Convert Figma logo to code with AI

aquasecurity logokube-bench

Checks whether Kubernetes is deployed according to security best practices as defined in the CIS Kubernetes Benchmark

7,006
1,217
7,006
71
View on GitHub

Top Related Projects

falcosecurity's avatar

falco

7,328

Cloud Native Runtime Security

open-policy-agent's avatar

gatekeeper

3,612

🐊 Gatekeeper - Policy Controller for Kubernetes

controlplaneio's avatar

kubesec

1,224

Security risk analysis for Kubernetes resources

kubesphere's avatar

kubesphere

14,974

The container platform tailored for Kubernetes multi-cloud, datacenter, and edge management ⎈ 🖥 ☁️

stackrox's avatar

stackrox

1,099

The StackRox Kubernetes Security Platform performs a risk analysis of the container environment, delivers visibility and runtime alerts, and provides recommendations to proactively improve security by hardening the environment.

Quick Overview

Kube-bench is an open-source tool designed to check whether Kubernetes is deployed securely by running the checks documented in the CIS Kubernetes Benchmark. It helps administrators and security professionals ensure their Kubernetes clusters adhere to security best practices and industry standards.

Pros

  • Automated security checks based on CIS Kubernetes Benchmark
  • Supports multiple Kubernetes versions and deployment types
  • Generates detailed reports with remediation suggestions
  • Easily integrable into CI/CD pipelines for continuous security monitoring

Cons

  • May require additional configuration for custom Kubernetes setups
  • Some checks may not be applicable to all environments
  • False positives can occur, requiring manual verification
  • Regular updates needed to keep up with evolving Kubernetes versions and security standards

Getting Started

To run kube-bench on your Kubernetes cluster:

  1. Install kube-bench:
kubectl apply -f https://raw.githubusercontent.com/aquasecurity/kube-bench/main/job.yaml
  1. View the results:
kubectl logs -f job.kube-bench
  1. For local installation on Linux:
curl -L https://github.com/aquasecurity/kube-bench/releases/download/v0.6.10/kube-bench_0.6.10_linux_amd64.tar.gz -o kube-bench_0.6.10_linux_amd64.tar.gz
tar -xvf kube-bench_0.6.10_linux_amd64.tar.gz
./kube-bench

Note: Replace v0.6.10 with the latest version available.

Competitor Comparisons

falcosecurity logo

falco

7,328

Cloud Native Runtime Security

Pros of Falco

  • Real-time threat detection and alerting for runtime security
  • Broader scope, monitoring system calls and container activities
  • Highly customizable rules engine for detecting complex behaviors

Cons of Falco

  • Higher resource overhead due to continuous monitoring
  • Steeper learning curve for writing custom rules
  • Requires kernel module or eBPF probe for deep system visibility

Code Comparison

Falco rule example:

- rule: Unauthorized Process
  desc: Detect unauthorized process execution
  condition: proc.name in (unauthorized_procs)
  output: "Unauthorized process started (user=%user.name command=%proc.cmdline)"
  priority: WARNING

Kube-bench check example:

- id: 1.2.1
  text: "Ensure that the --anonymous-auth argument is set to false"
  audit: "ps -ef | grep kube-apiserver | grep -v grep"
  tests:
    test_items:
    - flag: "--anonymous-auth"
      compare:
        op: eq
        value: false
  remediation: "Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set --anonymous-auth=false"

While Kube-bench focuses on static configuration checks against CIS benchmarks, Falco provides dynamic runtime security monitoring with a flexible rule system. Kube-bench is more specialized for Kubernetes security audits, while Falco offers broader system-wide security monitoring capabilities.

open-policy-agent logo

gatekeeper

3,612

🐊 Gatekeeper - Policy Controller for Kubernetes

Pros of Gatekeeper

  • Provides dynamic policy enforcement for Kubernetes clusters
  • Supports custom policies using Rego language
  • Integrates with Kubernetes admission controllers for real-time policy checks

Cons of Gatekeeper

  • Steeper learning curve due to Rego language and OPA concepts
  • Requires more setup and configuration compared to Kube-bench
  • May introduce performance overhead in large-scale deployments

Code Comparison

Kube-bench (YAML configuration):

checks:
  - id: 1.1.1
    text: "Ensure that the API server pod specification file permissions are set to 644 or more restrictive"
    audit: "stat -c %a /etc/kubernetes/manifests/kube-apiserver.yaml"
    tests:
      test_items:
        - flag: "644"
          compare:
            op: le
            value: "644"
    remediation: "chmod 644 /etc/kubernetes/manifests/kube-apiserver.yaml"

Gatekeeper (Rego policy):

package kubernetes.admissioncontrol

deny[msg] {
  input.request.kind.kind == "Pod"
  container := input.request.object.spec.containers[_]
  not container.securityContext.runAsNonRoot

  msg := sprintf("Container %v must not run as root", [container.name])
}
controlplaneio logo

kubesec

1,224

Security risk analysis for Kubernetes resources

Pros of kubesec

  • Focuses on Kubernetes manifest security, providing a more specialized analysis
  • Offers both a CLI tool and a web interface for easy accessibility
  • Provides a risk score and detailed explanations for each security issue found

Cons of kubesec

  • Less comprehensive coverage compared to kube-bench, which checks the entire Kubernetes cluster
  • May require more manual interpretation of results, as it doesn't directly map to specific benchmarks or standards

