In this guide, we’ll dive into CIS Benchmarking for Kubernetes and demonstrate how to use Kube-bench to validate your cluster’s security posture. You’ll learn:
- What the CIS Kubernetes Benchmark covers
- How to run Kube-bench via Docker or as a standalone binary
- Techniques for filtering checks and producing JSON output for CI/CD
What Is the CIS Benchmark?
The Center for Internet Security (CIS) publishes CIS Benchmarks, which are consensus-driven best practices for securing various platforms. The CIS Kubernetes Benchmark offers detailed recommendations for locking down a Kubernetes cluster by release version. For fully managed offerings like GKE or EKS, use the cloud provider–specific benchmarks:
| Managed Service | Benchmark Link |
|---|---|
| GKE | CIS GKE Benchmark |
| EKS | CIS EKS Benchmark |
Introducing Kube-bench
Kube-bench is an open-source tool written in Go that scans your Kubernetes nodes against the CIS Benchmark controls. It will output PASS or FAIL for each test, so you can quickly identify misconfigurations.
You can execute Kube-bench in two primary ways:
- Docker container
- Standalone binary
Always match the --version flag to your Kubernetes release. Mismatched versions may yield incorrect results.
1. Running Kube-bench with Docker
Using Docker is the quickest method since it requires no local installation. Mount your host’s /etc and /var directories so Kube-bench inside the container can read the necessary config files.
| Option | Description |
|---|---|
| --pid host | Grants the container access to host process information. |
| -v /etc:/etc:ro | Mounts host /etc in read-only mode (for kubelet and control plane configs). |
| -v /var:/var:ro | Mounts host /var in read-only mode (for runtime data). |
| master | Runs checks for the master node. You can also specify node, etcd, scheduler, or controller-manager. |
| --version 1.19 | Targets the CIS Benchmark for Kubernetes v1.19. |
Ensure your Docker user has permission to mount /etc and /var. Running as root or with sudo may be required.
Sample Output
2. Installing and Running the Standalone Binary
If you prefer not to use Docker, download the latest Kube-bench release, extract it, and place the binary in your PATH:
3. Filtering Checks & JSON Output
To focus on specific controls or integrate results into CI/CD workflows, use the --check and --json flags.
Docker Example
Binary Example
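Once a scan is run with --json, the report still has to become a pass/fail decision for the pipeline. The script below is an added example, not code from this page or from the Kube-bench project: it walks the Controls -> tests -> results layout that kube-bench emits (field names are assumed from that format and should be checked against your release), gates on FAIL (optionally WARN), and honours a reviewed allowlist of accepted exceptions; the file name gate.py and its --warn switch are names chosen here, and the embedded report is a constructed sample.

```python
import json
import sys

# Constructed sample in the shape kube-bench prints with --json: a "Controls" list
# (one per target such as master or node) plus "Totals". Field names are assumed
# from that format; verify them against the kube-bench release you run.
SAMPLE_REPORT = json.dumps({
    "Controls": [{"id": "1", "version": "1.19", "text": "Master Node Security Configuration",
        "tests": [{"section": "1.2", "desc": "API Server", "results": [
            {"test_number": "1.2.1", "status": "FAIL",
             "test_desc": "Ensure that the --anonymous-auth argument is set to false",
             "remediation": "Set --anonymous-auth=false in the API server pod spec."},
            {"test_number": "1.2.2", "status": "PASS",
             "test_desc": "Ensure that the --basic-auth-file argument is not set", "remediation": ""},
            {"test_number": "1.2.5", "status": "WARN",
             "test_desc": "Ensure that the --kubelet-certificate-authority argument is set",
             "remediation": "Configure a kubelet CA for the API server."}]}]}],
    "Totals": {"total_pass": 1, "total_fail": 1, "total_warn": 1, "total_info": 0}})


def failed_checks(report_json, statuses=("FAIL",)):
    """Return (test_number, description, remediation) for every result whose
    status is in `statuses`, walking Controls -> tests -> results."""
    report = json.loads(report_json)
    # Older kube-bench releases emit a bare list of controls instead of a dict.
    controls = report["Controls"] if isinstance(report, dict) else report
    hits = []
    for control in controls:
        for group in control.get("tests", []):
            for result in group.get("results", []):
                if result.get("status") in statuses:
                    hits.append((result["test_number"], result.get("test_desc", ""),
                                 result.get("remediation", "")))
    return hits


def gate(report_json, fail_on_warn=False, allowlist=()):
    """CI decision: exit code 1 if any non-allowlisted FAIL (optionally WARN) remains.
    `allowlist` holds test numbers accepted as known exceptions after review."""
    statuses = ("FAIL", "WARN") if fail_on_warn else ("FAIL",)
    hits = [h for h in failed_checks(report_json, statuses) if h[0] not in allowlist]
    return (1 if hits else 0), hits


if __name__ == "__main__":
    # Usage: kube-bench master --version 1.19 --json | python gate.py [--warn]
    code, hits = gate(sys.stdin.read(), fail_on_warn="--warn" in sys.argv)
    for number, desc, fix in hits:
        print(f"{number}: {desc}\n    remediation: {fix}")
    sys.exit(code)
```

Keep the allowlist in version control next to the pipeline definition so every accepted exception carries a reviewable history.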
Comparison: Docker vs Standalone Binary
| Aspect | Docker | Standalone Binary |
|---|---|---|
| Setup | No installation required | Requires download and mv to PATH |
| Isolation | Fully containerized | Runs directly on host |
| Versioning | Image tag (e.g., latest) | Explicit download of specific release |
| Use Case | Quick audits, ephemeral scans | Persistent, on-host integrations |
Links and References
- CIS Kubernetes Benchmark
- CIS GKE Benchmark
- CIS EKS Benchmark
- Kube-bench on GitHub
- Kubernetes Documentation
- Docker Hub
- Terraform Registry