mirror of
https://github.com/aquasecurity/kube-bench.git
synced 2026-03-01 09:10:25 +00:00
Compare commits
52 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
ba437d500a | ||
|
42f4152058 | ||
|
|
8dabb7dc37 | ||
|
|
f2062e81a1 | ||
|
|
528bcfbffe | ||
|
|
3422b9102f | ||
|
|
86b126ad2b | ||
|
|
827945f7fb | ||
|
|
79427e185e | ||
|
|
6b9ceae9d4 | ||
|
|
fbd6eb8ff5 | ||
|
2a9a02f25b | ||
|
|
8021610e46 | ||
|
|
2eef3e8ad2 | ||
|
791fbba9e7 | ||
|
|
f6cab11357 | ||
|
|
9f2899027e | ||
|
|
313fe038f6 | ||
|
|
2d721ed4ad | ||
|
|
799b928054 | ||
|
|
3a662b3ff6 | ||
|
|
f902b30110 | ||
|
|
b52a88214f | ||
|
|
bfdd921f3d | ||
|
af7ad90477 | ||
|
|
ffe7ffb3d3 | ||
|
fd120d0adf | ||
|
|
ba03d8f64b | ||
|
|
21f7902288 | ||
|
|
26e28b8897 | ||
|
|
ae1812b4db | ||
|
|
1534a4aea8 | ||
|
|
28a57ff1a3 | ||
|
|
41fe066039 | ||
|
5ca498cd50 | ||
|
|
e81b785bf8 | ||
|
645d23e1ec | ||
|
|
52d6ac717d | ||
|
|
bdbbe41b69 | ||
|
|
ba9985047c | ||
|
|
5fe702edbe | ||
|
|
6e80b6477a | ||
|
|
e1f5bb1ace | ||
|
|
6d8788071f | ||
|
|
f42243e9b5 | ||
|
|
d004acdbba | ||
|
0a5358665e | ||
|
|
4f40a11e84 | ||
|
b3b3cb819a | ||
|
|
c0f56e966a | ||
|
|
ed7f6cf3fc | ||
|
e083c8f0a3 |
5
NOTICE
Normal file
5
NOTICE
Normal file
@@ -0,0 +1,5 @@
|
||||
kube-bench
|
||||
Copyright 2017-2019 Aqua Security Software Ltd.
|
||||
|
||||
This product includes software developed by Aqua Security (https://aquasec.com).
|
||||
|
||||
43
README.md
43
README.md
@@ -13,7 +13,7 @@ Tests are configured with YAML files, making this tool easy to update as test sp
|
||||
|
||||
## CIS Kubernetes Benchmark support
|
||||
|
||||
kube-bench supports the tests for multiple versions of Kubernetes (1.6, 1.7, 1.8, and 1.11) as defined in the CIS Benchmarks 1.0.0, 1.1.0, 1.2.0, and 1.30 respectively. It will determine the test set to run based on the Kubernetes version running on the machine.
|
||||
kube-bench supports the tests for multiple versions of Kubernetes (1.6, 1.7, 1.8, and 1.11) as defined in the CIS Benchmarks 1.0.0, 1.1.0, 1.2.0, and 1.3.0 respectively. It will determine the test set to run based on the Kubernetes version running on the machine.
|
||||
|
||||
## Installation
|
||||
|
||||
@@ -25,36 +25,54 @@ You can choose to
|
||||
|
||||
### Running inside a container
|
||||
|
||||
You can avoid installing kube-bench on the host by running it inside a container using the host PID namespace.
|
||||
You can avoid installing kube-bench on the host by running it inside a container using the host PID namespace and mounting the `/etc` and `/var` directories where the configuration and other files are located on the host, so that kube-bench can check their existence and permissions.
