Skip to main content
In this lesson, we’ll use kube-bench to run the CIS Kubernetes Benchmark tests against your cluster. We’ll cover:
  • Overview of the CIS Benchmark PDF
  • Manual Kubelet anonymous-auth check
  • Installing and running kube-bench
  • Parsing JSON output with jq
  • CI/CD integration with Jenkins

CIS Kubernetes Benchmark PDF

Download the official CIS Kubernetes Benchmark from the CIS website:
CIS Kubernetes Benchmark requires an email to access the PDF.
The PDF contains ~270 pages of guidelines, organized by test IDs per component. For instance, 4.2.1 in Worker Node Security Configuration verifies --anonymous-auth=false.
The image shows a webpage for CIS Benchmarks focused on securing Kubernetes, offering a download link for the latest security guidelines. It includes a brief description and links to additional resources and community information.
After downloading, open the PDF to review sections such as Terms of Use, Overview, and Recommendations.
The image shows a computer screen displaying a PDF document titled "CIS Kubernetes Benchmark v1.6.0" with a table of contents visible. The document appears to be open in a PDF viewer, and the table of contents lists sections such as Terms of Use, Overview, and Recommendations.

Manual Check: Kubelet Anonymous Auth

On a kubeadm-provisioned node, verify the running Kubelet process and its config file: 
# Identify the kubelet process
ps -ef | grep kubelet

# Display the Kubelet configuration
cat /var/lib/kubelet/config.yaml
In config.yaml, confirm anonymous auth is disabled: 
authentication:
  anonymous:
    enabled: false
If anonymous auth is set to true, update the YAML, then reload and restart the service:
sudo systemctl daemon-reload
sudo systemctl restart kubelet

Installing kube-bench

kube-bench on GitHub is a Go-based tool from Aqua Security that automates CIS checks. To install on Ubuntu:
The image shows a GitHub page for the "kube-bench" project, which is a Go application for checking Kubernetes security compliance. It includes details like release version, downloads, and a brief description of the tool.
# Download the latest .deb package (version may vary)
curl -L -O https://github.com/aquasecurity/kube-bench/releases/download/v0.3.1/kube-bench_0.3.1_linux_amd64.deb

# Install kube-bench
sudo apt install ./kube-bench_0.3.1_linux_amd64.deb -y

Running kube-bench

Execute all CIS checks (master, node, etcd, control plane): 
kube-bench
Example summary: 
== Summary ==
   42 checks PASS
    3 checks FAIL
   24 checks WARN
    0 checks INFO
The image shows a terminal window displaying a security configuration summary for a Kubernetes worker node, with various checks marked as PASS, FAIL, or WARN. The interface appears to be from a remote connection tool, with a sidebar listing files and directories.
You can target specific components:
ComponentCommandDescription
Allkube-benchRun all CIS checks
Masterkube-bench masterValidate control plane configurations
Nodekube-bench nodeInspect worker node settings
Etcdkube-bench etcdCheck etcd data store security
# Run checks on the master node
kube-bench master

# Run checks on worker nodes
kube-bench node
The image shows a terminal window with instructions for editing Kubernetes configuration files, including encryption and pod specifications. It also displays a summary of checks with pass, fail, and warning statuses.

JSON Output and Filtering

For CI automation, output results in JSON and use jq to filter: 
kube-bench node --check 4.2.1 --json | jq

{
  "id": "4",
  "version": "1.5",
  "text": "Worker Node Security Configuration",
  "node_type": "node",
  "tests": [
    {
      "section": "4.2",
      "pass": 1,
      "fail": 0,
      "info": 0,
      "desc": "Kubelet",
      "results": [
        {
          "test_number": "4.2.1",
          "test_desc": "Ensure that the --anonymous-auth argument is set to false (Scored)",
          "status": "PASS",
          "remediation": "If using a Kubelet config file, edit the file to set authentication: anonymous: enabled to false..."
        }
      ]
    }
  ]
}
To extract failure count: 
total_fail=$(kube-bench node --check 4.2.1 --json | jq '.[].total_fail')
echo "Total fails: $total_fail"
The image shows a terminal window with a list of security checks for a Kubernetes environment, indicating pass, warn, and fail statuses for each check. The interface appears to be part of a remote monitoring tool.
Ensure jq is installed (sudo apt install jq) to parse JSON output.

Jenkins Integration

Integrate kube-bench into a Jenkins pipeline to enforce CIS compliance: 
stage('K8S CIS Benchmark') {
  steps {
    script {
      parallel(
        'Master': {
          sh 'bash cis-master.sh'
        },
        'Etcd': {
          sh 'bash cis-etcd.sh'
        },
        'Kubelet': {
          sh 'bash cis-kubelet.sh'
        }
      )
    }
  }
}
Each script runs targeted checks, parses JSON, and exits with code 1 on failures. Example cis-kubelet.sh: 
#!/bin/bash

# Run specific Kubelet tests
total_fail=$(kube-bench node \
  --version 1.15 \
  --check 4.2.1,4.2.2 \
  --json | jq -r '.[].total_fail')

if [[ "$total_fail" -ne 0 ]]; then
  echo "CIS Benchmark Failed: Kubelet checks 4.2.1,4.2.2"
  exit 1
else
  echo "CIS Benchmark Passed: Kubelet checks 4.2.1,4.2.2"
fi
Repeat similar scripts for cis-master.sh (e.g., checks 1.1.12, 1.2.1) and cis-etcd.sh (e.g., check 2.2).
Failing any CIS test will mark the Jenkins stage as failed. Adjust thresholds as needed.

Conclusion

By combining kube-bench with JSON output and jq filters, you can automate CIS Kubernetes Benchmark checks in your CI/CD pipeline. These scans help ensure your cluster adheres to security best practices before production deployment.

References

Watch Video

Practice Lab