Basic introduction
- To protect clusters and the container workloads running on them, Kubernetes provides a variety of security mechanisms that restrict container behaviour, reduce the attack surface of containers and the cluster, and keep the system as a whole secure.
- The Center for Internet Security (CIS) is a non-profit organization that publishes free security configuration guidance (benchmarks) for widely used systems.
- Official website: https://www.cisecurity.org/
- CIS Kubernetes Benchmark: https://www.cisecurity.org/benchmark/kubernetes
kube-bench introduction
- Kube-bench is a tool from the container security vendor Aqua Security. It uses the CIS Kubernetes Benchmark as its reference and checks whether a Kubernetes deployment follows it.
- It mainly looks for insecure configuration parameters, overly permissive permissions on sensitive files, insecure accounts, exposed ports, and similar issues.
- Open source address:https://github.com/aquasecurity/kube-bench
- Binary package download address:https://github.com/aquasecurity/kube-bench/releases
- Please download the corresponding version according to your needs
kube-bench download
Baidu network disk download
Link: https://pan.baidu.com/s/17AGxkwTDUkiDYSSZpPu45A?pwd=vqew
Extraction code: vqew
wget download
wget https://github.com/aquasecurity/kube-bench/releases/download/v0.6.19/kube-bench_0.6.19_linux_amd64.tar.gz
kube-bench installation
- Unzip
tar -zxf kube-bench_0.6.19_linux_amd64.tar.gz
- Create default configuration path
mkdir -p /etc/kube-bench
- Copy the configuration file to the default directory
mv cfg /etc/kube-bench/cfg
- Set as system command
mv kube-bench /usr/bin/
kube-bench use
Basic parameters
- Use kube-bench run to perform a scan. The command has the following common parameters:
- --targets: specifies the targets to test. The default targets are: master, controlplane, node, etcd, policies
- --version: specifies the Kubernetes version. If not specified, it is detected automatically.
- --benchmark: manually specifies the CIS benchmark version; cannot be used together with --version
View help information
kube-bench --help
Interpretation of configuration information
- The configuration lives in the directory /etc/kube-bench/cfg
- This version uses cis-1.7 by default
- It also ships benchmarks for other cloud vendors' distributions, for example ack-1.0 for Alibaba Cloud Container Service for Kubernetes (ACK)
Example
- Check the master component security configuration
kube-bench run --targets=master
Repair suggestions
Fix a security finding [1.2.18]
- Security finding
[FAIL] 1.2.18 Ensure that the --profiling argument is set to false (Automated)
- Repair suggestion
1.2.18 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
on the control plane node and set the below parameter.
--profiling=false
- Edit kube-apiserver.yaml and add --profiling=false
- After modification, the kubelet recreates the kube-apiserver static pod with the new flags.
- Re-run the scan to confirm that the check now passes
Result explanation
- [PASS]: Test passed
- [FAIL]: Test failed; pay attention to these, as a repair suggestion is given for each failed test.
- [WARN]: Warning; be aware of it and decide whether action is needed
- [INFO]: Informational only
- Carry out the actual repair measures based on your environment and the recommended repair plan.
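When a scan produces many findings it helps to separate the states above mechanically and pair each FAIL with its remediation text. The following Python script is an added example, not part of the original page or of the kube-bench project: it parses a constructed excerpt in the shape of kube-bench's text output (the result lines, the "== Remediations ==" section and the "== Summary ==" block) and returns counts per state plus a triage list of failed checks with their fixes.

```python
import re
from collections import Counter

# Constructed excerpt in the shape of `kube-bench run --targets=master` text
# output. The check texts are illustrative; only 1.2.18 is taken from the page.
SAMPLE_OUTPUT = """\
[INFO] 1 Control Plane Security Configuration
[INFO] 1.2 API Server
[PASS] 1.2.1 Ensure that the --anonymous-auth argument is set to false (Manual)
[WARN] 1.2.2 Ensure that the --token-auth-file parameter is not set (Automated)
[FAIL] 1.2.18 Ensure that the --profiling argument is set to false (Automated)
[PASS] 1.2.19 Ensure that the --audit-log-path argument is set (Automated)

== Remediations master ==
1.2.2 Follow the documentation and configure alternate mechanisms for authentication.
1.2.18 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
on the control plane node and set the below parameter.
--profiling=false

== Summary master ==
2 checks PASS
1 checks FAIL
1 checks WARN
0 checks INFO
"""

# A result line: "[STATE] <id> <text>". Section headers such as
# "[INFO] 1.2 API Server" have the same shape but a shorter id.
RESULT_RE = re.compile(r"^\[(PASS|FAIL|WARN|INFO)\] (\d+(?:\.\d+)*) (.*)$")
CHECK_ID_RE = re.compile(r"^(\d+\.\d+\.\d+) (.*)$")


def parse_results(output):
    """Return {check_id: (state, text)} for individual checks (ids with
    three components); group and section headers are left out."""
    results = {}
    for line in output.splitlines():
        m = RESULT_RE.match(line)
        if m and m.group(2).count(".") == 2:
            results[m.group(2)] = (m.group(1), m.group(3))
    return results


def parse_remediations(output):
    """Return {check_id: remediation text} from the '== Remediations ==' block.
    Continuation lines (those not starting with a check id) are appended to
    the remediation of the check that precedes them."""
    remediations, current, in_section = {}, None, False
    for line in output.splitlines():
        if line.startswith("== Remediations"):
            in_section = True
            continue
        if in_section and line.startswith("== "):
            break  # next section (e.g. the summary) ends the block
        if not in_section:
            continue
        m = CHECK_ID_RE.match(line)
        if m:
            current = m.group(1)
            remediations[current] = m.group(2)
        elif current and line.strip():
            remediations[current] += "\n" + line
    return remediations


def summarize(results):
    """Count checks per state, e.g. {'PASS': 2, 'FAIL': 1, 'WARN': 1}."""
    return dict(Counter(state for state, _ in results.values()))


def _id_key(check_id):
    return tuple(int(part) for part in check_id.split("."))


def triage(output):
    """List (id, text, remediation) for every FAIL, in benchmark order."""
    results = parse_results(output)
    fixes = parse_remediations(output)
    return [
        (cid, text, fixes.get(cid, ""))
        for cid, (state, text) in sorted(results.items(), key=lambda kv: _id_key(kv[0]))
        if state == "FAIL"
    ]


if __name__ == "__main__":
    print(summarize(parse_results(SAMPLE_OUTPUT)))
    for cid, text, fix in triage(SAMPLE_OUTPUT):
        print(f"[FAIL] {cid} {text}\n  fix: {fix}\n")
```

In practice the output would be captured with `kube-bench run --targets=master > scan.txt` and the file passed to `triage()`; the summary counts can be compared against the "== Summary ==" block kube-bench prints as a sanity check on the parser.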
kube-bench skipping a finding
- Not every finding reported by kube-bench has to be fixed. To skip a check, modify the check definition in kube-bench's configuration files.
Check definition
[FAIL] 1.4.1 Ensure that the --profiling argument is set to false (Automated)
- Edit master.yaml in the directory for the benchmark version in use, e.g. /etc/kube-bench/cfg/cis-1.23
- Locate the definition of check 1.4.1
      - id: 1.4.1
        text: "Ensure that the --profiling argument is set to false (Automated)"
        audit: "/bin/ps -ef | grep $schedulerbin | grep -v grep"
        tests:
          test_items:
            - flag: "--profiling"
              compare:
                op: eq
                value: false
        remediation: |
          Edit the Scheduler pod specification file $schedulerconf file
          on the control plane node and set the below parameter.
          --profiling=false
        scored: true
Check definition YAML fields
- id: check number
- text: description shown in the result line
- audit: command whose output the test items are evaluated against
- tests: the test items (flags and comparisons) that decide pass or fail
- remediation: repair instructions printed for a failed check
- scored: if true, a failed test is reported as FAIL; if false, a failed test is reported as WARN.
- type: if set to manual, the check is reported as WARN without being run; if set to skip, it is reported as INFO.
Reporting the check as INFO
- Modified YAML
      - id: 1.4.1
        text: "Ensure zhangzihao that the --profiling argument is set to false (Automated)"
        audit: "/bin/ps -ef | grep $schedulerbin | grep -v grep"
        tests:
          test_items:
            - flag: "--profiling"
              compare:
                op: eq
                value: false
        remediation: |
          Edit the Scheduler pod specification file $schedulerconf file
          on the control plane node and set the below parameter.
          --profiling=false
        scored: true
        type: "skip"