
Container Service for Kubernetes:Use security inspection in a registered cluster

Last Updated:Sep 27, 2023

The Center for Internet Security (CIS) publishes the CIS Kubernetes Benchmark as a set of security recommendations for configuring Kubernetes in a secure manner. This topic describes how to use the security-inspector component to audit the CIS benchmark by using a command-line interface (CLI).

Prerequisites

A registered cluster is created and an external Kubernetes cluster is connected to the registered cluster. For more information, see Create a registered cluster in the ACK console and Use onectl to create a registered cluster.

Overview of CIS Benchmarks

The Center for Internet Security develops CIS Benchmarks, which are sets of best practices for the secure configuration of common systems. CIS Benchmarks are developed through a consensus-based process made up of cybersecurity professionals and experts, and are widely accepted by public service sectors, businesses, industries, and academia.

The CIS Kubernetes Benchmark is written for the open source Kubernetes distribution and intended to be as universally applicable across distributions as possible. The Benchmark versions are tied to specific Kubernetes versions. For more information, see CIS Kubernetes Benchmark.

CIS also releases CIS Kubernetes Benchmarks that are specifically designed for the Kubernetes distributions of individual cloud service providers, for example, the CIS Alibaba Cloud Container Service for Kubernetes (ACK) Benchmark.

Install the security-inspector component

Use onectl

  1. Install onectl on your on-premises machine. For more information, see Use onectl to manage registered clusters.

  2. Run the following command to install the security-inspector component:

    onectl addon install security-inspector

    Expected output

    Addon security-inspector, version **** installed.

Use the console

  1. Log on to the ACK console. In the left-side navigation pane, click Clusters.

  2. On the Clusters page, click the name of the cluster that you want to manage and choose Operations > Add-ons in the left-side navigation pane.

  3. On the Add-ons page, click the Security tab, find the security-inspector component, and click Install in the lower-right corner.

  4. In the message that appears, click OK.

Use security-inspector to audit the CIS Kubernetes Benchmark

ACK allows you to use security-inspector to scan an ACK cluster based on the CIS Kubernetes Benchmark and obtain the scan report in CSV format. To do this, perform the following steps:

  1. Create a scan task.

    To audit the CIS Kubernetes Benchmark, the component selects an appropriate benchmark version based on the Kubernetes version of the cluster.

    kubectl apply -f - <<EOF
    apiVersion: securityinspector.alibabacloud.com/v1alpha1
    kind: BenchmarkTask
    metadata:
      name: cis-kubernetes-benchmark
    spec:
      benchmarkVersion: 'cis-kubernetes-auto'
    ---
    apiVersion: securityinspector.alibabacloud.com/v1alpha1
    kind: BenchmarkJob
    metadata:
      name: cis-kubernetes-benchmark
    spec:
      taskName: cis-kubernetes-benchmark
    EOF
    You can set the benchmarkVersion parameter to one of the following values. Select the value that matches your cluster. We recommend that you select cis-kubernetes-auto.

    benchmarkVersion: cis-kubernetes-auto
      Description: The component scans the cluster based on an appropriate CIS Kubernetes Benchmark that is automatically selected based on the Kubernetes version of the cluster.
      Applicable cluster: Clusters of Kubernetes 1.15 and later

    benchmarkVersion: cis-kubernetes-ack-1.0
      Description: The component scans the cluster based on CIS Alibaba Cloud Container Service for Kubernetes (ACK) Benchmark v1.0.0.
      Applicable cluster: Dedicated and managed ACK clusters of Kubernetes 1.18 and later

    benchmarkVersion: cis-kubernetes-1.20
      Description: The component scans the cluster based on CIS Kubernetes V1.20 Benchmark v1.0.0.
      Applicable cluster: Clusters of Kubernetes 1.20 and later

    benchmarkVersion: cis-kubernetes-1.6
      Description: The component scans the cluster based on CIS Kubernetes Benchmark v1.6.0.
      Applicable cluster: Clusters of Kubernetes 1.16 to 1.19

    benchmarkVersion: cis-kubernetes-1.5
      Description: The component scans the cluster based on CIS Kubernetes Benchmark v1.5.1.
      Applicable cluster: Clusters of Kubernetes 1.15
  2. Wait for 5 minutes. Then, run the following command to check whether the scan task is completed:

    kubectl get benchmarkjobs.securityinspector.alibabacloud.com cis-kubernetes-benchmark -o 'jsonpath={.status.phase}'; echo

    If the output shows Succeeded, the scan task is completed.

  3. After the scan task is completed, run the following commands to obtain the scan report in CSV format. One BenchmarkCSVResult object is created per node, so one CSV file is written per node:

    for name in $(kubectl get benchmarkcsvresults.securityinspector.alibabacloud.com -l securityinspector.task.name=cis-kubernetes-benchmark -o name)
    do
      # $name has the form <resource>/<object name>; keep only the object name
      filename="cis-$(echo "$name" | awk -F '/' '{print $2}')"
      kubectl get "$name" -o jsonpath='{.result.data}' > "$filename.csv"
      echo "saved $filename.csv"
    done

    When you read the scan report, you can determine whether remediation measures are required based on your business scenarios. For more information about the scan report, see Report interpretation.

Report interpretation

The following table describes the columns in the scan report.
Column: Date
  Description: The time of the scan.
  Whether measures are required: No

Column: Result Schema
  Description: The CIS benchmark based on which the scan is performed. Valid values:
    • cis-kubernetes-ack-1.0: CIS Alibaba Cloud Container Service for Kubernetes (ACK) Benchmark v1.0.0
    • cis-kubernetes-1.20: CIS Kubernetes V1.20 Benchmark v1.0.0
    • cis-kubernetes-1.6: CIS Kubernetes Benchmark v1.6.0
    • cis-kubernetes-1.5: CIS Kubernetes Benchmark v1.5.1
  For more information about the benchmarks, see CIS Kubernetes Benchmarks.
  Whether measures are required: No

Column: Node Name
  Description: The cluster node for which the report is generated.
  Whether measures are required: No

Column: Total Fail
  Description: The number of scored items that do not comply with benchmark recommendations.
  Whether measures are required: See the description of Result.

Column: Total Warn
  Description: The number of items that are not scored but require your attention.
  Whether measures are required: See the description of Result.

Column: Total Pass
  Description: The number of items that comply with benchmark recommendations.
  Whether measures are required: No

Column: Section Id
  Description: The section ID defined in the CIS benchmark.
  Whether measures are required: No

Column: Section Description
  Description: The section description defined in the CIS benchmark.
  Whether measures are required: No

Column: Test Id
  Description: The test ID defined in the CIS benchmark.
  Whether measures are required: No

Column: Test Description
  Description: The test description defined in the CIS benchmark.
  Whether measures are required: No

Column: Scored
  Description: Whether the item is scored. Valid values:
    • Scored: Failure to comply with the recommendation decreases the final benchmark score.
    • Not scored: Failure to comply with the recommendation does not decrease the final benchmark score.
  Whether measures are required: No

Column: Test Remediation
  Description: The recommended remediation measure if the item does not comply with the benchmark recommendation. For more information, see CIS Kubernetes Benchmarks.
  Whether measures are required: See the description of Result.

Column: Result
  Description: The check result. Valid values:
    • fail: The scored item does not comply with the benchmark recommendation.
    • warn: The item is not scored but requires your attention.
    • pass: The item complies with the benchmark recommendation.
  Whether measures are required: You can take the following measures based on the check result:
    • fail: We recommend that you take the remediation measures displayed in the Test Remediation column. You can also decide whether to adjust or fix the configurations based on your actual business scenarios.
    • warn: Pay attention to the item and adjust the configuration based on your actual business scenarios.
    • pass: No measure is required.
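To make the exported per-node reports easier to act on, the following added Python example (not part of the security-inspector component or of this page) parses a report with the columns described above, recounts fail/warn/pass rows per node against the Total Fail, Total Warn, and Total Pass columns, and lists the fail and warn items with their remediation. The CSV header names and the sample rows are constructed here and are assumed to match the exported report layout.

```python
import csv
import io
from collections import Counter

# Constructed sample report (not real scan output). Header names are assumed
# to match the column names described for the exported CSV.
SAMPLE_CSV = """\
Date,Result Schema,Node Name,Total Fail,Total Warn,Total Pass,Section Id,Section Description,Test Id,Test Description,Scored,Test Remediation,Result
2023-09-27,cis-kubernetes-1.20,node-a,1,1,1,4.2,Kubelet,4.2.1,Ensure that the --anonymous-auth argument is set to false,Scored,Set --anonymous-auth=false on the kubelet,fail
2023-09-27,cis-kubernetes-1.20,node-a,1,1,1,4.2,Kubelet,4.2.6,Ensure that the --protect-kernel-defaults argument is set to true,Not scored,Set --protect-kernel-defaults=true on the kubelet,warn
2023-09-27,cis-kubernetes-1.20,node-a,1,1,1,4.1,Worker Node Configuration Files,4.1.1,Ensure that the kubelet service file permissions are set to 644 or more restrictive,Scored,chmod 644 the kubelet service file,pass
"""


def parse_report(text):
    """Parse one exported CSV report into a list of row dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def count_results(rows):
    """Count fail/warn/pass rows per node, independent of the Total * columns."""
    per_node = {}
    for row in rows:
        per_node.setdefault(row["Node Name"], Counter())[row["Result"]] += 1
    return per_node


def total_mismatches(rows):
    """Return nodes whose declared Total Fail/Warn/Pass disagree with the counted rows."""
    counted = count_results(rows)
    bad = []
    for row in rows:
        node = row["Node Name"]
        declared = (int(row["Total Fail"]), int(row["Total Warn"]), int(row["Total Pass"]))
        actual = (counted[node]["fail"], counted[node]["warn"], counted[node]["pass"])
        if declared != actual and node not in bad:
            bad.append(node)
    return bad


def action_items(rows):
    """List fail and warn items with remediation; fail first, since scored failures lower the score."""
    rank = {"fail": 0, "warn": 1}
    todo = [r for r in rows if r["Result"] in rank]
    todo.sort(key=lambda r: (rank[r["Result"]], r["Test Id"]))
    return [(r["Result"], r["Test Id"], r["Scored"], r["Test Remediation"]) for r in todo]


if __name__ == "__main__":
    rows = parse_report(SAMPLE_CSV)
    for node, counts in count_results(rows).items():
        print(node, dict(counts))
    for item in action_items(rows):
        print(*item)
```

To run it against a real export, replace SAMPLE_CSV with the contents of one of the cis-*.csv files written in step 3.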