|
||||
|
||||
```
|
||||
docker run --pid=host -t aquasec/kube-bench:latest <master|node>
|
||||
docker run --pid=host -v /etc:/etc:ro -v /var:/var:ro -t aquasec/kube-bench:latest <master|node>
|
||||
```
|
||||
|
||||
You can even use your own configs by mounting them over the default ones in `/opt/kube-bench/cfg/`
|
||||
|
||||
```
|
||||
docker run --pid=host -t -v path/to/my-config.yaml:/opt/kube-bench/cfg/config.yaml aquasec/kube-bench:latest <master|node>
|
||||
docker run --pid=host -v /etc:/etc:ro -v /var:/var:ro -t -v path/to/my-config.yaml:/opt/kube-bench/cfg/config.yaml aquasec/kube-bench:latest <master|node>
|
||||
```
|
||||
|
||||
> Note: the tests require either the kubelet or kubectl binary in the path in order to know the Kubernetes version. You can pass `-v $(which kubectl):/usr/bin/kubectl` to the above invocations to resolve this.
|
||||
|
||||
### Running in a kubernetes cluster
|
||||
Run the master check
|
||||
|
||||
```
|
||||
kubectl run --rm -i -t kube-bench-master --image=aquasec/kube-bench:latest --restart=Never --overrides="{ \"apiVersion\": \"v1\", \"spec\": { \"hostPID\": true, \"nodeSelector\": { \"kubernetes.io/role\": \"master\" }, \"tolerations\": [ { \"key\": \"node-role.kubernetes.io/master\", \"operator\": \"Exists\", \"effect\": \"NoSchedule\" } ] } }" -- master --version 1.11
|
||||
You can run kube-bench inside a pod, but it will need access to the host's PID namespace in order to check the running processes, as well as access to some directories on the host where config files and other files are stored.
|
||||
|
||||
To run the tests on the master node, the pod needs to be scheduled on that node. This involves setting a nodeSelector and tolerations in the pod spec.
|
||||
|
||||
The supplied `job-node.yaml` and `job-master.yaml` files can be applied to run the tests as a job. For example:
|
||||
|
||||
```bash
|
||||
$ kubectl apply -f job-master.yaml
|
||||
job.batch/kube-bench-master created
|
||||
|
||||
$ kubectl get pods
|
||||
NAME READY STATUS RESTARTS AGE
|
||||
kube-bench-master-j76s9 0/1 ContainerCreating 0 3s
|
||||
|
||||
# Wait for a few seconds for the job to complete
|
||||
$ kubectl get pods
|
||||
NAME READY STATUS RESTARTS AGE
|
||||
kube-bench-master-j76s9 0/1 Completed 0 11s
|
||||
|
||||
# The results are held in the pod's logs
|
||||
k logs kube-bench-master-j76s9
|
||||
[INFO] 1 Master Node Security Configuration
|
||||
[INFO] 1.1 API Server
|
||||
...
|
||||
```
|
||||
|
||||
Run the node check
|
||||
|
||||
```
|
||||
kubectl run --rm -i -t kube-bench-node --image=aquasec/kube-bench:latest --restart=Never --overrides="{ \"apiVersion\": \"v1\", \"spec\": { \"hostPID\": true } }" -- node --version 1.11
|
||||
```
|
||||
The default labels applied to master nodes has changed since Kubernetes 1.11, so if you are using an older version you may need to modify the nodeSelector and tolerations to run the job on the master node.
|
||||
|
||||
### Installing from a container
|
||||
|
||||
This command copies the kube-bench binary and configuration files to your host from the Docker container:
|
||||
** binaries compiled for linux-x86-64 only (so they won't run on OSX or Windows) **
|
||||
```
|
||||
docker run --rm -v `pwd`:/host aquasec/kube-bench:latest install
|
||||
```
|
||||
@@ -81,6 +99,7 @@ go build -o kube-bench .
|
||||
```
|
||||
|
||||
## Configuration
|
||||
|
||||
Kubernetes config and binary file locations and names can vary from installation to installation, so these are configurable in the `cfg/config.yaml` file.
