar.gz<\/code><\/pre>\nStep 3:<\/strong> Untar the binary to
\/opt\/kube-bench <\/code><\/strong>folder<\/p>\ntar -xvf kube-bench.tar.gz -C \/opt\/kube-bench<\/code><\/pre>\nIf you check the
\/opt\/kube-bench<\/code><\/strong> directory, You will see thekube-bench<\/code><\/strong> executable andcfg<\/code><\/strong> folder that contains the benchmark variations for different versions and versions of managed kubernetes services GKE, EKS, AKS, etc<\/strong> as shown in the following tree structure.<\/p>\nvagrant@master-node:~$ tree\n.\n\u251c\u2500\u2500 cfg\n\u2502 \u251c\u2500\u2500 ack-1.0\n\u2502 \u2502 \u251c\u2500\u2500 config.yaml\n\u2502 \u2502 \u251c\u2500\u2500 controlplane.yaml\n\u2502 \u2502 \u251c\u2500\u2500 etcd.yaml\n\u2502 \u2502 \u251c\u2500\u2500 managedservices.yaml\n\u2502 \u2502 \u251c\u2500\u2500 master.yaml\n\u2502 \u2502 \u251c\u2500\u2500 node.yaml\n\u2502 \u2502 \u2514\u2500\u2500 policies.yaml\n\u2502 \u251c\u2500\u2500 aks-1.0\n\u2502 \u2502 \u251c\u2500\u2500 config.yaml\n\u2502 \u2502 \u251c\u2500\u2500 controlplane.yaml\n\u2502 \u2502 \u251c\u2500\u2500 managedservices.yaml\n\u2502 \u2502 \u251c\u2500\u2500 master.yaml\n\u2502 \u2502 \u251c\u2500\u2500 node.yaml\n\u2502 \u2502 \u2514\u2500\u2500 policies.yaml\n\u2502 \u251c\u2500\u2500 cis-1.6-k3s\n\u2502 \u2502 \u251c\u2500\u2500 config.yaml\n\u2502 \u2502 \u251c\u2500\u2500 controlplane.yaml\n\u2502 \u2502 \u251c\u2500\u2500 etcd.yaml\n\u2502 \u2502 \u251c\u2500\u2500 master.yaml\n\u2502 \u2502 \u251c\u2500\u2500 node.yaml\n\u2502 \u2502 \u2514\u2500\u2500 policies.yaml\n\u2502 \u251c\u2500\u2500 config.yaml\n\u2502 \u251c\u2500\u2500 eks-stig-kubernetes-v1r6\n\u2502 \u2502 \u251c\u2500\u2500 config.yaml\n\u2502 \u2502 \u251c\u2500\u2500 controlplane.yaml\n\u2502 \u2502 \u251c\u2500\u2500 managedservices.yaml\n\u2502 \u2502 \u251c\u2500\u2500 master.yaml\n\u2502 \u2502 \u251c\u2500\u2500 node.yaml\n\u2502 \u2502 \u2514\u2500\u2500 policies.yaml\n\u2502 \u251c\u2500\u2500 gke-1.2.0\n\u2502 \u2502 \u251c\u2500\u2500 config.yaml\n\u2502 \u2502 \u251c\u2500\u2500 controlplane.yaml\n\u2502 \u2502 \u251c\u2500\u2500 managedservices.yaml\n\u2502 \u2502 \u251c\u2500\u2500 master.yaml\n\u2502 \u2502 \u251c\u2500\u2500 node.yaml\n\u2502 \u2502 \u2514\u2500\u2500 policies.yaml\n\u2502 \u2514\u2500\u2500 rh-1.0\n\u2502 \u251c\u2500\u2500 config.yaml\n\u2502 \u251c\u2500\u2500 controlplane.yaml\n\u2502 \u251c\u2500\u2500 etcd.yaml\n\u2502 \u251c\u2500\u2500 master.yaml\n\u2502 \u251c\u2500\u2500 node.yaml\n\u2502 \u2514\u2500\u2500 policies.yaml\n\u251c\u2500\u2500 kube-bench<\/code><\/pre>\nStep 4:<\/strong> Move the kube-bench executable to the
\/usr\/local\/bin<\/code><\/strong> directory that is part of the system PATH<\/p>\nsudo mv \/opt\/kube-bench\/kube-bench \/usr\/local\/bin\/<\/code><\/pre>\nNow you can execute
kube-bench<\/code> from any system location.<\/p>\nStep 4:<\/strong> Let’s run the benchmark checks using kube-bench<\/strong> executable. We will be using the generic config.yaml<\/strong> to run the benchmarks using the following command. You have to run the command as sudo.<\/p>\n
sudo kube-bench --config-dir \/opt\/kube-bench\/cfg --config \/opt\/kube-bench\/cfg\/config.yaml<\/code><\/pre>\nThe above command will run the benchmarks checks and creates the summary of checks, remediation, and summary as shown below.<\/p>\n
# Checks Example\n[INFO] 1 Control Plane Security Configuration\n[INFO] 1.1 Control Plane Node Configuration Files\n[PASS] 1.1.1 Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Automated)\n[PASS] 1.1.2 Ensure that the API server pod specification file ownership is set to root:root (Automated)\n\n# Remediations Example\n== Remediations master ==\n1.1.9 Run the below command (based on the file location on your system) on the control plane node.\nFor example, chmod 600 <path\/to\/cni\/files>\n1.1.12 On the etcd server node, get the etcd data directory, passed as an argument --data-dir,\nfrom the command 'ps -ef | grep etcd'.\n\n# Summary Example\n== Summary master ==\n41 checks PASS\n9 checks FAIL\n11 checks WARN\n0 checks INFO<\/code><\/pre>\nIf you want the report in a separate file, you can direct the output to a file as shown below.<\/p>\n
sudo kube-bench --config-dir \/opt\/kube-bench\/cfg --config \/opt\/kube-bench\/cfg\/config.yaml > kube-bench.report<\/code><\/pre>\n![\"kube-bench](\"https:\/\/storage.ghost.io\/c\/5f\/2f\/5f2f4d20-2abf-4534-8d40-7aa233aedd43\/content\/images\/2025\/03\/image-6-41.png\")
