Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/aquasecurity/kube-bench
Checks whether Kubernetes is deployed according to security best practices as defined in the CIS Kubernetes Benchmark
https://github.com/aquasecurity/kube-bench
cis-benchmark cis-kubernetes-benchmark cis-security hacktoberfest kube-bench kubernetes kubernetes-security openshift
Last synced: 3 days ago
JSON representation
Checks whether Kubernetes is deployed according to security best practices as defined in the CIS Kubernetes Benchmark
- Host: GitHub
- URL: https://github.com/aquasecurity/kube-bench
- Owner: aquasecurity
- License: apache-2.0
- Created: 2017-06-19T13:27:02.000Z (over 7 years ago)
- Default Branch: main
- Last Pushed: 2024-10-25T04:28:39.000Z (about 2 months ago)
- Last Synced: 2024-10-25T07:54:32.465Z (about 2 months ago)
- Topics: cis-benchmark, cis-kubernetes-benchmark, cis-security, hacktoberfest, kube-bench, kubernetes, kubernetes-security, openshift
- Language: Go
- Homepage:
- Size: 9.6 MB
- Stars: 7,017
- Watchers: 106
- Forks: 1,220
- Open Issues: 68
-
Metadata Files:
- Readme: README.md
- Contributing: CONTRIBUTING.md
- License: LICENSE
Awesome Lists containing this project
- awesome-DevOpsSec - kube-bench - Checks whether Kubernetes is deployed according to CIS Kubernetes Benchmark (Tools / Kubernetes)
- awesome - kube-bench - Checks whether Kubernetes is deployed according to security best practices as defined in the CIS Kubernetes Benchmark (Go)
- awesome-containerized-security - kube-bench
- DevSecOps - https://github.com/aquasecurity/kube-bench - bench?style=for-the-badge) | (Kubernetes)
- awesome-repositories - aquasecurity/kube-bench - Checks whether Kubernetes is deployed according to security best practices as defined in the CIS Kubernetes Benchmark (Go)
- awesome-cloud-security - Kube-Bench
- awesome-software-supply-chain-security - aquasecurity/kube-bench: Checks whether Kubernetes is deployed according to security best practices as defined in the CIS Kubernetes Benchmark - hunter: Hunt for security weaknesses in Kubernetes clusters](https://github.com/aquasecurity/kube-hunter) (Point-of-use validations / Vulnerability information exchange)
- awesome-starts - aquasecurity/kube-bench - Checks whether Kubernetes is deployed according to security best practices as defined in the CIS Kubernetes Benchmark (Go)
- awesome-starred - aquasecurity/kube-bench - Checks whether Kubernetes is deployed according to security best practices as defined in the CIS Kubernetes Benchmark (kubernetes)
- awesome-platform-engineering - kube-bench checks whether Kubernetes security is aording to CIS K8S Benchmark
- awesome-k8s - kube-bench
- awesome-eks - kube-bench
- awesome-kubernetes-threat-detection - kube-bench
- awesome-k8s-security - kube-bench
- awesome-k8s-resources - kube-bench - kube-bench is a Go application that checks whether Kubernetes is deployed securely by running the checks documented in the CIS Kubernetes Benchmark. (Tools and Libraries / Security and Compliance)
- awesome-kubernetes-security - kube-bench - Check whether Kubernetes is deployed according to security best practics (Open Source Projects)
- awesome-cloud-native-security - kube-bench
- awesome-cloud-security - 地址 - bench) `由「zhengjim」师傅补充,感谢支持` (0x02 工具 :hammer_and_wrench: / 2 云原生工具)
- awesome-hacking-lists - aquasecurity/kube-bench - Checks whether Kubernetes is deployed according to security best practices as defined in the CIS Kubernetes Benchmark (Go)
- awesome-devsecops-russia - Kubebench
- awesome-ops - aquasecurity/kube-bench - 2.0|6987|2017-06-19|2024-10-04 | 检查 Kubernetes 是否根据 CIS Kubernetes Benchmark 定义的安全最佳实践进行部署 | (K8S-Tools)
README
[![GitHub Release][release-img]][release]
[![Downloads][download]][release]
[![Docker Pulls][docker-pull]][docker]
[![Go Report Card][report-card-img]][report-card]
[![Build Status](https://github.com/aquasecurity/kube-bench/workflows/Build/badge.svg?branch=main)](https://github.com/aquasecurity/kube-bench/actions)
