
CKS Notes - Kube-bench


Some of these posts come from my previous blogs; even though I renovated and checked them before migration, some parts may still be out of date. (https://blog.sina.com.cn/u/1784323047 or https://blog.csdn.net/li_6698230?type=blog, if they are still accessible.)

Based on the experience people have shared on the internet, I summarized some key aspects as a series of articles for preparing for the CKS exam. Each aspect is kept to short, concise points, so this is not a detailed tutorial, just some practical reminders.

Notice: some concepts are based on my own understanding and may be inaccurate or even incorrect, so this is just the handbook I used while preparing for the CKS exam.

kube-bench is a tool that checks whether a Kubernetes cluster meets the CIS Kubernetes Benchmark. It runs on a node, reads the component config files and flags there, and prints PASS/FAIL/WARN per benchmark item together with a remediation hint.

Concepts

Basic Command:

ssh NODE
kube-bench run --targets TARGETS --benchmark VERSION

params:

1. check --targets:

  1. master

  2. node

  3. controlplane

  4. etcd

  5. policies

2. select the CIS benchmark version with --benchmark (for example --benchmark cis-1.6; without it kube-bench picks one from the detected Kubernetes version); --check limits the run to a comma-separated list of check IDs (for example --check 1.2.1)

Checking items

1. on master

kube-bench run --targets master

  1. API server (/etc/kubernetes/manifests/kube-apiserver.yaml)

  2. Controller manager (/etc/kubernetes/manifests/kube-controller-manager.yaml)

  3. PKI directory (/etc/kubernetes/pki/)

  4. Scheduler (/etc/kubernetes/manifests/kube-scheduler.yaml)

2. on node

ssh NODE
kube-bench run --targets node

kubelet is treated as a node-level component.

The node target mainly checks kubelet-related configs:

  1. /var/lib/kubelet/config.yaml

  2. /etc/kubernetes/kubelet.conf

  3. /etc/systemd/system/kubelet.service.d/10-kubeadm.conf

  4. kubelet certificate location

  5. anonymous auth

  6. webhook authz

  7. protecting /var/lib/kubelet/

  8. TLS bootstrapping config

  9. client CA

  10. permissions (644/600)

Notice: kubelet reads its config only at startup, so after fixing a node finding you need to restart kubelet manually.

3. etcd check

We only focus on kubeadm clusters here (managed cloud clusters do not expose etcd at all; for an externally managed etcd cluster, ssh to the etcd node and run the same target there).

kubeadm runs etcd as a static pod on the control-plane node.

ssh CONTROLPLANE_NODE
kube-bench run --targets etcd

The checks read the static-pod manifest /etc/kubernetes/manifests/etcd.yaml and look for:

  1. Authentication enabled

    1. --client-cert-auth=true

    2. --peer-client-cert-auth=true

  2. Encryption enabled

    1. --cert-file

    2. --key-file

    3. --peer-cert-file

    4. --peer-key-file

  3. Proper paths

    1. /etc/kubernetes/pki/etcd/

Notice: on a kubeadm cluster, fixes go into the manifest under /etc/kubernetes/manifests, and kubelet, which watches that directory, recreates the etcd pod automatically; there is no need to restart it manually.
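A small read-only check for the etcd items listed above, as an added example that is not part of the original notes or of kube-bench itself. It greps the manifest for the flags the section names and confirms every cert/key flag points under /etc/kubernetes/pki/etcd/; the two sample manifests it writes are constructed for the demo, and on a real control-plane node you would point it at /etc/kubernetes/manifests/etcd.yaml instead.

```shell
#!/bin/sh
# Added example (not part of the original notes): a read-only check of the etcd
# static-pod manifest for the flags the etcd section lists. It only greps the
# file. Flag list and PKI path come from the notes; the sample manifests written
# by write_sample_manifests are constructed for the demo.

# check_etcd_manifest FILE -> one PASS/FAIL line per item,
# returns the number of failed items (0 = all present and sane)
check_etcd_manifest() {
    manifest="$1"
    fails=0
    for flag in \
        '--client-cert-auth=true' \
        '--peer-client-cert-auth=true' \
        '--cert-file=' \
        '--key-file=' \
        '--peer-cert-file=' \
        '--peer-key-file='
    do
        if grep -q -- "$flag" "$manifest"; then
            echo "PASS $flag"
        else
            echo "FAIL $flag missing (or set to another value)"
            fails=$((fails + 1))
        fi
    done
    # every cert/key flag that is present should point under the kubeadm PKI dir
    if grep -E -- '--(peer-)?(cert|key)-file=' "$manifest" \
        | grep -qv '/etc/kubernetes/pki/etcd/'; then
        echo "FAIL cert/key path outside /etc/kubernetes/pki/etcd/"
        fails=$((fails + 1))
    fi
    return "$fails"
}

# write_sample_manifests DIR -> constructed good and bad manifests for the demo
write_sample_manifests() {
    cat > "$1/etcd-good.yaml" <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: etcd
  namespace: kube-system
spec:
  containers:
  - command:
    - etcd
    - --client-cert-auth=true
    - --peer-client-cert-auth=true
    - --cert-file=/etc/kubernetes/pki/etcd/server.crt
    - --key-file=/etc/kubernetes/pki/etcd/server.key
    - --peer-cert-file=/etc/kubernetes/pki/etcd/peer.crt
    - --peer-key-file=/etc/kubernetes/pki/etcd/peer.key
    - --trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt
    name: etcd
EOF
    # bad: peer auth off, one cert outside the PKI dir, peer key flag missing
    cat > "$1/etcd-bad.yaml" <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: etcd
  namespace: kube-system
spec:
  containers:
  - command:
    - etcd
    - --client-cert-auth=true
    - --peer-client-cert-auth=false
    - --cert-file=/tmp/certs/server.crt
    - --key-file=/etc/kubernetes/pki/etcd/server.key
    - --peer-cert-file=/etc/kubernetes/pki/etcd/peer.crt
    name: etcd
EOF
}

# demo: run the check against both constructed manifests
demo() {
    dir=$(mktemp -d)
    write_sample_manifests "$dir"
    for f in etcd-good etcd-bad; do
        echo "== $f.yaml"
        check_etcd_manifest "$dir/$f.yaml" || echo "   $? item(s) failed"
    done
    rm -rf "$dir"
}

[ "${1:-}" = "--demo" ] && demo
```

Run it as `sh check-etcd.sh --demo` to see the constructed good manifest pass and the bad one report three failures; on a node, `check_etcd_manifest /etc/kubernetes/manifests/etcd.yaml` gives a quick re-check after you edit the manifest and before kubelet has finished recreating the pod.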

Notice:

Only the node target (kube-bench run --targets node) needs a manual restart after a fix. For kube-bench run --targets master and the other targets:

  • master: API server, controller manager, scheduler. Kubelet watches the manifest files and recreates the pods.

  • etcd: the etcd service. Kubelet watches the manifest file here as well.

  • policies: managed through kubectl.

On a kubeadm cluster, kube-apiserver, kube-controller-manager, kube-scheduler and etcd run as static pods managed by kubeadm/kubelet; their config files are under /etc/kubernetes/manifests/*.

Policies are controlled through kubectl (they are ordinary API objects), so for these we can simply apply the recommendations that kube-bench prints.

Component               | How it runs       | Config change effect           | Restart needed?
kube-apiserver          | Static pod        | Kubelet watches manifest       | No (auto restart)
kube-controller-manager | Static pod        | Same                           | No
kube-scheduler          | Static pod        | Same                           | No
etcd (kubeadm)          | Static pod        | Same                           | No
policies                | YAML API objects  | Apply with kubectl             | No restart
kubelet                 | systemd service   | Reads config only at startup   | Yes, manual restart

For kubelet-related findings, first locate the kubelet config file, then find the systemd environment (drop-in) file that points to it, and make the fix in the file it references.

# find the kubelet unit and the drop-in file it loads
systemctl status kubelet
# the drop-in (e.g. /etc/systemd/system/kubelet.service.d/10-kubeadm.conf)
# names the real config file in its KUBELET_CONFIG_ARGS line:
Environment="KUBELET_CONFIG_ARGS=--config=/var/lib/kubelet/config.yaml"
# change the params in that referenced file (/var/lib/kubelet/config.yaml),
# then restart kubelet manually (see the notice above)

Do not edit the params directly on the Environment= line; change them in the config file it references.
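The discovery step above, followed by a check of a few of the node-target items from the list (anonymous auth, webhook authz, client CA, file permissions), as an added example that is not part of the original notes or of kube-bench. It assumes kubeadm's 2-space YAML indentation and GNU stat(1); the drop-in and config files it writes are constructed for the demo, and the hypothetical helper names (kubelet_config_path, yaml_get, check_kubelet_config) are mine.

```shell
#!/bin/sh
# Added example (not part of the original notes): locate the kubelet config the
# way the note describes (systemd drop-in -> KUBELET_CONFIG_ARGS -> --config=...)
# and check a few node-target items: anonymous auth, webhook authz, client CA,
# file permissions. Assumptions: 2-space YAML indentation, GNU stat(1), and the
# sample files written by write_samples are constructed, not taken from a node.

# kubelet_config_path DROPIN -> prints the path given by --config= in the drop-in
kubelet_config_path() {
    sed -n 's/.*KUBELET_CONFIG_ARGS=.*--config=\([^" ]*\).*/\1/p' "$1" | head -n 1
}

# yaml_get FILE a.b.c -> prints the scalar at that dotted path (2-space indent)
yaml_get() {
    awk -v want="$2" '
        /^[ ]*(#|$)/ { next }                   # skip comments and blank lines
        {
            match($0, /^ */); depth = RLENGTH / 2
            line = substr($0, RLENGTH + 1)
            key = line; sub(/:.*/, "", key)
            val = line; sub(/^[^:]*:[ ]*/, "", val)
            stack[depth] = key                  # remember the key at this depth
            path = stack[0]
            for (i = 1; i <= depth; i++) path = path "." stack[i]
            if (path == want && val != "") { print val; exit }
        }' "$1"
}

# expect_val FILE PATH WANT -> PASS/FAIL line, bumps the shared fails counter
expect_val() {
    got=$(yaml_get "$1" "$2")
    if [ "$got" = "$3" ]; then
        echo "PASS $2=$got"
    else
        echo "FAIL $2 is '${got:-unset}', want $3"
        fails=$((fails + 1))
    fi
}

# check_kubelet_config CONFIG -> PASS/FAIL lines; returns the number of failures
check_kubelet_config() {
    cfg="$1"
    fails=0
    expect_val "$cfg" authentication.anonymous.enabled false  # no anonymous requests
    expect_val "$cfg" authentication.webhook.enabled true     # authn via the API server
    expect_val "$cfg" authorization.mode Webhook              # authz via the API server
    ca=$(yaml_get "$cfg" authentication.x509.clientCAFile)
    if [ -n "$ca" ]; then
        echo "PASS authentication.x509.clientCAFile=$ca"
    else
        echo "FAIL authentication.x509.clientCAFile unset"
        fails=$((fails + 1))
    fi
    # the file must not be group/world writable (644 or stricter); GNU stat assumed
    mode=$(stat -c '%a' "$cfg")
    if [ $(( 0$mode & 022 )) -eq 0 ]; then
        echo "PASS mode $mode"
    else
        echo "FAIL mode $mode is group/world writable"
        fails=$((fails + 1))
    fi
    return "$fails"
}

# write_samples DIR -> constructed drop-in plus a good and a bad kubelet config
write_samples() {
    dir="$1"
    cat > "$dir/10-kubeadm.conf" <<EOF
[Service]
Environment="KUBELET_KUBECONFIG_ARGS=--bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf --kubeconfig=/etc/kubernetes/kubelet.conf"
Environment="KUBELET_CONFIG_ARGS=--config=$dir/config-good.yaml"
EOF
    cat > "$dir/config-good.yaml" <<'EOF'
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
authentication:
  anonymous:
    enabled: false
  webhook:
    enabled: true
  x509:
    clientCAFile: /etc/kubernetes/pki/ca.crt
authorization:
  mode: Webhook
EOF
    # bad: anonymous on, AlwaysAllow authz, world-writable file
    cat > "$dir/config-bad.yaml" <<'EOF'
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
authentication:
  anonymous:
    enabled: true
  webhook:
    enabled: true
  x509:
    clientCAFile: /etc/kubernetes/pki/ca.crt
authorization:
  mode: AlwaysAllow
EOF
    chmod 644 "$dir/config-good.yaml"
    chmod 666 "$dir/config-bad.yaml"
}

# demo: resolve the config path from the constructed drop-in, check both configs
demo() {
    dir=$(mktemp -d)
    write_samples "$dir"
    cfg=$(kubelet_config_path "$dir/10-kubeadm.conf")
    echo "drop-in points at: $cfg"
    check_kubelet_config "$cfg" || echo "   $? item(s) failed"
    check_kubelet_config "$dir/config-bad.yaml" || echo "   $? item(s) failed"
    rm -rf "$dir"
}

[ "${1:-}" = "--demo" ] && demo
```

On a real node the same two steps are `kubelet_config_path /etc/systemd/system/kubelet.service.d/10-kubeadm.conf` and then `check_kubelet_config` on the path it prints; fixing a FAIL means editing that file and restarting kubelet, not editing the Environment= line.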

Summary

Benchmark section | Contains checks for                                      | kube-bench target
Master Node (1.x) | API server, controller-manager, PKI, scheduler, etc.     | master or controlplane
Node (4.x)        | Kubelet, kubelet config, certificates, permissions       | node
etcd (3.x)        | etcd service, certs, ports, flags                        | etcd
Policies (5.x)    | PodSecurityPolicies (old), security policies             | policies