|
||||
|
||||
For each type of node (*master*, *node* or *federated*) there is a list of components, and for each component there is a set of binaries (*bins*) and config files (*confs*) that kube-bench will look for (in the order they are listed). If your installation uses a different binary name or config file location for a Kubernetes component, you can add it to `cfg/config.yaml`.
|
||||
|
||||
@@ -179,7 +179,7 @@ groups:
|
||||
Edit the API server pod specification file $apiserverconf
|
||||
on the master node and set the --enable-admission-plugins to
|
||||
include AlwaysPullImages.
|
||||
--enable-admission-plugins...,AlwaysPullImages,...
|
||||
--enable-admission-plugins=...,AlwaysPullImages,...
|
||||
scored: true
|
||||
|
||||
- id: 1.1.12
|
||||
@@ -220,12 +220,15 @@ groups:
|
||||
text: "Ensure that the admission control plugin NamespaceLifecycle is set (Scored)"
|
||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||
tests:
|
||||
bin_op: or
|
||||
test_items:
|
||||
- flag: "--disable-admission-plugins"
|
||||
compare:
|
||||
op: has
|
||||
op: nothave
|
||||
value: "NamespaceLifecycle"
|
||||
set: true
|
||||
- flag: "--disable-admission-plugins"
|
||||
set: false
|
||||
remediation: |
|
||||
Edit the API server pod specification file $apiserverconf
|
||||
on the master node and set the --disable-admission-plugins parameter to
|
||||
@@ -496,7 +499,7 @@ groups:
|
||||
remediation: |
|
||||
Edit the API server pod specification file $apiserverconf
|
||||
on the master node and set the below parameter.
|
||||
--tls-cipher- suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM _SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM _SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM _SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
|
||||
--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
|
||||
scored: false
|
||||
|
||||
- id: 1.1.31
|
||||
@@ -607,15 +610,15 @@ groups:
|
||||
text: "Ensure that the AdvancedAuditing argument is not set to false (Scored)"
|
||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||
tests:
|
||||
bin_op: and
|
||||
bin_op: or
|
||||
test_items:
|
||||
- flag: "--feature-gates"
|
||||
compare:
|
||||
op: nothave
|
||||
value: "AdvancedAuditing=false"
|
||||
set: true
|
||||
- flag: "--audit-policy-file"
|
||||
set: true
|
||||
- flag: "--feature-gates"
|
||||
set: false
|
||||
remediation: |
|
||||
Follow the Kubernetes documentation and set the desired audit policy in the
|
||||
/etc/kubernetes/audit-policy.yaml file. Then, edit the API server pod specification file $apiserverconf
|
||||
@@ -1422,7 +1425,7 @@ groups:
|
||||
scored: false
|
||||
|
||||
- id: 1.7.5
|
||||
text: " Do not admit containers with allowPrivilegeEscalation (Not Scored)"
|
||||
text: "Do not admit containers with allowPrivilegeEscalation (Not Scored)"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.allowPrivilegeEscalation field is omitted or set to false.
|
||||
|
||||
@@ -164,6 +164,8 @@ groups:
|
||||
op: eq
|
||||
value: true
|
||||
set: true
|
||||
- flag: "--make-iptables-util-chains"
|
||||
set: false
|
||||
remediation: |
|
||||
If using a Kubelet config file, edit the file to set makeIPTablesUtilChains: true .
|
||||
If using command line arguments, edit the kubelet service file
|
||||
@@ -309,7 +311,7 @@ groups:
|
||||
remediation: |
|
||||
If using a Kubelet config file, edit the file to set TLSCipherSuites: to TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 ,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
|
||||
If using executable arguments, edit the kubelet service file $kubeletconf on each worker node and set the below parameter.