Click to view in HD<\/span><\/figcaption><\/figure>\n Installing Kube-bench From Package<\/h3>\n
You can also install and run kube-bench using Linux packages. On the releases page, you will find both
.deb<\/code><\/strong> and.rpm<\/code><\/strong> packages.<\/p>\nFor example, to install on Debian\/Ubuntu systems, you can execute the following commands.<\/p>\n
curl -L https:\/\/github.com\/aquasecurity\/kube-bench\/releases\/download\/v0.13.0\/kube-bench_0.13.0_linux_amd64.deb\n\nsudo dpkg -i kube-bench.deb<\/code><\/pre>\nAfter the installation, you can find the kube-bench cfg folder in the
\/etc\/kube-bench\/<\/code><\/strong> directory.<\/p>\nAlso, you can run the kube-bench checks without providing the config directory parameters as we did in the binary installation. By default,
kube-bench<\/code><\/strong> refers the\/etc\/kube-bench\/cfg<\/code><\/strong> directory.<\/p>\nTo run the checks execute the following command.<\/p>\n
sudo kube-bench<\/code><\/pre>\nRunning Kube-bench In a Pod<\/h2>\n
Another method to run
kube-bench<\/code> <\/strong>is by deploying it as a Kubernetes job<\/strong><\/a> pod<\/strong>. This method is particularly useful for running CIS benchmarks on managed Kubernetes clusters where root access to the control plane or worker nodes is not available.<\/p>\nkubectl apply -f https:\/\/raw.githubusercontent.com\/aquasecurity\/kube-bench\/main\/job.yaml<\/code><\/pre>\nOr if you want to modify the YAML, you can download it to a file and then apply it<\/p>\n
curl https:\/\/raw.githubusercontent.com\/aquasecurity\/kube-bench\/main\/job.yaml > job.yaml<\/code><\/pre>\nkubectl apply -f job.yaml<\/code><\/pre>\nThen kube-bench report will be available in the pod logs. First List the pod<\/p>\n
kubectl get pods<\/code><\/pre>\nNow use the pod name to get the logs. Replace
kube-bench-4j2bs<\/code> with your pod name.<\/p>\nkubectl logs kube-bench-4j2bs<\/code><\/pre>\nYou can also export the kube-bench log to a file<\/p>\n
kubectl logs kube-bench-4j2bs > kube-bench.report<\/code><\/pre>\nKube-bench Possible Errors<\/h2>\n
unable to determine benchmark version: config file is missing 'version_mapping' sectio<\/code><\/pre>\nIf you run the
kube-bench<\/code><\/strong> command without providing the--config-dir<\/code><\/strong> and--config<\/code><\/strong> parameters, you will get the above error.<\/p>\nKube-bench for Managed Kubernetes Clusters (GKE, EKS, AKS etc)<\/h2>\n
If you look at managed Kubernetes services like GKE, EKS, or AKS, you don’t get access to the control plane node to install the kube-bench utility.<\/p>\n
All managed kubernetes services follow the shared responsibility model where the Cloud providers take care of control plane availability and security and the user needs to take care of security in terms of users, policies, etc.<\/p>\n
Also, when you deploy the pod, it gets scheduled on a node and Kube-bench figures out that only kubelet is running on that node and it runs the checks accordingly. Meaning, it runs the tests for worker nodes. If you schedule the pod to be in the control plane, it runs all the checks required for the control plane.<\/p>\n
kube-bench Alternatives<\/h2>\n
If you are looking for open-source alternatives for kube-bench to run CIS benchmarks, you can look at the following two tools.<\/p>\n
- \n
- Checkov<\/li>\n
- KubeScape<\/li>\n<\/ol>\n
Summary<\/h2>\n
Kube-bench helps in verifying that your Kubernetes cluster is configured according to the recommendations from the Center for Internet Security (CIS).<\/p>\n
To comply with the organization’s security policies and audit requirements, you can run kube-bench to check and remediate security issues in the cluster.<\/p>\n
If you are learning kubernetes, check out the comprehensive kubernetes tutorials<\/a>.<\/p>\n
\n
- Policy Enforcement:<\/strong> Kube-bech checks for RBAC configuration to ensure the necessary least privileges are applied to service accounts, users, etc. it also checks for pod security standards and secret management.<\/li>\n
- Worker Nodes:<\/strong> Worker node configurations and Kubelet.<\/li>\n