[Cloud native-K8s] Installation and use of the Kubernetes security component kube-bench (CIS benchmark)

Basic introduction

  • To keep clusters and containerised applications secure, Kubernetes provides a range of security mechanisms that restrict what containers can do, reduce the attack surface of containers and of the cluster, and protect the system as a whole. Whether those mechanisms are actually switched on in a given cluster is a configuration question, and that is what a benchmark scan answers.
  • The Center for Internet Security (CIS) is a non-profit organisation that publishes consensus-based security configuration benchmarks, including one for Kubernetes.
  • Official website: https://www.cisecurity.org/
  • K8s security benchmark: https://www.cisecurity.org/benchmark/kubernetes

kube-bench introduction

  • kube-bench is a tool from the container security vendor Aqua Security. It uses the CIS Kubernetes Benchmark as its basis to check whether a cluster is deployed securely.
  • It mainly looks for insecure configuration parameters, sensitive file permissions, insecure accounts and exposed ports, among other things.
  • Open source address: https://github.com/aquasecurity/kube-bench
  • Binary package download address: https://github.com/aquasecurity/kube-bench/releases
  • Download the build that matches your platform (this article uses v0.6.19 for linux/amd64).

kube-bench download

Baidu network disk download

Link: https://pan.baidu.com/s/17AGxkwTDUkiDYSSZpPu45A?pwd=vqew
Extraction code: vqew

A file re-shared through a network disk is not signed by the project. Prefer the GitHub release, and in either case compare the tarball's SHA-256 with the checksums file published alongside it on the release page before installing.

wget download
wget https://github.com/aquasecurity/kube-bench/releases/download/v0.6.19/kube-bench_0.6.19_linux_amd64.tar.gz

kube-bench installation

  • Extract the archive
tar -zxf kube-bench_0.6.19_linux_amd64.tar.gz
  • Create the default configuration path
mkdir -p /etc/kube-bench
  • Move the benchmark definitions (the cfg directory) to the default location
mv cfg /etc/kube-bench/cfg
  • Put the binary on the PATH so it can be run as a system command
mv kube-bench /usr/bin/
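Because the download section offers a network-disk mirror as well as the GitHub release, the four steps above are worth wrapping in a script that refuses a tarball whose SHA-256 does not match the release's checksum list. The following is an added example written for this article, not code from the kube-bench project. It assumes the checksums file has one "<sha256>  <filename>" line per asset and that the tarball holds kube-bench and cfg/ at its top level; the install paths are parameters so the script can be tried in a scratch directory first.

```shell
#!/bin/sh
# Added example for this article, not code from the kube-bench project:
# verify a downloaded release tarball against the release's checksum list,
# then install it the way the steps above do (binary to /usr/bin, cfg/ to
# /etc/kube-bench/cfg). Paths are parameters so it can be tried in a
# scratch directory first.
#
# Assumptions (not stated on the page): the checksum file has one
# "<sha256>  <filename>" entry per line, and the tarball holds "kube-bench"
# and "cfg/" at its top level.
set -eu

# verify_checksum TARBALL CHECKSUMS
#   Returns 0 when TARBALL's SHA-256 equals the entry recorded for its file
#   name in CHECKSUMS; 1 when the entry is missing or does not match.
verify_checksum() {
    tarball=$1; sums=$2
    name=$(basename "$tarball")
    expected=$(awk -v f="$name" '$2 == f { print $1; exit }' "$sums")
    if [ -z "$expected" ]; then
        echo "no checksum entry for $name in $sums" >&2
        return 1
    fi
    actual=$(sha256sum "$tarball" | awk '{ print $1 }')
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $name: got $actual, want $expected" >&2
        return 1
    fi
    return 0
}

# install_kube_bench TARBALL BINDIR CFGROOT
#   Extracts TARBALL into a scratch directory, refuses archives that do not
#   have the expected layout, keeps any previous cfg/ as a timestamped
#   backup, and installs the binary and the cfg/ tree.
install_kube_bench() {
    tarball=$1; bindir=$2; cfgroot=$3
    tmp=$(mktemp -d)
    tar -xzf "$tarball" -C "$tmp"
    if [ ! -f "$tmp/kube-bench" ] || [ ! -d "$tmp/cfg" ]; then
        echo "unexpected archive layout: need kube-bench and cfg/ at top level" >&2
        rm -rf "$tmp"
        return 1
    fi
    mkdir -p "$bindir" "$cfgroot"
    if [ -d "$cfgroot/cfg" ]; then
        mv "$cfgroot/cfg" "$cfgroot/cfg.bak.$(date +%Y%m%d%H%M%S)"
    fi
    mv "$tmp/cfg" "$cfgroot/cfg"
    cp "$tmp/kube-bench" "$bindir/kube-bench"
    chmod 0755 "$bindir/kube-bench"
    rm -rf "$tmp"
    return 0
}

# Usage: sh install-kube-bench.sh TARBALL CHECKSUMS [BINDIR] [CFGROOT]
if [ $# -ge 2 ]; then
    verify_checksum "$1" "$2"
    install_kube_bench "$1" "${3:-/usr/bin}" "${4:-/etc/kube-bench}"
    echo "installed kube-bench into ${3:-/usr/bin}; definitions under ${4:-/etc/kube-bench}/cfg"
fi
```

Run it as sh install-kube-bench.sh kube-bench_0.6.19_linux_amd64.tar.gz kube-bench_0.6.19_checksums.txt after downloading both files from the same release page; a mismatching or missing checksum entry stops the script before anything is written to /usr/bin or /etc/kube-bench.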

kube-bench use

Basic parameters

  • Run the tests with kube-bench run. The command's common parameters are:

  • --targets: the targets to test, comma-separated (for example --targets=master,etcd). The targets defined in the default configuration are master, controlplane, node, etcd and policies.

  • --version: the Kubernetes version to test against. If it is not given, kube-bench detects the version from the cluster automatically.

  • --benchmark: the CIS benchmark version to use (for example cis-1.7). It cannot be combined with --version, because the benchmark version is otherwise derived from the Kubernetes version.

  • View help information

kube-bench --help

Interpretation of configuration information

  • The benchmark definitions live under /etc/kube-bench/cfg, one subdirectory per benchmark version (cis-1.23, cis-1.7, ...); config.yaml in that directory maps Kubernetes versions to benchmark versions.
  • This version uses cis-1.7 by default
  • It also ships benchmarks for other cloud vendors' Kubernetes distributions, for example ack-1.0 for Alibaba Cloud Container Service for Kubernetes (ACK).

Example

  • Check the security configuration of the master (control plane) components
kube-bench run --targets=master

Repair suggestions

  • Below the results, kube-bench prints a "Remediations" section: one entry per failed check, keyed by check ID, giving the change that makes the check pass.

Fix a finding [1.2.18]

  • Finding
[FAIL] 1.2.18 Ensure that the --profiling argument is set to false (Automated)
  • Repair suggestion
1.2.18 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
on the control plane node and set the below parameter.
--profiling=false
  • Edit kube-apiserver.yaml and add --profiling=false to the kube-apiserver command list. The CIS rationale is that profiling output reveals program and system internals that could help an attacker, so it should only be enabled while a performance problem is actually being investigated.
  • No separate restart step is needed: kube-apiserver runs as a static pod, and the kubelet recreates it as soon as the manifest file under /etc/kubernetes/manifests changes. Before re-scanning, confirm the flag is on the running process, which is also what the check's audit command looks at:
ps -ef | grep kube-apiserver | grep -- --profiling
  • Check IDs belong to a benchmark version; the same profiling check can carry a different number under another cis-* directory.
  • Re-run the scan: 1.2.18 now reports [PASS].
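Editing a static pod manifest by hand has two traps: the kubelet acts on the file the moment it changes, and a second edit can leave two copies of the flag in the command list. The following is an added example written for this article, not code from the page or from kube-bench, that applies the 1.2.18 remediation idempotently. It assumes the manifest is laid out like the one kubeadm writes, with a command: list whose first item is - kube-apiserver followed by - --flag=value items (the space-separated --profiling false form is not handled), and it assumes the kubelet ignores dot-files in the manifest directory, which is why the rewritten file is staged as a dot-file beside the manifest and then renamed into place.

```shell
#!/bin/sh
# Added example for this article, not code from the page or from kube-bench:
# put --profiling=false into the kube-apiserver static pod manifest, which is
# the remediation for the profiling check above, in a way that is safe to
# re-run.
#
# Assumptions (not stated on the page): the manifest is laid out like the
# one kubeadm writes, with a "command:" list whose first item is
# "- kube-apiserver" and whose other items are "- --flag=value" lines; the
# space-separated "--profiling false" form is not handled. The rewritten
# file is staged as a dot-file in the same directory (the kubelet ignores
# dot-files when scanning the manifest directory) and moved into place with
# one rename, so the kubelet, which recreates the static pod as soon as the
# manifest changes, never sees a half-written file.
set -eu

# profiling_state MANIFEST -> prints the value of --profiling, or "absent"
# (a bare "--profiling" item means true for a boolean flag)
profiling_state() {
    awk '
        /^[ \t]*-[ \t]*--profiling[ \t]*$/ { print "true"; found = 1; exit }
        /^[ \t]*-[ \t]*--profiling=/ {
            sub(/^[ \t]*-[ \t]*--profiling=/, ""); print; found = 1; exit
        }
        END { if (!found) print "absent" }
    ' "$1"
}

# ensure_profiling_off MANIFEST
#   Rewrites MANIFEST so the kube-apiserver command carries exactly one
#   --profiling=false. Returns 1 (and leaves the file alone) when no
#   "- kube-apiserver" command line is found.
ensure_profiling_off() {
    manifest=$1
    dir=$(dirname "$manifest")
    tmp=$(mktemp "$dir/.kube-apiserver.XXXXXX")
    if awk '
        # an existing --profiling item: rewrite it to false, or drop a duplicate
        /^[ \t]*-[ \t]*--profiling([ \t]*$|=)/ {
            if (seen) next
            indent = $0; sub(/-.*$/, "", indent)
            print indent "- --profiling=false"; seen = 1; next
        }
        # the executable name: print it, and add the flag right after it if missing
        /^[ \t]*-[ \t]*kube-apiserver[ \t]*$/ {
            print; cmd = 1
            if (!seen) {
                indent = $0; sub(/-.*$/, "", indent)
                print indent "- --profiling=false"; seen = 1
            }
            next
        }
        { print }
        END { if (!cmd) exit 1 }
    ' "$manifest" > "$tmp"; then
        mv -f "$tmp" "$manifest"
        return 0
    fi
    rm -f "$tmp"
    echo "no kube-apiserver command found in $manifest" >&2
    return 1
}

# Usage: sh apiserver-profiling-off.sh /etc/kubernetes/manifests/kube-apiserver.yaml
if [ $# -eq 1 ]; then
    ensure_profiling_off "$1"
    echo "--profiling in $1 is now: $(profiling_state "$1")"
fi
```

The same pattern (normalise an existing flag, insert after the executable name, drop duplicates, rename into place) applies to the other command-line checks in the API server, controller manager and scheduler sections; only the flag and the executable name change.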

Result explanation

  • [PASS]: the check passed
  • [FAIL]: the check failed; these are the items to focus on, and a remediation is printed for each
  • [WARN]: the check could not be decided automatically (manual checks, non-scored checks, or checks whose audit command could not run); review it by hand
  • [INFO]: informational only (section headers and checks marked as skipped)
  • Apply the remediations that fit your environment; not every FAIL has to be fixed as-is, but each one left open should be a recorded decision.
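The four statuses map naturally onto a CI gate: PASS and INFO are fine, WARN needs a human, FAIL blocks unless it has been reviewed. The following is an added example written for this article, not code from the page or from kube-bench. It reads the text report that kube-bench run prints, counts real checks (IDs of the form x.y.z, so the [INFO] section-header lines are not counted), and fails unless every FAIL ID appears in an allowlist file of accepted findings. The report used in the test is constructed from the result lines shown on this page.

```shell
#!/bin/sh
# Added example for this article, not code from the page or from kube-bench:
# read the text report that "kube-bench run" prints and use it as a CI gate.
# Per-check results are lines such as "[FAIL] 1.2.18 Ensure that ..."; the
# "[INFO] 1 ..." and "[INFO] 1.2 ..." lines are section headers, not checks,
# and are not counted. An allowlist file (one check ID per line, "#" starts
# a comment) records FAIL results that have been reviewed and accepted, so
# the gate only trips on new or unreviewed failures.
set -eu

# check_counts REPORT -> "PASS=<n> FAIL=<n> WARN=<n> INFO=<n>" over real checks
check_counts() {
    awk '
        /^\[(PASS|FAIL|WARN|INFO)\] [0-9]+\.[0-9]+\.[0-9]+ / {
            status = substr($1, 2, length($1) - 2)
            n[status]++
        }
        END { printf "PASS=%d FAIL=%d WARN=%d INFO=%d\n", n["PASS"], n["FAIL"], n["WARN"], n["INFO"] }
    ' "$1"
}

# failed_ids REPORT -> the ID of every FAIL result, one per line, in report order
failed_ids() {
    awk '/^\[FAIL\] [0-9]+\.[0-9]+\.[0-9]+ / { print $2 }' "$1"
}

# gate REPORT ALLOWLIST
#   Returns 0 when every FAIL in REPORT is listed in ALLOWLIST, otherwise
#   prints the unaccepted IDs to stderr and returns 1. Pass /dev/null as
#   ALLOWLIST to accept nothing.
gate() {
    report=$1; allow=$2
    unaccepted=$(failed_ids "$report" | awk -v allowfile="$allow" '
        BEGIN {
            while ((getline line < allowfile) > 0) {
                sub(/#.*/, "", line); gsub(/[ \t]/, "", line)
                if (line != "") accepted[line] = 1
            }
        }
        !($1 in accepted) { print $1 }
    ')
    if [ -n "$unaccepted" ]; then
        echo "unaccepted FAIL results (fix them, or add them to $allow with a reason):" >&2
        echo "$unaccepted" >&2
        return 1
    fi
    return 0
}

# Usage: kube-bench run --targets=master > report.txt
#        sh gate.sh report.txt accepted.txt
if [ $# -ge 1 ]; then
    check_counts "$1"
    gate "$1" "${2:-/dev/null}"
fi
```

Keeping the allowlist in the same repository as the cluster configuration, with a comment per ID, turns "we decided not to fix this" into something reviewable rather than a silent omission.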

kube-bench: skipping a check

  • Not every finding kube-bench reports has to be fixed; some are accepted risks or do not apply to the environment. To skip one, edit the check's definition in kube-bench's configuration files.

Check definition

[FAIL] 1.4.1 Ensure that the --profiling argument is set to false (Automated)
  • Edit master.yaml in the /etc/kube-bench/cfg/cis-1.23 directory (use the subdirectory of the benchmark version your cluster is scanned with)
  • Find the definition of 1.4.1. Note that 1.4.1 is the kube-scheduler variant of the profiling check (its audit command greps for $schedulerbin), not the API server check 1.2.18 fixed above
      - id: 1.4.1
        text: "Ensure that the --profiling argument is set to false (Automated)"
        audit: "/bin/ps -ef | grep $schedulerbin | grep -v grep"
        tests:
          test_items:
            - flag: "--profiling"
              compare:
                op: eq
                value: false
        remediation: |
          Edit the Scheduler pod specification file $schedulerconf file
          on the control plane node and set the below parameter.
          --profiling=false
        scored: true

Check definition fields

  • id: the check number
  • text: the description printed next to the result
  • audit: the command whose output the check is evaluated against
  • tests: the test items applied to the audit output (here: the --profiling flag must equal false)
  • remediation: the fix printed for a FAIL
  • scored: if true, a check that fails, or whose audit cannot run, is reported as FAIL; if false, it is reported as WARN
  • type: if "manual", the check is reported as WARN; if "skip", it is reported as INFO

Reporting the check as INFO

  • Add type: "skip" to the check's definition. The text field was also changed here so that the modified definition can be told apart from the stock one in the scan output.
  • Modified yaml
      - id: 1.4.1
        text: "Ensure zhangzihao that the --profiling argument is set to false (Automated)"
        audit: "/bin/ps -ef | grep $schedulerbin | grep -v grep"
        tests:
          test_items:
            - flag: "--profiling"
              compare:
                op: eq
                value: false
        remediation: |
          Edit the Scheduler pod specification file $schedulerconf file
          on the control plane node and set the below parameter.
          --profiling=false
        scored: true
        type: "skip"
  • Re-run the scan: 1.4.1 is now reported as [INFO] instead of [FAIL].
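Editing /etc/kube-bench/cfg in place has a cost: the next reinstall or upgrade replaces cfg/ and silently revives the check. The following is an added example written for this article, not code from the page or from kube-bench, that applies the same type: "skip" edit to a private copy of the definitions, which is then passed to kube-bench with its --config-dir option. It assumes, as in the cfg files shipped with kube-bench, that each check is a YAML list item starting with a "- id: <ID>" line and running to the next "- id:" line; an existing type: key inside that item is replaced.

```shell
#!/bin/sh
# Added example for this article, not code from the page or from kube-bench:
# mark a check as skipped in a private copy of the benchmark definitions
# rather than in /etc/kube-bench/cfg itself, so that reinstalling or
# upgrading kube-bench (which replaces cfg/) does not quietly undo the
# decision. Point kube-bench at the copy with its --config-dir option.
#
# Assumption (not stated on the page): in the definition files each check is
# a YAML list item that begins with a "- id: <ID>" line and extends to the
# next "- id:" line, which is how the cfg files shipped with kube-bench are
# written. Any existing "type:" key in that item is replaced.
set -eu

# copy_cfg SRC DST -> replace DST with a fresh copy of the cfg tree SRC
copy_cfg() {
    rm -rf "$2"
    mkdir -p "$(dirname "$2")"
    cp -R "$1" "$2"
}

# skip_check CFGDIR BENCHMARK ID
#   Adds type: "skip" to check ID in whichever CFGDIR/BENCHMARK/*.yaml
#   defines it (master.yaml, node.yaml, ...). Prints the file changed and
#   returns 0; returns 1 when no file defines the ID.
skip_check() {
    cfgdir=$1; bench=$2; id=$3
    for f in "$cfgdir/$bench"/*.yaml; do
        [ -f "$f" ] || continue
        # exact match on the fields of the "- id:" line, so 1.4.1 does not hit 1.4.10
        awk -v id="$id" '$1 == "-" && $2 == "id:" && $3 == id { found = 1 } END { exit !found }' "$f" || continue
        tmp=$(mktemp)
        awk -v id="$id" '
            # the wanted item: print its id line, then the type key right after it
            $1 == "-" && $2 == "id:" && $3 == id {
                match($0, /^[ \t]*/)
                keyindent = substr($0, 1, RLENGTH) "  "
                print
                print keyindent "type: \"skip\""
                inblock = 1
                next
            }
            # any other item starts: we are out of the wanted block
            $1 == "-" && $2 == "id:" { inblock = 0 }
            # an old type: key in the wanted block is superseded by the one above
            inblock && $1 == "type:" { next }
            { print }
        ' "$f" > "$tmp"
        mv "$tmp" "$f"
        echo "$f"
        return 0
    done
    echo "check $id not found under $cfgdir/$bench" >&2
    return 1
}

# Usage: copy_cfg /etc/kube-bench/cfg /opt/kube-bench/cfg   (once)
#        sh skip-check.sh /opt/kube-bench/cfg cis-1.23 1.4.1
#        kube-bench run --config-dir /opt/kube-bench/cfg --benchmark cis-1.23
if [ $# -eq 3 ]; then
    skip_check "$1" "$2" "$3"
fi
```

Because the edit is exact on the id fields, the script can be re-run after every cfg refresh; running it twice on the same ID leaves a single type: "skip" line.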


Origin blog.csdn.net/u010800804/article/details/134136081