The Center for Internet Security (CIS) publishes the CIS Kubernetes Benchmark as a set of security recommendations for configuring Kubernetes in a secure manner. This topic describes how to use the security-inspector component to audit the CIS benchmark by using a command-line interface (CLI).
Prerequisites
- A Container Service for Kubernetes (ACK) cluster is created. For more information, see Create a managed Kubernetes cluster.
- The security-inspector component is installed in the cluster. For more information, see Manage system components.
Overview of CIS Benchmarks
The Center for Internet Security develops CIS Benchmarks, which are sets of best practices for the secure configuration of common systems. CIS Benchmarks are developed through a consensus-based process involving cybersecurity professionals and experts, and are widely accepted by the public sector, businesses, industries, and academia.
The CIS Kubernetes Benchmark is written for the open source Kubernetes distribution and intended to be as universally applicable across distributions as possible. The Benchmark versions are tied to specific Kubernetes versions. For more information, see CIS Kubernetes Benchmark.
CIS also releases CIS Kubernetes Benchmarks that are specifically designed for the Kubernetes distributions of different cloud service providers. One example is the CIS Alibaba Cloud Container Service for Kubernetes (ACK) Benchmark.
Use security-inspector to audit the CIS Kubernetes Benchmark
ACK allows you to use security-inspector to scan an ACK cluster based on the CIS Kubernetes Benchmark and obtain the scan report in CSV format. To do this, perform the following steps:
Report interpretation
Column | Description | Whether measures are required |
---|---|---|
Date | The time of the scan. | No |
Result Schema | The CIS benchmark against which the scan is performed. Valid values: For more information about the benchmarks, see CIS Kubernetes Benchmarks. | No |
Node Name | The cluster node for which the report is generated. | No |
Total Fail | The number of scored items that do not comply with benchmark recommendations. | For more information, see the description of Result. |
Total Warn | The number of items that are not scored but require your attention. | For more information, see the description of Result. |
Total Pass | The number of items that comply with benchmark recommendations. | No |
Section Id | The section ID defined in the CIS benchmark. | No |
Section Description | The section description defined in the CIS benchmark. | No |
Test Id | The test ID defined in the CIS benchmark. | No |
Test Description | The test description defined in the CIS benchmark. | No |
Scored | Whether the item is scored. Valid values: | No |
Test Remediation | The recommended remediation measure if the item does not comply with the benchmark recommendation. For more information, see CIS Kubernetes Benchmarks. | For more information, see the description of Result. |
Result | The check result. Valid values: | You can take the following measures based on the check result: |
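The CSV report is usually reviewed by hand, but the columns above are regular enough to process programmatically. The following script is an added example written for this page; it is not part of the security-inspector component or the ACK documentation. It assumes the CSV header uses exactly the column names from the table above, and it assumes the literal values `PASS`, `FAIL` and `WARN` for Result and `true`/`false` for Scored, which are not stated on this page. The embedded report is constructed sample data. The script cross-checks the per-node Total Fail / Total Warn / Total Pass columns against the per-item rows (a cheap way to notice a truncated export) and produces a remediation worklist of scored FAIL items, which the table identifies as the rows that require measures.

```python
"""Summarise a security-inspector CIS scan report exported as CSV.

Added example; not the project's own tooling. Column names follow the
report-interpretation table. The Result/Scored literals are assumptions.
"""
import csv
import io
from collections import Counter, defaultdict

# Constructed sample report (not real scan output).
SAMPLE_REPORT = """\
Date,Result Schema,Node Name,Total Fail,Total Warn,Total Pass,Section Id,Section Description,Test Id,Test Description,Scored,Test Remediation,Result
2024-05-01T10:00:00Z,cis-sample (constructed),node-a,1,1,1,1.1,Sample section,1.1.1,Sample scored check that passes,true,No action,PASS
2024-05-01T10:00:00Z,cis-sample (constructed),node-a,1,1,1,1.1,Sample section,1.1.2,Sample scored check that fails,true,Apply the recommended setting,FAIL
2024-05-01T10:00:00Z,cis-sample (constructed),node-a,1,1,1,1.2,Sample section,1.2.1,Sample unscored check,false,Review manually,WARN
2024-05-01T10:00:00Z,cis-sample (constructed),node-b,0,0,3,1.1,Sample section,1.1.1,Sample scored check that passes,true,No action,PASS
2024-05-01T10:00:00Z,cis-sample (constructed),node-b,0,0,3,1.1,Sample section,1.1.2,Sample scored check that fails,true,Apply the recommended setting,PASS
2024-05-01T10:00:00Z,cis-sample (constructed),node-b,0,0,3,1.2,Sample section,1.2.1,Sample unscored check,false,Review manually,PASS
"""

REQUIRED_COLUMNS = {
    "Node Name", "Total Fail", "Total Warn", "Total Pass",
    "Test Id", "Scored", "Test Remediation", "Result",
}


def parse_report(text):
    """Parse the CSV text into row dicts, refusing reports that lack a required column."""
    reader = csv.DictReader(io.StringIO(text))
    missing = REQUIRED_COLUMNS - set(reader.fieldnames or [])
    if missing:
        raise ValueError(f"report is missing columns: {sorted(missing)}")
    return list(reader)


def count_results(rows):
    """Per node, count the Result values that actually appear in the item rows."""
    counts = defaultdict(Counter)
    for row in rows:
        counts[row["Node Name"]][row["Result"].strip().upper()] += 1
    return {node: dict(c) for node, c in counts.items()}


def check_totals(rows):
    """Compare each node's Total Fail/Warn/Pass columns with the counted rows.

    Returns a list of (node, column, reported, counted) mismatches; an empty
    list means the summary columns agree with the item rows.
    """
    counts = count_results(rows)
    totals = {}
    for row in rows:
        totals.setdefault(
            row["Node Name"],
            (int(row["Total Fail"]), int(row["Total Warn"]), int(row["Total Pass"])),
        )
    mismatches = []
    for node, (fail, warn, passed) in totals.items():
        c = counts[node]
        for column, reported, counted in (
            ("Total Fail", fail, c.get("FAIL", 0)),
            ("Total Warn", warn, c.get("WARN", 0)),
            ("Total Pass", passed, c.get("PASS", 0)),
        ):
            if reported != counted:
                mismatches.append((node, column, reported, counted))
    return mismatches


def remediation_worklist(rows):
    """Scored FAIL items need measures; return (node, test id, remediation) for each."""
    return [
        (row["Node Name"], row["Test Id"], row["Test Remediation"])
        for row in rows
        if row["Result"].strip().upper() == "FAIL"
        and row["Scored"].strip().lower() == "true"
    ]


def attention_items(rows):
    """Unscored WARN items do not fail the benchmark but should be reviewed."""
    return [
        (row["Node Name"], row["Test Id"], row["Test Description"])
        for row in rows
        if row["Result"].strip().upper() == "WARN"
    ]


if __name__ == "__main__":
    rows = parse_report(SAMPLE_REPORT)
    for problem in check_totals(rows):
        print("summary mismatch:", problem)
    for node, test_id, fix in remediation_worklist(rows):
        print(f"{node} {test_id} FAIL -> {fix}")
    for node, test_id, desc in attention_items(rows):
        print(f"{node} {test_id} WARN -> review: {desc}")
```

Run it against a real export by replacing `SAMPLE_REPORT` with the file contents; if `check_totals` reports mismatches, treat the export as suspect before acting on the worklist, since the per-node totals are repeated on every row and should never disagree with the rows themselves.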