Kubernetes hardening made easy: Running CIS Benchmarks with kube-bench

In today's world, where security risks and breaches grow daily, it is crucial to keep our applications and infrastructure compliant with security standards, and that is where the CIS Benchmarks from the Center for Internet Security (CIS) come in. With kube-bench, running these checks becomes straightforward, helping you harden your Kubernetes clusters with confidence.

CIS Benchmarks

Here is the mission statement from CIS's website:

Our mission is to make the connected world a safer place by developing, validating, and promoting timely best practice solutions that help people, businesses, and governments protect themselves against pervasive cyber threats.

See https://www.cisecurity.org/ for more details.

In practice, CIS helps us pin down:

  • Which best practices and guidelines to follow.
  • Which tools are available to scan our applications or infrastructure against them.
  • How to keep those best practices updated in a timely manner.

The benchmarks are available for many platforms, including:

  • All the public cloud providers
  • Software
  • DevSecOps tools
  • Mobile devices
  • Operating systems
  • and much more.

You can find their extensive list here: https://learn.cisecurity.org/benchmarks

CIS Benchmarks: Download PDF for your platform

To download the PDF files you just need to provide some general details about yourself at https://learn.cisecurity.org/benchmarks.

Once done, press "Submit" and you will receive an email with a link from which you can download all kinds of benchmarks.

It looks something like this:

[Image: Download Benchmarks]

Upon pressing "Access PDFs" you will be routed to their extensive list of benchmarks, which looks something like this:

[Image: Access PDFs]

You can choose whichever you want, but since we are interested in Kubernetes for now, we will scroll down to the Kubernetes section.

[Image: Kubernetes Benchmarks]

The good part is that this is not limited to vanilla Kubernetes: benchmarks are also available for the managed Kubernetes flavours such as EKS from AWS, AKS from Azure, GKE from Google, etc.

Once you download a specific PDF, you will see it contains a great amount of detail, including recommendations, problem statements, impact, remediation, etc.

As you will have observed, the PDF contains thousands of recommendations, and going through them and applying them one by one is a time-consuming task; now imagine doing that for hundreds of clusters. That said, I would recommend going through it at least once to get an idea of what it contains and how we can make use of it.

To make our lives easier there are a couple of tools that automate this process and identify where we fall short, so that we can fix the gaps quickly.

CIS Benchmarks: Tools

There are a couple of tools managed by CIS itself, such as CIS-CAT Lite and CIS-CAT Pro. CIS-CAT Lite is the free version and supports a limited set of benchmarks, which excludes Kubernetes. CIS-CAT Pro is the one that supports Kubernetes, but it is only available to CIS SecureSuite members.

See https://www.cisecurity.org/cybersecurity-tools for more details about the tools.

Now for the good part: the community has given us a couple of open-source tools that do the same 😉 The most widely used one is kube-bench (from Aqua Security).

HOWTO: kube-bench

kube-bench is a tool that checks whether Kubernetes is deployed securely by running the checks documented in the CIS Kubernetes Benchmark.

There are multiple ways to run kube-bench:

Install it via a package manager

$ wget https://github.com/aquasecurity/kube-bench/releases/download/v0.10.2/kube-bench_0.10.2_linux_amd64.deb
$ sudo dpkg -i kube-bench_0.10.2_linux_amd64.deb
Selecting previously unselected package kube-bench.
(Reading database ... 41333 files and directories currently installed.)
Preparing to unpack kube-bench_0.10.2_linux_amd64.deb ...
Unpacking kube-bench (0.10.2) ...
Setting up kube-bench (0.10.2) ...
$ kube-bench version
0.10.2

Run as a job in the Kubernetes Cluster

$ kubectl apply -f https://raw.githubusercontent.com/aquasecurity/kube-bench/main/job.yaml
job.batch/kube-bench created
$ kubectl get pods
NAME               READY   STATUS      RESTARTS   AGE
kube-bench-n22k9   0/1     Completed   0          96s
$ kubectl logs kube-bench-n22k9 | head -n 20
[INFO] 1 Control Plane Security Configuration
[INFO] 1.1 Control Plane Node Configuration Files
[PASS] 1.1.1 Ensure that the API server pod specification file permissions are set to 600 or more restrictive (Automated)
[PASS] 1.1.2 Ensure that the API server pod specification file ownership is set to root:root (Automated)
[PASS] 1.1.3 Ensure that the controller manager pod specification file permissions are set to 600 or more restrictive (Automated)
[PASS] 1.1.4 Ensure that the controller manager pod specification file ownership is set to root:root (Automated)
[PASS] 1.1.5 Ensure that the scheduler pod specification file permissions are set to 600 or more restrictive (Automated)
[PASS] 1.1.6 Ensure that the scheduler pod specification file ownership is set to root:root (Automated)

OUTPUT TRIMMED
$ kubectl logs kube-bench-n22k9 | tail -n 20
OUTPUT TRIMMED

5.7.3 Follow the Kubernetes documentation and apply SecurityContexts to your Pods. For a
suggested list of SecurityContexts, you may refer to the CIS Security Benchmark for Docker
Containers.

5.7.4 Ensure that namespaces are created to allow for appropriate segregation of Kubernetes
resources and that all new resources are created in a specific namespace.


== Summary policies ==
0 checks PASS
6 checks FAIL
29 checks WARN
0 checks INFO

== Summary total ==
57 checks PASS
19 checks FAIL
54 checks WARN
0 checks INFO
  • Just check the logs of the pod for all the recommendations. The logs are split into sections for the different Kubernetes components such as the control plane, etcd, worker nodes, policies, etc.
  • At the end of each section you see statistics for the checks in that section, and at the very end of the logs a quick summary of the totals (as shown above). The node section, for example, ends with:
== Summary node ==
14 checks PASS
2 checks FAIL
8 checks WARN
0 checks INFO

Run as a docker container

docker run --rm --net host --pid host --user 0 \
  -v /etc:/etc:ro \
  -v /var:/var:ro \
  -v /usr/bin:/usr/bin:ro \
  -v /usr/lib:/usr/lib:ro \
  aquasec/kube-bench:latest --benchmark cis-1.24
  • You can change the benchmark version based on your requirement; 1.24 is the latest one.
  • More details about the versions can be found here: https://github.com/aquasecurity/kube-bench/tree/main/cfg
  • For this as well, just check the logs of the container; you will find the same results as described in the earlier section.
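To act on the results rather than reading the logs by eye, here is an added example (not part of kube-bench or this post) of a small shell gate for the plain-text report that both the Job and the container variants write to their logs: it lists every failing check ID with its section, prints a tally, and exits non-zero when any check failed, so it can end a CI or audit step. The check texts in the embedded sample report are constructed and abbreviated.

```shell
#!/usr/bin/env bash
# Added example, not part of kube-bench or the original post: a gate for the
# plain-text report kube-bench writes to the pod or container logs shown above.
# It lists every [FAIL] check with the subsection it belongs to, prints a tally
# and returns 1 when any check failed, so it can end a CI or audit step.
# WARN results are counted but do not trip the gate: most of them are manual
# recommendations that need a human decision rather than an automated fix.

kube_bench_gate() {
  awk '
    # "[INFO] 1.1 Control Plane Node Configuration Files" names the subsection
    # the following checks belong to (top-level "[INFO] 1 ..." lines as well).
    /^\[INFO\] [0-9]+(\.[0-9]+)? / { section = $0; sub(/^\[INFO\] /, "", section); next }
    /^\[PASS\] / { pass++; next }
    /^\[WARN\] / { warn++; next }
    /^\[FAIL\] / { fail++; print "FAIL " $2 "  in  " section; next }
    # "== Summary total ==" is followed by "<n> checks FAIL": keep the reported
    # count so a truncated or mangled log can be spotted.
    /^== Summary total ==/ { in_total = 1; next }
    in_total && /^[0-9]+ checks FAIL$/ { reported_fail = $1; in_total = 0 }
    END {
      printf "pass=%d fail=%d warn=%d\n", pass, fail, warn
      if (reported_fail != "" && reported_fail + 0 != fail)
        printf "note: summary reports %d FAIL but %d FAIL lines were seen\n", reported_fail, fail
      exit (fail > 0)
    }'
}

# Constructed sample report: same shape as the kube-bench output above, texts abbreviated.
SAMPLE_REPORT='[INFO] 1 Control Plane Security Configuration
[INFO] 1.1 Control Plane Node Configuration Files
[PASS] 1.1.1 Ensure that the API server pod specification file permissions are set to 600 or more restrictive (Automated)
[FAIL] 1.1.9 Ensure that the CNI file permissions are set to 600 or more restrictive (Manual)
[WARN] 1.1.10 Ensure that the CNI file ownership is set to root:root (Manual)
[INFO] 1.2 API Server
[FAIL] 1.2.1 Ensure that the --anonymous-auth argument is set to false (Manual)

== Summary total ==
1 checks PASS
2 checks FAIL
1 checks WARN
0 checks INFO'

# Stand-alone demo; against a real cluster pipe the report in instead:
#   kubectl logs kube-bench-n22k9 | kube_bench_gate
if printf '%s\n' "$SAMPLE_REPORT" | kube_bench_gate; then
  echo "gate: no failing checks"
else
  echo "gate: failing checks present, see list above"
fi
```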

This is what the remediation steps look like:

== Remediations master ==
1.1.9 Run the below command (based on the file location on your system) on the control plane node.
For example, chmod 600 <path/to/cni/files>

1.1.11 On the etcd server node, get the etcd data directory, passed as an argument --data-dir,
from the command 'ps -ef | grep etcd'.
Run the below command (based on the etcd data directory found above). For example,
chmod 700 /var/lib/etcd

1.1.12 On the etcd server node, get the etcd data directory, passed as an argument --data-dir,
from the command 'ps -ef | grep etcd'.
Run the below command (based on the etcd data directory found above).
For example, chown etcd:etcd /var/lib/etcd

1.1.19 Run the below command (based on the file location on your system) on the control plane node.
For example,
chown -R root:root /etc/kubernetes/pki/

Feel free to add your thoughts and experiences, Happy Learning! 😄