CIS EKS Benchmark with kube-bench

1. Let's learn what the CIS Kubernetes Benchmark is

CIS Kubernetes Benchmark: https://www.cisecurity.org/benchmark/kubernetes/

2. kube-bench

https://github.com/aquasecurity/kube-bench

  • We will work with the stable version 0.3.1

3. Working with kube-bench

  • List the current nodes
kubectl get nodes -o wide
  • Log in to one node with SSM from the EC2 console
sh-4.2$ sudo wget https://github.com/aquasecurity/kube-bench/releases/download/v0.3.1/kube-bench_0.3.1_linux_amd64.rpm

Response:

Resolving github.com (github.com)... 140.82.113.3
Connecting to github.com (github.com)|140.82.113.3|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://github-releases.githubusercontent.com/94779471/55bb7480-c2e1-11ea-9d1d-513b24984bbd?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20210612%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20210612T195900Z&X-Amz-Expires=300&X-Amz-Signature=ff8c6856e96b32d719394565b8742436d294a1715257637be22293ad7b6f26b4&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=94779471&response-content-disposition=attachment%3B%20filename%3Dkube-bench_0.3.1_linux_amd64.rpm&response-content-type=application%2Foctet-stream [following]
--2021-06-12 19:59:00--  https://github-releases.githubusercontent.com/94779471/55bb7480-c2e1-11ea-9d1d-513b24984bbd?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20210612%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20210612T195900Z&X-Amz-Expires=300&X-Amz-Signature=ff8c6856e96b32d719394565b8742436d294a1715257637be22293ad7b6f26b4&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=94779471&response-content-disposition=attachment%3B%20filename%3Dkube-bench_0.3.1_linux_amd64.rpm&response-content-type=application%2Foctet-stream
Resolving github-releases.githubusercontent.com (github-releases.githubusercontent.com)... 185.199.111.154, 185.199.108.154, 185.199.109.154, ...
Connecting to github-releases.githubusercontent.com (github-releases.githubusercontent.com)|185.199.111.154|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 6619503 (6.3M) [application/octet-stream]
Saving to: ‘kube-bench_0.3.1_linux_amd64.rpm’

100%[=================================================================================================================================================================>] 6,619,503   37.4MB/s   in 0.2s

2021-06-12 19:59:01 (37.4 MB/s) - ‘kube-bench_0.3.1_linux_amd64.rpm’ saved [6619503/6619503]
  • Install version 0.3.1 directly on the node we chose:
sh-4.2$ sudo rpm -Uvh kube-bench_0.3.1_linux_amd64.rpm

Result:

Preparing...                          ################################# [100%]
Updating / installing...
   1:kube-bench-0:0.3.1-1             ################################# [100%]
  • Run the assessment with kube-bench:
sh-4.2$ kube-bench --benchmark eks-1.0

Assessment result:

[INFO] 3 Worker Node Security Configuration
[INFO] 3.1 Worker Node Configuration Files
[PASS] 3.1.1 Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive (Scored)
[PASS] 3.1.2 Ensure that the proxy kubeconfig file ownership is set to root:root (Scored)
[PASS] 3.1.3 Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Scored)
[PASS] 3.1.4 Ensure that the kubelet configuration file ownership is set to root:root (Scored)
[INFO] 3.2 Kubelet
[PASS] 3.2.1 Ensure that the --anonymous-auth argument is set to false (Scored)
[PASS] 3.2.2 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)
[PASS] 3.2.3 Ensure that the --client-ca-file argument is set as appropriate (Scored)
[PASS] 3.2.4 Ensure that the --read-only-port argument is set to 0 (Scored)
[PASS] 3.2.5 Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored)
[PASS] 3.2.6 Ensure that the --protect-kernel-defaults argument is set to true (Scored)
[PASS] 3.2.7 Ensure that the --make-iptables-util-chains argument is set to true (Scored)
[PASS] 3.2.8 Ensure that the --hostname-override argument is not set (Scored)
[WARN] 3.2.9 Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture (Scored)
[PASS] 3.2.10 Ensure that the --rotate-certificates argument is not set to false (Scored)
[PASS] 3.2.11 Ensure that the RotateKubeletServerCertificate argument is set to true (Scored)

== Remediations ==
3.2.9 If using a Kubelet config file, edit the file to set eventRecordQPS: to an appropriate level.
If using command line arguments, edit the kubelet service file
/etc/systemd/system/kubelet.service on each worker node and
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service


== Summary ==
14 checks PASS
0 checks FAIL
1 checks WARN
0 checks INFO
sh-4.2$
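As an added example (not part of the original page or of the kube-bench project), the POSIX shell functions below parse kube-bench's text output like the one above: they count checks by status, list every WARN or FAIL check id, and return a non-zero exit status so the run can gate a node image or CI pipeline. The `kube_bench_*` function names are our own, and the SAMPLE is a constructed excerpt modelled on the page's output rather than a fresh run.

```shell
#!/bin/sh
# Added example: summarise kube-bench text output and gate on its findings.
# Not part of kube-bench; function names are our own. SAMPLE is a constructed
# excerpt modelled on the page's output, not a real run.

SAMPLE='[INFO] 3 Worker Node Security Configuration
[INFO] 3.1 Worker Node Configuration Files
[PASS] 3.1.1 Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive (Scored)
[PASS] 3.1.2 Ensure that the proxy kubeconfig file ownership is set to root:root (Scored)
[INFO] 3.2 Kubelet
[PASS] 3.2.1 Ensure that the --anonymous-auth argument is set to false (Scored)
[WARN] 3.2.9 Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture (Scored)

== Summary ==
3 checks PASS
0 checks FAIL
1 checks WARN
0 checks INFO'

# kube_bench_count STATUS   (reads kube-bench output on stdin)
# Counts check lines tagged with STATUS (PASS, WARN or FAIL). Only lines that
# start with a dotted check id such as 3.2.9 are counted, so the top-level
# section line "[INFO] 3 Worker Node ..." is never mistaken for a check.
kube_bench_count() {
  grep -c "^\[$1\] [0-9]*\.[0-9][0-9.]* " || true   # grep -c exits 1 on zero matches; still prints 0
}

# kube_bench_findings   (reads stdin)
# Prints "ID [STATUS]" for every WARN or FAIL check, e.g. "3.2.9 [WARN]".
kube_bench_findings() {
  awk '$1 == "[WARN]" || $1 == "[FAIL]" { print $2, $1 }'
}

# kube_bench_gate [--strict]   (reads stdin)
# Returns 1 when any check FAILs, 2 when --strict is given and any check WARNs,
# 0 otherwise, so the pipeline's exit status reflects the benchmark result.
kube_bench_gate() {
  out=$(cat)
  fails=$(printf '%s\n' "$out" | kube_bench_count FAIL)
  warns=$(printf '%s\n' "$out" | kube_bench_count WARN)
  [ "$fails" -eq 0 ] || return 1
  if [ "$1" = "--strict" ] && [ "$warns" -gt 0 ]; then return 2; fi
  return 0
}

# Demo on the constructed sample.
printf 'PASS=%s WARN=%s FAIL=%s\n' \
  "$(printf '%s\n' "$SAMPLE" | kube_bench_count PASS)" \
  "$(printf '%s\n' "$SAMPLE" | kube_bench_count WARN)" \
  "$(printf '%s\n' "$SAMPLE" | kube_bench_count FAIL)"
printf '%s\n' "$SAMPLE" | kube_bench_findings
```

On a real node the functions are used on the live output, for example `kube-bench --benchmark eks-1.0 | kube_bench_gate --strict`, where a non-zero status flags the node for remediation such as the eventRecordQPS change described above. kube-bench can also emit machine-readable output with its `--json` flag, which is the better choice when feeding results into a SIEM or ticketing system rather than a shell gate.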

4. Let's review in detail how to evaluate this summary:

https://www.aquasec.com/cloud-native-academy/kubernetes-in-production/kubernetes-cis-benchmark-best-practices-in-brief/