AKS 2- What is kube-bench?

kube-bench is an open-source tool that checks whether your Kubernetes cluster is secure, based on the CIS (Center for Internet Security) Benchmarks.

🧠 Imagine this:

You’ve built a secure house (your Kubernetes cluster). Now, you want to make sure:

  • The doors have strong locks.
  • The windows aren’t left open.
  • The alarm system is working.
  • Only trusted people have keys.

You could check all this manually, but it’s time-consuming and easy to miss something.

kube-bench does the checking for you: it audits your cluster against industry best practices and reports misconfigurations or insecure settings.

Simple Explanation (Layman Terms)

Imagine kube-bench like a security checklist app for your Kubernetes cluster:

  • Is your API server using encryption?
  • Are your kubelets secure?
  • Are permissions set correctly?

kube-bench checks all this — and tells you what’s good and what’s risky.

CIS Benchmarks

The CIS Kubernetes Benchmark is a list of security controls and hardening steps. kube-bench runs these checks on:

  • Control plane (API server, etcd, scheduler, controller-manager)
  • Worker nodes (kubelet)
  • Configuration files (like kube-apiserver.yaml, kubelet.conf, etc.)

How to Use kube-bench

Option 1: Run directly on a node

Download:

curl -L https://github.com/aquasecurity/kube-bench/releases/latest/download/kube-bench_amd64.tar.gz | tar xz

Run as root:

sudo ./kube-bench

Option 2: Run in a Pod (works with AKS, EKS, GKE, etc.)

kubectl apply -f https://raw.githubusercontent.com/aquasecurity/kube-bench/main/job.yaml

This creates a Kubernetes Job that runs kube-bench once on a node; the results are written to the Job’s pod logs.

Use with Helm

Install kube-bench with Helm if you’re managing it in GitOps or want flexibility:

Example Output

== Running kube-bench for node ==
[PASS] 1.1.1 Ensure that the --anonymous-auth argument is set to false
[FAIL] 1.1.2 Ensure that the --authorization-mode argument is not set to AlwaysAllow
[WARN] 1.1.3 Ensure that the --client-ca-file argument is set as appropriate

It shows:

  • ✅ PASS: Compliant
  • ❌ FAIL: Not compliant
  • ⚠️ WARN: Might be a risk

Best Practices

  • Automate it as part of a weekly scan job
  • Run kube-bench after every major upgrade
  • Combine with tools like Kyverno and Trivy for full security coverage
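The following script is an added example (not code from the original post or from the kube-bench project) that ties the two previous sections together: it collects the output of the kube-bench Job from Option 2 and turns the PASS/FAIL/WARN lines into a pass/fail gate that a weekly scan job can use. It assumes the Job created by the upstream job.yaml is named `kube-bench`; the sample output embedded below is constructed for offline use and is not real scan data.

```shell
#!/usr/bin/env sh
# Added example (not from the original post or the kube-bench project):
# collect kube-bench Job output and turn it into a pass/fail gate for a
# scheduled scan. The Job name "kube-bench" is assumed to match what the
# upstream job.yaml creates. The sample output below is constructed.

# Real-cluster collection (requires kubectl access; not run in the offline demo).
collect_kube_bench_logs() {
    kubectl apply -f https://raw.githubusercontent.com/aquasecurity/kube-bench/main/job.yaml
    kubectl wait --for=condition=complete --timeout=120s job/kube-bench
    kubectl logs job/kube-bench
}

# Count result lines with a given status tag (PASS, FAIL, WARN, INFO).
# Usage: count_status "$output" FAIL
count_status() {
    printf '%s\n' "$1" | awk -v tag="[$2]" '$1 == tag { n++ } END { print n + 0 }'
}

# List the IDs of failed checks, one per line, so they can be tracked
# or turned into policy-as-code rules.
failed_check_ids() {
    printf '%s\n' "$1" | awk '$1 == "[FAIL]" { print $2 }'
}

# Gate: return 1 when any check FAILs, 0 otherwise. WARNs are reported
# but do not fail the scan, because they need a human decision.
gate_on_failures() {
    output="$1"
    pass=$(count_status "$output" PASS)
    fail=$(count_status "$output" FAIL)
    warn=$(count_status "$output" WARN)
    echo "kube-bench summary: PASS=$pass FAIL=$fail WARN=$warn"
    if [ "$fail" -gt 0 ]; then
        echo "Failed checks:"
        failed_check_ids "$output"
        return 1
    fi
    return 0
}

# Constructed sample output in kube-bench's line format (not real scan data).
SAMPLE_OUTPUT='== Running kube-bench for node ==
[PASS] 1.1.1 Ensure that the --anonymous-auth argument is set to false
[FAIL] 1.1.2 Ensure that the --authorization-mode argument is not set to AlwaysAllow
[WARN] 1.1.3 Ensure that the --client-ca-file argument is set as appropriate
[PASS] 1.1.4 Ensure that the --read-only-port argument is set to 0'

# Offline demo: run the gate on the constructed sample.
# On a real cluster use: gate_on_failures "$(collect_kube_bench_logs)"
gate_on_failures "$SAMPLE_OUTPUT" || echo "scan would fail the pipeline"
```

In a CronJob or CI pipeline, replace the constructed sample with `$(collect_kube_bench_logs)` and let the non-zero exit status fail the run; keep WARN results visible in the summary so they are reviewed rather than silently ignored.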

Combine with Kyverno (Bonus Tip)

You can use kube-bench findings to create Kyverno policies that prevent future misconfigurations.

Example: If kube-bench warns about no CPU limits, use Kyverno to block any pod that doesn’t set limits.
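As an added example of the bonus tip (not code from the original post, from kube-bench or from the Kyverno project), the script below writes a Kyverno ClusterPolicy that rejects Pods whose containers do not set CPU and memory limits, and shows how it would be applied. The policy name `require-resource-limits`, the rule name and the output file path are assumptions of this example.

```shell
#!/usr/bin/env sh
# Added example (not from the original post, kube-bench or Kyverno): write a
# Kyverno ClusterPolicy that blocks Pods whose containers lack CPU and memory
# limits. Policy name, rule name and output path are assumptions.

write_require_limits_policy() {
    cat > "$1" <<'EOF'
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-resource-limits
spec:
  # Enforce rejects non-compliant Pods at admission time. Start with Audit
  # to see what would be blocked before enforcing on a live cluster.
  validationFailureAction: Enforce
  background: true
  rules:
    - name: check-container-limits
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: "Every container must set resources.limits.cpu and resources.limits.memory."
        pattern:
          spec:
            containers:
              # "?*" means the field must be present and non-empty.
              - resources:
                  limits:
                    cpu: "?*"
                    memory: "?*"
EOF
}

# Return the apiVersion of the written manifest so callers can sanity-check it.
policy_api_version() {
    awk '$1 == "apiVersion:" { print $2; exit }' "$1"
}

# Usage on a real cluster (needs kubectl access, so not run offline):
#   write_require_limits_policy require-resource-limits.yaml
#   kubectl apply -f require-resource-limits.yaml
#   kubectl get clusterpolicy require-resource-limits
write_require_limits_policy "${1:-require-resource-limits.yaml}"
```

Kyverno applies Pod rules to the Pod templates of Deployments, StatefulSets and similar controllers as well, so one policy covers the usual ways workloads reach the cluster; switching `validationFailureAction` to `Audit` first lets you read the policy reports before any workload is rejected.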
