The Center for Internet Security (CIS) publishes the CIS Kubernetes Benchmark as a set of security recommendations for configuring Kubernetes in a secure manner. This topic describes how to use the security-inspector component to audit the CIS benchmark by using a command-line interface (CLI).
Prerequisites
- A Container Service for Kubernetes (ACK) cluster is created. For more information, see Create an ACK managed cluster.
- The security-inspector component is installed in the cluster. For more information, see Manage components.
Overview of CIS Benchmarks
The Center for Internet Security develops CIS Benchmarks, which are sets of best practices for the secure configuration of common systems. CIS Benchmarks are developed through a consensus-based process involving cybersecurity professionals and experts, and are widely accepted by public service sectors, businesses, industries, and academia.
The CIS Kubernetes Benchmark is written for the open source Kubernetes distribution and intended to be as universally applicable across distributions as possible. The Benchmark versions are tied to specific Kubernetes versions. For more information, see CIS Kubernetes Benchmark.
CIS also releases CIS Kubernetes Benchmarks that are specifically designed for the Kubernetes distributions of different cloud service providers, for example the CIS Alibaba Cloud Container Service for Kubernetes (ACK) Benchmark.
Use security-inspector to audit the CIS Kubernetes Benchmark
ACK allows you to use security-inspector to scan an ACK cluster based on the CIS Kubernetes Benchmark and obtain the scan report in CSV format. To do this, perform the following steps:
- Create a scan task.
To audit the CIS Kubernetes Benchmark, the component selects an appropriate benchmark version based on the Kubernetes version of the cluster.
```shell
kubectl apply -f - <<EOF
apiVersion: securityinspector.alibabacloud.com/v1alpha1
kind: BenchmarkTask
metadata:
  name: cis-kubernetes-benchmark
spec:
  benchmarkVersion: 'cis-kubernetes-auto'
---
apiVersion: securityinspector.alibabacloud.com/v1alpha1
kind: BenchmarkJob
metadata:
  name: cis-kubernetes-benchmark
spec:
  taskName: cis-kubernetes-benchmark
EOF
```
You can set the benchmarkVersion parameter to one of the following values. Select the appropriate value based on your requirements. We recommend that you select cis-kubernetes-auto.

| benchmarkVersion | Description | Applicable cluster |
|---|---|---|
| cis-kubernetes-auto | The component scans the cluster based on an appropriate CIS Kubernetes Benchmark that is automatically selected based on the Kubernetes version of the cluster. | Clusters of Kubernetes 1.15 and later |
| cis-kubernetes-ack-1.0 | The component scans the cluster based on CIS Alibaba Cloud Container Service for Kubernetes (ACK) Benchmark v1.0.0. | Dedicated and managed ACK clusters of Kubernetes 1.18 and later |
| cis-kubernetes-1.20 | The component scans the cluster based on CIS Kubernetes V1.20 Benchmark v1.0.0. | Clusters of Kubernetes 1.20 and later |
| cis-kubernetes-1.6 | The component scans the cluster based on CIS Kubernetes Benchmark v1.6.0. | Clusters of Kubernetes 1.16 to 1.19 |
| cis-kubernetes-1.5 | The component scans the cluster based on CIS Kubernetes Benchmark v1.5.1. | Clusters of Kubernetes 1.15 |

- Wait for 5 minutes. Then, run the following command to check whether the scan task is completed.

```shell
kubectl get benchmarkjobs.securityinspector.alibabacloud.com cis-kubernetes-benchmark -o 'jsonpath={.status.phase}'; echo
```

If the output shows Succeeded, the scan task is completed.

- After the scan task is completed, run the following commands to obtain the scan report in CSV format:

```shell
# One BenchmarkCSVResult object is produced per node; save each one as cis-<name>.csv.
for name in $(kubectl get benchmarkcsvresults.securityinspector.alibabacloud.com \
    -l securityinspector.task.name=cis-kubernetes-benchmark -o name); do
  filename="cis-$(echo "$name" | awk -F '/' '{print $2}')"
  kubectl get "$name" -o jsonpath='{.result.data}' > "$filename.csv"
  echo "saved $filename.csv"
done
```
When you read the scan report, you can determine whether remediation measures are required based on your business scenarios. For more information about the scan report, see Report interpretation.
Report interpretation
| Column | Description | Whether measures are required |
|---|---|---|
| Date | The time of the scan. | No |
| Result Schema | The CIS benchmark based on which the scan is performed. Valid values: For more information about the benchmarks, see CIS Kubernetes Benchmarks. | No |
| Node Name | The cluster node for which the report is generated. | No |
| Total Fail | The number of scored items that do not comply with benchmark recommendations. | For more information, see the description of Result. |
| Total Warn | The number of items that are not scored but require your attention. | For more information, see the description of Result. |
| Total Pass | The number of items that comply with benchmark recommendations. | No |
| Section Id | The section ID defined in the CIS benchmark. | No |
| Section Description | The section description defined in the CIS benchmark. | No |
| Test Id | The test ID defined in the CIS benchmark. | No |
| Test Description | The test description defined in the CIS benchmark. | No |
| Scored | Whether the item is scored. Valid values: | No |
| Test Remediation | The recommended remediation measure if the item does not comply with the benchmark recommendation. For more information, see CIS Kubernetes Benchmarks. | For more information, see the description of Result. |
| Result | The check result. Valid values: | You can take the following measures based on the check result: |
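The following script is an added example, not code from this page or from the security-inspector component. It triages the cis-*.csv files saved by the loop in the procedure above, using the column names from the report interpretation table; that each CSV row holds one test item with the node totals repeated, that Result is PASS/FAIL/WARN, and that Scored is true/false are assumptions, and the sample report is constructed.

```python
import csv
import io
import sys
from collections import Counter

# Constructed sample of one node's cis-*.csv report, not real scan output.
# Column names follow the report interpretation table; the one-item-per-row
# layout and the PASS/FAIL/WARN and true/false values are assumptions.
SAMPLE_REPORT = """\
Date,Result Schema,Node Name,Total Fail,Total Warn,Total Pass,Section Id,Section Description,Test Id,Test Description,Scored,Test Remediation,Result
2024-01-01T00:00:00Z,cis-kubernetes-1.20,node-a,1,1,1,4.2,Kubelet,4.2.9,Ensure that the --event-qps argument is set to an appropriate level,false,Set eventRecordQPS in the kubelet config file,WARN
2024-01-01T00:00:00Z,cis-kubernetes-1.20,node-a,1,1,1,4.2,Kubelet,4.2.1,Ensure that the --anonymous-auth argument is set to false,true,Set authentication.anonymous.enabled to false in the kubelet config file,FAIL
2024-01-01T00:00:00Z,cis-kubernetes-1.20,node-a,1,1,1,4.1,Worker Node Configuration Files,4.1.1,Ensure that the kubelet service file permissions are set to 644 or more restrictive,true,Run chmod 644 on the kubelet service file,PASS
"""


def triage_report(csv_text):
    """Return (counts, findings): a Counter of Result values and the scored FAIL
    items (the ones that count against the benchmark score) with remediation."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    counts = Counter(r["Result"].strip().upper() for r in rows)
    findings = [
        {"node": r["Node Name"], "test_id": r["Test Id"],
         "description": r["Test Description"], "remediation": r["Test Remediation"]}
        for r in rows
        if r["Result"].strip().upper() == "FAIL" and r["Scored"].strip().lower() == "true"
    ]
    # Sort numerically per component so 4.2.10 lands after 4.2.9, not after 4.2.1.
    findings.sort(key=lambda f: tuple(int(p) for p in f["test_id"].split(".")))
    return counts, findings


def totals_match(csv_text):
    """Cross-check Total Fail/Warn/Pass against the per-item Result column."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    if not rows:
        return False
    counts = Counter(r["Result"].strip().upper() for r in rows)
    expected = tuple(int(rows[0][c]) for c in ("Total Fail", "Total Warn", "Total Pass"))
    return expected == (counts["FAIL"], counts["WARN"], counts["PASS"])


if __name__ == "__main__":
    # Pass the cis-*.csv files saved by the loop on this page, or run on the sample.
    for text in [open(p, encoding="utf-8").read() for p in sys.argv[1:]] or [SAMPLE_REPORT]:
        counts, findings = triage_report(text)
        print(dict(counts), "totals consistent:", totals_match(text))
        for f in findings:
            print(f"{f['node']} {f['test_id']} FAIL: {f['description']} -> {f['remediation']}")
```

A totals mismatch means the CSV was truncated or edited after extraction, so re-run the kubectl loop before acting on the findings.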