The Center for Internet Security (CIS) publishes the CIS Kubernetes Benchmark as a set of security recommendations for configuring Kubernetes in a secure manner. This topic describes how to use the security-inspector component to audit the CIS benchmark by using a command-line interface (CLI).

Prerequisites

Overview of CIS Benchmarks

The Center for Internet Security develops CIS benchmarks, which are sets of best practices for the secure configuration of common systems. CIS Benchmarks are developed through a consensus-based process comprised of cybersecurity professionals and experts, and are widely accepted by public service sectors, businesses, industries, and academia.

The CIS Kubernetes Benchmark is written for the open source Kubernetes distribution and intended to be as universally applicable across distributions as possible. The Benchmark versions are tied to specific Kubernetes versions. For more information, see CIS Kubernetes Benchmark.

CIS also releases CIS Kubernetes benchmarks that are specifically designed for Kubernetes distributions of different cloud service providers. For example, the CIS Alibaba Cloud Container Service for Kubernetes (ACK) Benchmark.

Use security-inspector to audit the CIS Kubernetes Benchmark

ACK allows you to use security-inspector to scan an ACK cluster based on the CIS Kubernetes Benchmark and obtain the scan report in CSV format. To do this, perform the following steps:

  1. Create a scan task.

    To audit the CIS Kubernetes Benchmark, the component selects an appropriate benchmark version based on the Kubernetes version of the cluster.

    kubectl apply -f - <<EOF
    apiVersion: securityinspector.alibabacloud.com/v1alpha1
    kind: BenchmarkTask
    metadata:
      name: cis-kubernetes-benchmark
    spec:
      benchmarkVersion: 'cis-kubernetes-auto'
    ---
    apiVersion: securityinspector.alibabacloud.com/v1alpha1
    kind: BenchmarkJob
    metadata:
      name: cis-kubernetes-benchmark
    spec:
      taskName: cis-kubernetes-benchmark
    EOF
    You can set the benchmarkVersion parameter to one of the following values. Select the appropriate value based on your requirements. We recommend that you select cis-kubernetes-auto.
    benchmarkVersion Description Applicable cluster
    cis-kubernetes-auto The component scans the cluster based on an appropriate CIS Kubernetes Benchmark that is automatically selected based on the Kubernetes version of the cluster. Clusters of Kubernetes 1.15 and later
    cis-kubernetes-ack-1.0 The component scans the cluster based on CIS Alibaba Cloud Container Service for Kubernetes (ACK) Benchmark v1.0.0. Dedicated and managed ACK clusters of Kubernetes 1.18 and later
    cis-kubernetes-1.20 The component scans the cluster based on CIS Kubernetes V1.20 Benchmark v1.0.0. Clusters of Kubernetes 1.20 and later
    cis-kubernetes-1.6 The component scans the cluster based on CIS Kubernetes Benchmark v1.6.0. Clusters of Kubernetes 1.16 to 1.19
    cis-kubernetes-1.5 The component scans the cluster based on CIS Kubernetes Benchmark v1.5.1. Clusters of Kubernetes 1.15
  2. Wait for 5 minutes. Then, run the following command to check whether the scan task is completed.
    kubectl get benchmarkjobs.securityinspector.alibabacloud.com cis-kubernetes-benchmark -o 'jsonpath={.status.phase}'; echo
    If the output shows Succeeded, it indicates that the scan task is completed.
  3. After the scan task is completed, run the following commands to obtain the scan report in CSV format:
    for name in $(kubectl get benchmarkcsvresults.securityinspector.alibabacloud.com -l securityinspector.task.name=cis-kubernetes-benchmark -o name)
    do
      filename="cis-$(echo $name | awk -F '/' '{print $2}')"; \
      kubectl get $name -o jsonpath='{.result.data}' > "$filename".csv; \
      echo "saved $filename.csv"
    done
    When you read the scan report, you can determine whether remediation measures are required based on your business scenarios. For more information about the scan report, see below.

Report interpretation

The following table describes the columns in the scan report.
Column Description Whether measures are required
Date The time of the scan. No
Result Schema The CIS benchmark based on which the scan is performed. Valid values:
  • cis-kubernetes-ack-1.0: CIS Alibaba Cloud Container Service for Kubernetes (ACK) Benchmark v1.0.0
  • cis-kubernetes-1.20: CIS Kubernetes V1.20 Benchmark v1.0.0
  • cis-kubernetes-1.6: CIS Kubernetes Benchmark v1.6.0
  • cis-kubernetes-1.5: CIS Kubernetes Benchmark v1.5.1

For more information about the benchmarks, see CIS Kubernetes Benchmarks.

No
Node Name The cluster node for which the report is generated. No
Total Fail The number of scored items that do not comply with benchmark recommendations. For more information, see the description of Result.
Total Warn The number of items that are not scored but require your attention. For more information, see the description of Result.
Total Pass The number of items that comply with benchmark recommendations. No
Section Id The section ID defined in the CIS benchmark. No
Section Description The section description defined in the CIS benchmark. No
Test Id The test ID defined in the CIS benchmark. No
Test Description The test description defined in the CIS benchmark. No
Scored Whether the item is scored. Valid values:
  • Scored: Failure to comply with the recommendations decreases the final benchmark score.
  • Not scored: Failure to comply with the recommendations does not decrease the final benchmark score.
No
Test Remediation The recommended remediation measure if the item does not comply with the benchmark recommendation.

For more information, see CIS Kubernetes Benchmarks.

For more information, see the description of Result.
Result The check result. Valid values:
  • fail: The scored item does not comply with the benchmark recommendation.
  • warn: The item is not scored but requires your attention.
  • pass: The item complies with the benchmark recommendation.
You can take the following measures based on the check result:
  • fail: We recommend that you take the remediation measures displayed in the Test Remediation column. You can also determine whether to adjust or fix the configurations based on actual business scenarios.
  • warn: You need to pay attention to the item and adjust the configuration based on actual business scenarios.
  • pass: No measure is required.