Kubernetes CKS exam tips - Kube bench
Published On: 2022/04/20
kube-bench is an opensource go-lang application contributed by aquasecurity to check the secure deployment of the kubernetes. kube-bench implements the CIS Kubernetes Benchmark, so that running the kube-bench command gives us a detailed report on CIS kubernetes best practice recommendations.
Install & Run Kube-Bench
We could install kube-bench different ways such as installing the binary directly in the node or run it as a container.
- Run binary directly in the node
$ wget https://github.com/aquasecurity/kube-bench/releases/download/v0.6.6/kube-bench_0.6.6_linux_amd64.tar.gz $ tar -xvf kube-bench_0.6.6_linux_amd64.tar.gz
The configurations to run the test are placed in cfg folder. We could edit the cfg/config.yaml to match our configuration needs.
Since kube-bench needs to access config files of the system, it needs root access to run the test.
- Running inside a container
We could avoid installing kube-bench inside the host machine by running it inside a container using the host PID namespace and mounting /etc and /var directories so that kube-bench could analyze the configuration and other files located in the host machine.
docker run --pid=host -v /etc:/etc:ro -v /var:/var:ro -v $(which kubectl):/usr/local/mount-from-host/bin/kubectl -v ~/.kube:/.kube -e KUBECONFIG=/.kube/config -t aquasec/kube-bench:latest
- Running in a Kubernetes cluster
We could run kube-bench inside kubernetes cluster provided it has access to the host’s PID namespace.
$ kubectl apply -f job.yaml
job.batch/kube-bench created
$ kubectl get pods
NAME READY STATUS RESTARTS AGE
kube-bench-myk76 0/1 Completed 0 13s
#The results are held in the pod's logs
kubectl logs kube-bench-myk76
[INFO] 1 Master Node Security Configuration
[INFO] 1.1 API Server
...
To run tests on the master node the pod yaml should have the nodeSelector and toleration configured so that the scheduler could schedule it on the master node.
kube-bench in CKS exam
- Learn the location of kubernetes manifest files and the configuration files related to kubelet.
- Read the kube-bench scan results and the resolutions provided for the failed cases.
- Read the question to make the necessary changes in the kubelet or kubernetes manifest files.
Conclusion
The kube-bench scan result gives status of each CIS benchmark check list items. The recommendations provided in the scan result should be considered and necessary changes should be made in the configuration to reduce the attack surface.