DevSecOps - Kubernetes DevOps & Security

Kubernetes Operations and Security

CIS Benchmarking and Kube bench

In this guide, we’ll dive into CIS Benchmarking for Kubernetes and demonstrate how to use Kube-bench to validate your cluster’s security posture. You’ll learn:

  • What the CIS Kubernetes Benchmark covers
  • How to run Kube-bench via Docker or as a standalone binary
  • Techniques for filtering checks and producing JSON output for CI/CD

What Is the CIS Benchmark?

The Center for Internet Security (CIS) publishes CIS Benchmarks, which are consensus-driven best practices for securing various platforms. The CIS Kubernetes Benchmark offers detailed recommendations for locking down a Kubernetes cluster by release version.

For fully managed offerings like GKE or EKS, use the cloud provider–specific benchmarks:

Managed Service | Benchmark Link
GKE             | CIS GKE Benchmark
EKS             | CIS EKS Benchmark

These child benchmarks inherit controls from the upstream CIS Kubernetes Benchmark, removing checks you can’t configure and adding provider-specific rules.

In this article, we focus on a kubeadm-provisioned cluster using the upstream CIS Kubernetes Benchmark.

Introducing Kube-bench

Kube-bench is an open-source tool written in Go that scans your Kubernetes nodes against the CIS Benchmark controls. It will output PASS or FAIL for each test, so you can quickly identify misconfigurations.

You can execute Kube-bench in two primary ways:

  1. Docker container
  2. Standalone binary

Note

Always match the --version flag to your Kubernetes release. Mismatched versions may yield incorrect results.


1. Running Kube-bench with Docker

Using Docker is the quickest method since it requires no local installation. Mount your host’s /etc and /var directories so Kube-bench inside the container can read necessary config files.

docker run --rm \
  --pid host \
  -v /etc:/etc:ro \
  -v /var:/var:ro \
  -t aquasec/kube-bench:latest master --version 1.19

Option          | Description
--pid host      | Grants the container access to host process information.
-v /etc:/etc:ro | Mounts host /etc in read-only mode (for kubelet and control plane configs).
-v /var:/var:ro | Mounts host /var in read-only mode (for runtime data).
master          | Runs checks for the master node. You can also specify node, etcd, scheduler, or controller-manager.
--version 1.19  | Targets the CIS Benchmark for Kubernetes v1.19.

Warning

Ensure your Docker user has permission to mount /etc and /var. Running as root or with sudo may be required.

Sample Output

1 Master Node Security Configuration
[INFO] 1.1 API Server
[FAIL] 1.1.1 Ensure that the --allow-privileged argument is set to false (Scored)
[FAIL] 1.1.2 Ensure that the --anonymous-auth argument is set to false (Scored)
[PASS] 1.1.4 Ensure that the --insecure-allow-any-token argument is not set (Scored)
…
[FAIL] 1.1.21 Ensure that the --kubelet-certificate-authority argument is set as appropriate (Scored)

2. Installing and Running the Standalone Binary

If you prefer not to use Docker, download the latest Kube-bench release, extract it, and place the binary in your PATH:

# Download and extract for Linux (amd64). Release assets are named by version, so set
# KB_VERSION to the release you want (check the GitHub releases page for the latest one).
KB_VERSION=<version>
curl -L "https://github.com/aquasecurity/kube-bench/releases/download/v${KB_VERSION}/kube-bench_${KB_VERSION}_linux_amd64.tar.gz" | tar xz

# Move the executable into your PATH
sudo mv kube-bench /usr/local/bin/
# The tarball also contains the cfg/ directory with the benchmark definitions;
# keep it in the directory you run kube-bench from, or point at it with --config-dir.

Then run:

kube-bench master --version 1.15

3. Filtering Checks & JSON Output

To focus on specific controls or integrate results into CI/CD workflows, use the --check and --json flags.

Docker Example

docker run --rm \
  --pid host \
  -v /etc:/etc:ro \
  -v /var:/var:ro \
  -t aquasec/kube-bench:latest master \
  --version 1.19 \
  --check 1.2.7,1.2.8,1.2.9 \
  --json

Binary Example

kube-bench master \
  --version 1.15 \
  --check 1.2.7,1.2.8,1.2.9 \
  --json

The resulting JSON can be parsed to enforce compliance gates in your automation pipelines.
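As an added example (not code from the original article or from the kube-bench project), here is a small Python compliance gate that reads the `--json` report and fails the pipeline step when any required scored check is FAIL. The field names (`Controls`, `tests`, `results`, `test_number`, `status`, `scored`) and the embedded sample report are my assumptions about kube-bench's output format, not data taken from the page.

```python
import json
import sys
from typing import Iterable, Iterator, List, Optional

# Constructed sample of `kube-bench ... --json` output (not real scan data). Its layout
# (Controls -> tests -> results with test_number/status/scored) follows the report
# format of recent kube-bench releases as I understand it.
SAMPLE_REPORT = json.dumps({"Controls": [{
    "id": "1", "text": "Master Node Security Configuration", "node_type": "master",
    "tests": [{"section": "1.2", "desc": "API Server", "results": [
        {"test_number": "1.2.7", "status": "FAIL", "scored": True,
         "test_desc": "Ensure that the --authorization-mode argument is not set to AlwaysAllow",
         "remediation": "Set --authorization-mode to a value other than AlwaysAllow."},
        {"test_number": "1.2.8", "status": "PASS", "scored": True,
         "test_desc": "Ensure that the --authorization-mode argument includes Node", "remediation": ""},
        {"test_number": "1.2.9", "status": "WARN", "scored": False,
         "test_desc": "Ensure that the --authorization-mode argument includes RBAC",
         "remediation": "Manual check."}]}]}]})

def iter_results(report) -> Iterator[dict]:
    # Recent kube-bench wraps per-node reports in "Controls"; older builds emit one
    # control object (or a list of them) at the top level. Handle all three shapes.
    controls = report.get("Controls") if isinstance(report, dict) else None
    if controls is None:
        controls = report if isinstance(report, list) else [report]
    for control in controls:
        for test in control.get("tests", []):
            yield from test.get("results", [])

def failing_checks(report_json: str, required: Optional[Iterable[str]] = None) -> List[dict]:
    # Scored checks with status FAIL, limited to the `required` ids when given. WARN is not
    # a failure: kube-bench uses it for manual-review checks, so gating on it blocks every run.
    wanted = set(required) if required is not None else None
    return [
        {"id": r["test_number"], "desc": r.get("test_desc", ""), "remediation": r.get("remediation", "")}
        for r in iter_results(json.loads(report_json))
        if r.get("status") == "FAIL" and r.get("scored", True)
        and (wanted is None or r["test_number"] in wanted)
    ]

def gate(report_json: str, required: Optional[Iterable[str]] = None) -> int:
    # Print each failing check with its remediation and return the CI step's exit code.
    failures = failing_checks(report_json, required)
    for f in failures:
        print(f"[FAIL] {f['id']} {f['desc']}\n       remediation: {f['remediation']}")
    return 1 if failures else 0

if __name__ == "__main__":
    data = SAMPLE_REPORT if sys.stdin.isatty() else sys.stdin.read()
    sys.exit(gate(data, sys.argv[1].split(",") if len(sys.argv) > 1 else None))
```

In a pipeline, pipe the scan into the script, e.g. `kube-bench master --version 1.19 --check 1.2.7,1.2.8,1.2.9 --json | python3 gate.py 1.2.7,1.2.8,1.2.9`; run with no input and it exercises the embedded sample.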


Comparison: Docker vs Standalone Binary

Aspect     | Docker                        | Standalone Binary
Setup      | No installation required      | Requires download and mv to PATH
Isolation  | Fully containerized           | Runs directly on host
Versioning | Image tag (e.g., latest)      | Explicit download of specific release
Use Case   | Quick audits, ephemeral scans | Persistent, on-host integrations
