CIS Benchmarking and Kube bench

In this guide, we’ll dive into CIS Benchmarking for Kubernetes and demonstrate how to use Kube-bench to validate your cluster’s security posture. You’ll learn:

• What the CIS Kubernetes Benchmark covers
• How to run Kube-bench via Docker or as a standalone binary
• Techniques for filtering checks and producing JSON output for CI/CD

What Is the CIS Benchmark?

The Center for Internet Security (CIS) publishes CIS Benchmarks, which are consensus-driven best practices for securing various platforms. The CIS Kubernetes Benchmark offers detailed recommendations for locking down a Kubernetes cluster by release version.

For fully managed offerings like GKE or EKS, use the cloud provider–specific benchmarks:

These child benchmarks inherit controls from the upstream CIS Kubernetes Benchmark, removing checks you can’t configure and adding provider-specific rules.

In this article, we focus on a kubeadm-provisioned cluster using the upstream CIS Kubernetes Benchmark.

Introducing Kube-bench

Kube-bench is an open-source tool written in Go that scans your Kubernetes nodes against the CIS Benchmark controls. It will output PASS or FAIL for each test, so you can quickly identify misconfigurations.

You can execute Kube-bench in two primary ways:

1. Docker container
2. Standalone binary

1. Running Kube-bench with Docker

Using Docker is the quickest method since it requires no local installation. Mount your host’s /etc and /var directories so Kube-bench inside the container can read necessary config files.

docker run --rm \
  --pid host \
  -v /etc:/etc:ro \
  -v /var:/var:ro \
  -t aquasec/kube-bench:latest master --version 1.19

Sample Output

1 Master Node Security Configuration
[INFO] 1.1 API Server
[FAIL] 1.1.1 Ensure that the --allow-privileged argument is set to false (Scored)
[FAIL] 1.1.2 Ensure that the --anonymous-auth argument is set to false (Scored)
[PASS] 1.1.4 Ensure that the --insecure-allow-any-token argument is not set (Scored)
…
[FAIL] 1.1.21 Ensure that the --kubelet-certificate-authority argument is set as appropriate (Scored)

2. Installing and Running the Standalone Binary

If you prefer not to use Docker, download the latest Kube-bench release, extract it, and place the binary in your PATH:

# Download and extract for Linux (amd64)
curl -L https://github.com/aquasecurity/kube-bench/releases/latest/download/kube-bench_$(uname -s)_amd64.tar.gz | tar xz

# Move the executable into your PATH
sudo mv kube-bench /usr/local/bin/

Then run:

kube-bench master --version 1.15

3. Filtering Checks & JSON Output

To focus on specific controls or integrate results into CI/CD workflows, use the --check and --json flags.

Docker Example

docker run --rm \
  --pid host \
  -v /etc:/etc:ro \
  -v /var:/var:ro \
  -t aquasec/kube-bench:latest master \
  --version 1.19 \
  --check 1.2.7,1.2.8,1.2.9 \
  --json

Binary Example

kube-bench master \
  --version 1.15 \
  --check 1.2.7,1.2.8,1.2.9 \
  --json

The resulting JSON can be parsed to enforce compliance gates in your automation pipelines.

Comparison: Docker vs Standalone Binary

Links and References

• CIS Kubernetes Benchmark
• CIS GKE Benchmark
• CIS EKS Benchmark
• Kube-bench on GitHub
• Kubernetes Documentation
• Docker Hub
• Terraform Registry