|
||||
--tls-cipher- suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM _SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM _SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM _SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
|
||||
--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
|
||||
scored: false
|
||||
|
||||
- id: 2.2
|
||||
|
||||
@@ -44,9 +44,12 @@ func runChecks(nodetype check.NodeType) {
|
||||
file = federatedFile
|
||||
}
|
||||
|
||||
runningVersion, err := getKubeVersion()
|
||||
if err != nil && kubeVersion == "" {
|
||||
exitWithError(fmt.Errorf("Version check failed: %s\nAlternatively, you can specify the version with --version", err))
|
||||
runningVersion := ""
|
||||
if kubeVersion == "" {
|
||||
runningVersion, err = getKubeVersion()
|
||||
if err != nil {
|
||||
exitWithError(fmt.Errorf("Version check failed: %s\nAlternatively, you can specify the version with --version", err))
|
||||
}
|
||||
}
|
||||
path, err := getConfigFilePath(kubeVersion, runningVersion, file)
|
||||
if err != nil {
|
||||
|
||||
38
job-master.yaml
Normal file
38
job-master.yaml
Normal file
@@ -0,0 +1,38 @@
|
||||
apiVersion: batch/v1
|
||||
kind: Job
|
||||
metadata:
|
||||
name: kube-bench-master
|
||||
spec:
|
||||
template:
|
||||
spec:
|
||||
hostPID: true
|
||||
nodeSelector:
|
||||
node-role.kubernetes.io/master: ""
|
||||
tolerations:
|
||||
- key: node-role.kubernetes.io/master
|
||||
operator: Exists
|
||||
effect: NoSchedule
|
||||
containers:
|
||||
- name: kube-bench
|
||||
image: aquasec/kube-bench:latest
|
||||
command: ["kube-bench","master"]
|
||||
volumeMounts:
|
||||
- name: var-lib-etcd
|
||||
mountPath: /var/lib/etcd
|
||||
- name: etc-kubernetes
|
||||
mountPath: /etc/kubernetes
|
||||
# /usr/bin is mounted to access kubectl / kubelet, for auto-detecting the Kubernetes version.
|
||||
# You can omit this mount if you specify --version as part of the command.
|
||||
- name: usr-bin
|
||||
mountPath: /usr/bin
|
||||
restartPolicy: Never
|
||||
volumes:
|
||||
- name: var-lib-etcd
|
||||
hostPath:
|
||||
path: "/var/lib/etcd"
|
||||
- name: etc-kubernetes
|
||||
hostPath:
|
||||
path: "/etc/kubernetes"
|
||||
- name: usr-bin
|
||||
hostPath:
|
||||
path: "/usr/bin"
|
||||
37
job-node.yaml
Normal file
37
job-node.yaml
Normal file
@@ -0,0 +1,37 @@
|
||||
apiVersion: batch/v1
|
||||
kind: Job
|
||||
metadata:
|
||||
name: kube-bench-node
|
||||
spec:
|
||||
template:
|
||||
spec:
|
||||
hostPID: true
|
||||
containers:
|
||||
- name: kube-bench
|
||||
image: aquasec/kube-bench:latest
|
||||
command: ["kube-bench","node"]
|
||||
volumeMounts:
|
||||
- name: var-lib-kubelet
|
||||
mountPath: /var/lib/kubelet
|
||||
- name: etc-systemd
|
||||
mountPath: /etc/systemd
|
||||
- name: etc-kubernetes
|
||||
mountPath: /etc/kubernetes
|
||||
# /usr/bin is mounted to access kubectl / kubelet, for auto-detecting the Kubernetes version.
|
||||
# You can omit this mount if you specify --version as part of the command.
|
||||
- name: usr-bin
|
||||
mountPath: /usr/bin
|
||||
restartPolicy: Never
|
||||
volumes:
|
||||
- name: var-lib-kubelet
|
||||
hostPath:
|
||||
path: "/var/lib/kubelet"
|
||||
- name: etc-systemd
|
||||
hostPath:
|
||||
path: "/etc/systemd"
|
||||
- name: etc-kubernetes
|
||||
hostPath:
|
||||
path: "/etc/kubernetes"
|
||||
- name: usr-bin
|
||||
hostPath:
|
||||
path: "/usr/bin"
|
||||
Reference in New Issue
Block a user