Code Comparison

kube-bench:

controls:
- id: 1
  text: "Control Plane Security Configuration"
  checks:
    - id: 1.1
      text: "Ensure that the API server pod specification file permissions are set to 644 or more restrictive"
      audit: "stat -c %a /etc/kubernetes/manifests/kube-apiserver.yaml"
      tests:
        bin_op: or
        test_items:
        - flag: "644"
        - flag: "640"
        - flag: "600"
      remediation: "Run the following command:\nchmod 644 /etc/kubernetes/manifests/kube-apiserver.yaml"

kubesec:

---
apiVersion: v1
kind: Pod
metadata:
  name: kubesec-demo
spec:
  containers:
  - name: kubesec-demo
    image: gcr.io/google-samples/node-hello:1.0
    securityContext:
      readOnlyRootFilesystem: true
      runAsNonRoot: true
      runAsUser: 10001
kubesphere logo

kubesphere

14,974

The container platform tailored for Kubernetes multi-cloud, datacenter, and edge management ⎈ 🖥 ☁️

Pros of KubeSphere

  • Comprehensive enterprise-grade container platform with a user-friendly web console
  • Provides multi-tenant management, DevOps automation, and microservices governance
  • Offers a broader set of features beyond security auditing, including monitoring and logging

Cons of KubeSphere

  • More complex setup and resource-intensive compared to kube-bench
  • Steeper learning curve due to its extensive feature set
  • May be overkill for users only seeking Kubernetes security auditing

Code Comparison

kube-bench:

controls:
- id: 1
  text: "Control Plane Components"
  checks:
    - id: 1.1
      text: "Master Node Configuration Files"
      tests:
        - bin: "test"
          check: "-e"
          arg: "/etc/kubernetes/manifests/kube-apiserver.yaml"

KubeSphere:

apiVersion: installer.kubesphere.io/v1alpha1
kind: ClusterConfiguration
metadata:
  name: ks-installer
  namespace: kubesphere-system
  labels:
    version: v3.3.0
spec:
  persistence:
    storageClass: ""
  authentication:
    jwtSecret: ""

While kube-bench focuses on security checks, KubeSphere's configuration encompasses a wider range of platform features.

stackrox logo

stackrox

1,099

The StackRox Kubernetes Security Platform performs a risk analysis of the container environment, delivers visibility and runtime alerts, and provides recommendations to proactively improve security by hardening the environment.

Pros of StackRox

  • Comprehensive security platform covering multiple aspects of container and Kubernetes security
  • Provides real-time threat detection and response capabilities
  • Offers a user-friendly interface for easier management and visualization

Cons of StackRox

  • More complex setup and configuration compared to Kube-bench
  • Requires more resources to run due to its broader feature set
  • May have a steeper learning curve for new users

Code Comparison

StackRox (Go):

func (s *Scanner) ScanImage(ctx context.Context, image string) (*storage.Image, error) {
    // Implementation for scanning container images
}

Kube-bench (Go):

func runChecks(nodetype check.NodeType, kubeCnfFile string) error {
    // Implementation for running Kubernetes benchmark checks
}

While both projects are written in Go, StackRox focuses on broader security scanning and monitoring, whereas Kube-bench specifically targets Kubernetes security benchmark checks. StackRox's codebase is likely more extensive due to its wider range of features.

StackRox offers a more comprehensive security solution for Kubernetes environments, including runtime security and compliance monitoring. Kube-bench, on the other hand, is a specialized tool for running CIS Kubernetes Benchmark tests, making it simpler to use but more limited in scope.

Convert Figma logo designs to code with AI

Visual Copilot

Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.

Try Visual Copilot

README

GitHub Release Downloads Docker Pulls Go Report Card Build Status License Coverage Status

kube-bench logo

kube-bench is a tool that checks whether Kubernetes is deployed securely by running the checks documented in the CIS Kubernetes Benchmark.

Tests are configured with YAML files, making this tool easy to update as test specifications evolve.

Kubernetes Bench for Security

CIS Scanning as part of Trivy and the Trivy Operator

Trivy, the all in one cloud native security scanner, can be deployed as a Kubernetes Operator inside a cluster. Both, the Trivy CLI, and the Trivy Operator support CIS Kubernetes Benchmark scanning among several other features.

Quick start

There are multiple ways to run kube-bench. You can run kube-bench inside a pod, but it will need access to the host's PID namespace in order to check the running processes, as well as access to some directories on the host where config files and other files are stored.

The supplied job.yaml file can be applied to run the tests as a job. For example:

$ kubectl apply -f job.yaml
job.batch/kube-bench created

$ kubectl get pods
NAME                      READY   STATUS              RESTARTS   AGE
kube-bench-j76s9   0/1     ContainerCreating   0          3s

# Wait for a few seconds for the job to complete
$ kubectl get pods
NAME                      READY   STATUS      RESTARTS   AGE
kube-bench-j76s9   0/1     Completed   0          11s

# The results are held in the pod's logs
kubectl logs kube-bench-j76s9
[INFO] 1 Master Node Security Configuration
[INFO] 1.1 API Server
...

For more information and different ways to run kube-bench see documentation

Please Note

  1. kube-bench implements the CIS Kubernetes Benchmark as closely as possible. Please raise issues here if kube-bench is not correctly implementing the test as described in the Benchmark. To report issues in the Benchmark itself (for example, tests that you believe are inappropriate), please join the CIS community.

  2. There is not a one-to-one mapping between releases of Kubernetes and releases of the CIS benchmark. See CIS Kubernetes Benchmark support to see which releases of Kubernetes are covered by different releases of the benchmark.

By default, kube-bench will determine the test set to run based on the Kubernetes version running on the machine.

Contributing

Kindly read Contributing before contributing. We welcome PRs and issue reports.

Roadmap

Going forward we plan to release updates to kube-bench to add support for new releases of the CIS Benchmark. Note that these are not released as frequently as Kubernetes releases.