Skip to content

nirmata/kube-bench

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

58 Commits

.github/workflows

.github/workflows

 
 

hack

hack

 
 

kubernetes

kubernetes

 
 

pkg

pkg

 
 

samples

samples

 
 

.gitignore

.gitignore

 
 

Dockerfile

Dockerfile

 
 

Makefile

Makefile

 
 

README.md

README.md

 
 

go.mod

go.mod

 
 

go.sum

go.sum

 
 

main.go

main.go

 
 

sample-result.yaml

sample-result.yaml

 
 

Repository files navigation

kube-bench adapter

The kube-bench adapter runs a CIS benchmark check with a tool called kube-bench and produces a cluster-wide policy report based on the Policy Report Custom Resource Definition

Running

Prerequisites:

  • To run the Kubernetes cluster locally, tools like kind or minikube can be used. Here are the steps to run the kube-bench adapater with a kind cluster.

Steps

Common steps

# 1. Create a Kubernetes cluster
kind create cluster

# 2. Create a CustomResourceDefinition
kubectl create -f kubernetes/crd/v1alpha2/wgpolicyk8s.io_clusterpolicyreports.yaml

Steps to run kube-bench adapter in-cluster as a Cron-Job

# 3. Create Role, Role-Binding and Services
kubectl create -f kubernetes/role.yaml -f kubernetes/rb.yaml -f kubernetes/service.yaml

# 4. Create cron-job
kubectl create -f kubernetes/cron-job.yaml

# 5. Watch the jobs
kubectl get jobs --watch

# 6. Check policyreports created through the custom resource
kubectl get clusterpolicyreports

Steps to run kube-bench adapter from outside a cluster

Building
make build-local
Installing
# Create policy report using
./policyreport -name="kube-bench" -kube-bench-targets="master,node" -kube-bench-benchmark=cis-1.7 -category="CIS Kubernetes Benchmarks"

# Check policyreports created through the custom resource
kubectl get clusterpolicyreports
Command Line Arguments
Argument Type Default value Allowed value Usage
-category string CIS Kubernetes Benchmarks Any string name valid for category category of the policy report
-namespace string default any string name for required namespace specifies namespace where kube-bench job will run
-kube-bench-benchmark string cis-1.7 See CIS Kubernetes Benchmark support specify the benchmark for kube-bench job
-kube-bench-targets string(accepts multiple values) master,node,etcd,policies master, controlplane, node, etcd, policies targets for benchmark of kube-bench job
-kube-bench-version string 1.21 Kubernetes Version like 1.20,1.21,etc specify the Kubernetes version for kube-bench job
-kube-bench-image string aquasec/kube-bench:latest aquasec/kube-bench:(kube-bench-version) kube-bench image used as part of this test
-kubeconfig string $HOME/.kube/config path to your KUBECONFIG absolute path to the kubeconfig file
-name string kube-bench Any name of string type name of policy report

Project Maintenance

Updating the Policy Report CRD

Updating the kube-bench jobs

Notes:

  • Flags -name, -category are user configurable and can be changed by changing the variable on the right hand side.
  • In order to generate policy report in the form of YAML, we can do kubectl get clusterpolicyreports -o yaml > res.yaml which will generate it as res.yaml in this case.

About

Kyverno adapter for CIS Benchmarks

Resources

Readme
Activity
Custom properties

Stars

4 stars

Watchers

6 watching

Forks

0 forks
Report repository

Releases

6 tags

Packages 2

 
 

Contributors 4

  •  
  •  
  •  
  •  

Languages