Kubernetes is extremely flexible. With this flexibility comes a great deal of complexity if you want to set up Kubernetes to run securely. There are literally hundreds of options, so how could you possibly decide which parameters to tune, and to what values, to secure your Kubernetes cluster?

The CIS Kubernetes Benchmarks

Luckily, you do not have to. The Center for Internet Security has defined a set of best practices they call the CIS Kubernetes Benchmarks. These cover everything from RBAC to encryption, and check many different aspects of your Kubernetes configuration. Additionally, they have been tuned to work with on-premises as well as managed cloud Kubernetes offerings (though for managed cloud providers, not all of the parameters are within your control).

Nonetheless, these are the established best practices around how to securely run and manage a Kubernetes Cluster. 

About Kube Bench

An open source tool called Kube Bench has been created to validate whether your cluster is compliant. This tool connects to your Kubernetes API as an administrator and then runs a battery of automated tests against it, verifying each individual benchmark item. It then provides a report at the end such as the one below that lists every benchmark and whether you were compliant with that benchmark or not. 

It can output on the console, in JSON, or in HTML. If you output as JSON or HTML, it can provide you with more details about the individual benchmark item as well as details on fixing the item. 

Running Kube Bench

Typically, you run Kube Bench using Docker or as a Kubernetes Job. The key point is that it needs admin access, because it will essentially hit as many Kubernetes APIs as it can.

You can run it against a cluster using the following one-liner… 

git clone https://github.com/aquasecurity/kube-bench.git && kubectl apply -f kube-bench/job.yaml

We recommend you review the documentation before running it, because several variants of job.yaml are available depending on how your cluster is configured. You may also need to grant it access using a service account, cluster role, and cluster role binding (note: if you are installing using M9sweeper, we have a way to fast-track that with our Helm charts).

Integrating with M9sweeper

If you are using M9sweeper, you can find Kube Bench in the left navigation after selecting a cluster. It will walk you through setting up a daily Cron Job. 

We recommend running Kube Bench every day and tracking the results over time to determine whether new issues have appeared. This is, in effect, an ongoing security assessment for your organization!
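One practical way to do that day-to-day tracking is to keep each JSON report and diff the newest one against the previous run, so only checks that newly fail (or regress to WARN) are raised, together with the remediation text kube-bench attaches to them. The script below is an added example, not code from kube-bench or M9sweeper; it assumes kube-bench's JSON layout (a `Controls` list, each with `tests` and `results`, each result carrying `test_number`, `test_desc`, `status` and `remediation`) and uses two constructed sample reports whose check numbers and texts are illustrative only.

```python
import json
from typing import Any

# Constructed sample reports (not real cluster output), trimmed to the fields
# this script reads. Field names assume kube-bench's JSON output layout.
YESTERDAY = json.dumps({"Controls": [{"id": "1", "text": "Control Plane Components", "tests": [
    {"section": "1.2", "desc": "API Server", "results": [
        {"test_number": "1.2.1", "test_desc": "Ensure that the --anonymous-auth argument is set to false",
         "status": "PASS", "remediation": "Set --anonymous-auth=false on the API server."},
        {"test_number": "1.2.16", "test_desc": "Ensure that the --audit-log-path argument is set",
         "status": "FAIL", "remediation": "Set --audit-log-path to a log file."}]}]}]})

TODAY = json.dumps({"Controls": [{"id": "1", "text": "Control Plane Components", "tests": [
    {"section": "1.2", "desc": "API Server", "results": [
        {"test_number": "1.2.1", "test_desc": "Ensure that the --anonymous-auth argument is set to false",
         "status": "FAIL", "remediation": "Set --anonymous-auth=false on the API server."},
        {"test_number": "1.2.16", "test_desc": "Ensure that the --audit-log-path argument is set",
         "status": "PASS", "remediation": "Set --audit-log-path to a log file."}]}]}]})


def load_results(report: str) -> dict[str, dict[str, Any]]:
    """Flatten a kube-bench JSON report into {test_number: result}.

    Older kube-bench releases emit a bare list of controls while newer ones wrap
    it in {"Controls": [...]}; both shapes are accepted (assumption, verify for your version).
    """
    data = json.loads(report)
    controls = data["Controls"] if isinstance(data, dict) else data
    flat: dict[str, dict[str, Any]] = {}
    for control in controls:
        for test in control.get("tests", []):
            for result in test.get("results", []):
                flat[result["test_number"]] = result
    return flat


def new_failures(previous: str, current: str) -> list[dict[str, str]]:
    """Checks that are FAIL/WARN in the current run but were not in the previous one."""
    bad = {"FAIL", "WARN"}
    before, after = load_results(previous), load_results(current)
    regressions = []
    for number, result in sorted(after.items()):
        old_status = before.get(number, {}).get("status", "NEW")  # NEW: check absent last run
        if result["status"] in bad and old_status not in bad:
            regressions.append({"test_number": number, "desc": result["test_desc"],
                                "was": old_status, "now": result["status"],
                                "remediation": result["remediation"]})
    return regressions


if __name__ == "__main__":
    for r in new_failures(YESTERDAY, TODAY):
        print(f"{r['test_number']} {r['now']} (was {r['was']}): {r['desc']}\n  fix: {r['remediation']}")
```

A check that was already failing yesterday is deliberately not reported again, so the daily output stays focused on what changed; a still-open finding is handled by whatever ticket was raised when it first appeared.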

Conclusion

The Center for Internet Security has done the hard work of figuring out how to securely run Kubernetes. Kube Bench is a wonderful, free tool for comparing your configuration to the established best practices. It is easy to run and even advises on how to secure your cluster.

Stay tuned for more Kubernetes security training!