How to check vulnerability in an EKS cluster using kube-bench


What is kube-bench?

kube-bench is an open-source tool that checks whether Kubernetes is deployed securely by running the checks documented in the CIS Kubernetes Benchmark.

It is a CIS Kubernetes Benchmark tool created by Aqua Security. kube-bench is written in the Go language.

Each section has its own tests; for every test that fails it provides the remediation, reports warnings, and prints a summary for that section. In the end, it gives the overall result of the run.

What is CIS?

CIS (the Center for Internet Security) is a community-driven, non-profit organization that aims to improve security across the internet. It is the body that creates and updates the CIS Controls and the CIS Benchmarks.

CIS benchmarks for k8s:

The CIS Benchmark tests are run on each of your nodes to check that the deployment meets the best-practice recommendations from the CIS community. You not only receive information about whether each check passes or fails, but also a summary of how to resolve each failure found.

For example, they include recommendations to change or remove an insecure configuration setting on the Kubernetes cluster.

The kube-bench tool lets you immediately see whether your setup conforms to best practices, as per the benchmark document, including

  • Proper user authentication.
  • Secure data transfer (moving data from one end to the other).
  • Secure data at rest.
  • Using the least privileges.

How to run Kube-bench?

There are two ways:

  1. Run kube-bench using a K8s Job or CronJob.
  2. Run a container that installs kube-bench on the node, and run kube-bench directly on the node host.

Using EKS k8s job:

You can run this Job on the EKS cluster using the kubectl command line. You can check the logs after the Job has completed. The logs give you the full summary and result of the vulnerability test for the current EKS cluster.

kubectl get po
kubectl logs kube-bench-2rxm6

Install kube-bench on a node, and run it directly on the node.

We will install kube-bench on one of the nodes and run the CIS EKS Benchmark node checks against the eks-1.0.1 node controls.

kubectl get nodes -o wide
  • SSH into the node.
  • Download the latest kube-bench release on the node using this command:
KUBEBENCH_URL=$(curl -s | jq -r '.assets[] | select(.name | contains("amd64.rpm")) | .browser_download_url')
  • Install kube-bench.

The latest kube-bench version is now installed on your EKS cluster node. After that, use this command to start scanning the node:

kube-bench --benchmark eks-1.0.1

The output is:

At the end it provides the overall result in the form of a summary (total number of passes, total warnings and, last, total failures).
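Whichever way the scan was run (the Job's pod logs or the node-local `kube-bench --benchmark eks-1.0.1` run), the plain-text report ends with the summary described above, and a practitioner usually wants to turn it into a pass/fail gate for a pipeline plus a list of failed check IDs to track. The following POSIX shell script is an added example, not code from the original post or from the kube-bench project. It assumes kube-bench's text output format: result lines such as `[FAIL] 3.1.2 ...` and a `== Summary total ==` block with lines of the form `<n> checks PASS|FAIL|WARN|INFO`. The log content it runs on is a constructed sample, not real scan output, so it runs offline; the job name `kube-bench` in the usage comment is taken from the pod name shown earlier on this page.

```shell
#!/bin/sh
# Added example (not from the original post or the kube-bench project):
# parse a kube-bench text report into per-status counts, list failed check
# IDs, and fail the pipeline when any check FAILs.
# Assumption: kube-bench's plain-text format ("[FAIL] 3.1.2 ..." result
# lines and a "== Summary total ==" block with "<n> checks <STATUS>").

# kb_total LOGFILE STATUS: number of checks with STATUS (PASS, FAIL, WARN,
# INFO) taken from the "== Summary total ==" block, ignoring the per-section
# summaries that precede it.
kb_total() {
  awk -v st="$2" '
    /^== Summary total ==/ { in_total = 1; next }
    in_total && $3 == st  { print $1; exit }
  ' "$1"
}

# kb_failed_ids LOGFILE: IDs of every failed check, one per line.
kb_failed_ids() {
  awk '$1 == "[FAIL]" { print $2 }' "$1"
}

# kb_gate LOGFILE: exit status 0 when no check failed, 1 otherwise.
kb_gate() {
  fails=$(kb_total "$1" FAIL)
  [ "${fails:-0}" -eq 0 ]
}

# Constructed sample report (NOT real scan output) for an offline run.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
[INFO] 3 Worker Node Security Configuration
[INFO] 3.1 Worker Node Configuration Files
[PASS] 3.1.1 Ensure that the kubeconfig file permissions are set to 644 or more restrictive (Manual)
[FAIL] 3.1.2 Ensure that the kubelet kubeconfig file ownership is set to root:root (Manual)
[WARN] 3.2.1 Ensure that the --anonymous-auth argument is set to false (Automated)

== Remediations node ==
3.1.2 Run the below command (based on the file location on your system) on each worker node.

== Summary node ==
1 checks PASS
1 checks FAIL
1 checks WARN
0 checks INFO

== Summary total ==
1 checks PASS
1 checks FAIL
1 checks WARN
0 checks INFO
EOF

echo "failed checks: $(kb_failed_ids "$SAMPLE" | tr '\n' ' ')"
if kb_gate "$SAMPLE"; then
  echo "gate: ok"
else
  echo "gate: $(kb_total "$SAMPLE" FAIL) check(s) FAIL, $(kb_total "$SAMPLE" WARN) WARN"
fi

# Live usage against the Job from the post (needs cluster access; the Job
# name kube-bench is assumed from the pod name shown in the post):
#   kubectl wait --for=condition=complete job/kube-bench --timeout=300s
#   kubectl logs job/kube-bench > /tmp/kube-bench.log
#   kb_gate /tmp/kube-bench.log || exit 1
```

Gating only on FAIL mirrors how the benchmark is meant to be read: WARN items are manual checks that need a human to confirm, so they are reported but do not block; the failed IDs printed by `kb_failed_ids` are the ones whose remediation text appears in the `== Remediations ==` block of the same report.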