[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://github.com/aquasecurity/kube-bench/blob/main/LICENSE)
[![Coverage Status][cov-img]][cov][download]: https://img.shields.io/github/downloads/aquasecurity/kube-bench/total?logo=github
[release-img]: https://img.shields.io/github/release/aquasecurity/kube-bench.svg?logo=github
[release]: https://github.com/aquasecurity/kube-bench/releases
[docker-pull]: https://img.shields.io/docker/pulls/aquasec/kube-bench?logo=docker&label=docker%20pulls%20%2F%20kube-bench
[docker]: https://hub.docker.com/r/aquasec/kube-bench
[cov-img]: https://codecov.io/github/aquasecurity/kube-bench/branch/main/graph/badge.svg
[cov]: https://codecov.io/github/aquasecurity/kube-bench
[report-card-img]: https://goreportcard.com/badge/github.com/aquasecurity/kube-bench
[report-card]: https://goreportcard.com/report/github.com/aquasecurity/kube-benchkube-bench is a tool that checks whether Kubernetes is deployed securely by running the checks documented in the [CIS Kubernetes Benchmark](https://www.cisecurity.org/benchmark/kubernetes/).
Tests are configured with YAML files, making this tool easy to update as test specifications evolve.
![Kubernetes Bench for Security](/docs/images/output.png "Kubernetes Bench for Security")
## CIS Scanning as part of Trivy and the Trivy Operator
[Trivy](https://github.com/aquasecurity/trivy), the all in one cloud native security scanner, can be deployed as a [Kubernetes Operator](https://github.com/aquasecurity/trivy-operator) inside a cluster.
Both, the [Trivy CLI](https://github.com/aquasecurity/trivy), and the [Trivy Operator](https://github.com/aquasecurity/trivy-operator) support CIS Kubernetes Benchmark scanning among several other features.## Quick start
There are multiple ways to run kube-bench.
You can run kube-bench inside a pod, but it will need access to the host's PID namespace in order to check the running processes, as well as access to some directories on the host where config files and other files are stored.The supplied `job.yaml` [file](job.yaml) can be applied to run the tests as a job. For example:
```bash
$ kubectl apply -f job.yaml
job.batch/kube-bench created$ kubectl get pods
NAME READY STATUS RESTARTS AGE
kube-bench-j76s9 0/1 ContainerCreating 0 3s# Wait for a few seconds for the job to complete
$ kubectl get pods
NAME READY STATUS RESTARTS AGE
kube-bench-j76s9 0/1 Completed 0 11s# The results are held in the pod's logs
kubectl logs kube-bench-j76s9
[INFO] 1 Master Node Security Configuration
[INFO] 1.1 API Server
...
```
For more information and different ways to run kube-bench see [documentation](docs/running.md)
### Please Note1. kube-bench implements the [CIS Kubernetes Benchmark](https://www.cisecurity.org/benchmark/kubernetes/) as closely as possible. Please raise issues here if kube-bench is not correctly implementing the test as described in the Benchmark. To report issues in the Benchmark itself (for example, tests that you believe are inappropriate), please join the [CIS community](https://cisecurity.org).
1. There is not a one-to-one mapping between releases of Kubernetes and releases of the CIS benchmark. See [CIS Kubernetes Benchmark support](docs/platforms.md#cis-kubernetes-benchmark-support) to see which releases of Kubernetes are covered by different releases of the benchmark.
By default, kube-bench will determine the test set to run based on the Kubernetes version running on the machine.
- see the following documentation on [Running kube-bench](docs/running.md#running-kube-bench) for more details.## Contributing
Kindly read [Contributing](CONTRIBUTING.md) before contributing.
We welcome PRs and issue reports.## Roadmap
Going forward we plan to release updates to kube-bench to add support for new releases of the CIS Benchmark. Note that these are not released as frequently as Kubernetes releases.