kube-bench is a tool that checks whether Kubernetes is deployed securely by running the checks documented in the CIS Kubernetes Benchmark.
Tests are configured with YAML files, making this tool easy to update as test specifications evolve.
Quick start
There are multiple ways to run kube-bench.You can run kube-bench inside a pod, but it will need access to the host's PID namespace in order to check the running processes, as well as access to some directories on the host where config files and other files are stored.
The supplied job.yaml file can be applied to run the tests as a job. For example:
$ kubectl apply -f job.yaml
job.batch/kube-bench created
$ kubectl get pods
NAME READY STATUS RESTARTS AGE
kube-bench-j76s9 0/1 ContainerCreating 0 3s
# Wait for a few seconds for the job to complete
$ kubectl get pods
NAME READY STATUS RESTARTS AGE
kube-bench-j76s9 0/1 Completed 0 11s
# The results are held in the pod's logs
kubectl logs kube-bench-j76s9
[INFO] 1 Master Node Security Configuration
[INFO] 1.1 API Server
...
For more information and different ways to run kube-bench see documentation
Please Note
kube-bench implements the CIS Kubernetes Benchmark as closely as possible. Please raise issues here if kube-bench is not correctly implementing the test as described in the Benchmark. To report issues in the Benchmark itself (for example, tests that you believe are inappropriate), please join the CIS community.
There is not a one-to-one mapping between releases of Kubernetes and releases of the CIS benchmark. See CIS Kubernetes Benchmark support to see which releases of Kubernetes are covered by different releases of the benchmark.
By default, kube-bench will determine the test set to run based on the Kubernetes version running on the machine.
- see the following documentation on Running kube-bench for more details.
Contributing
Kindly read Contributing before contributing.We welcome PRs and issue reports.
Roadmap
Going forward we plan to release updates to kube-bench to add support for new releases of the CIS Benchmark. Note that these are not released as frequently as Kubernetes releases.
-
CIS基准 Internet 安全中心是一个非盈利性实体,其任务是“确定、开发、验证、升级和维持针对网 络防御的最佳做法解决方案”。 它借鉴了来自世界各地政府、企业和学术界网络安全及 IT 专业人员的专业知识。 为了制定标准和最佳做法(包括 CIS 基准、控制措施和强化映像), 他们遵循一致的决策制定模型。 官网 https://www.cisecurity.org/benchmark/kuber
-
kube-proxy还是由我们统一颁发一个证书。 1. 创建配置文件 cat > /opt/kubernetes/cfg/kube-proxy.conf << EOF KUBE_PROXY_OPTS="--logtostderr=false \\ --v=2 \\ --log-dir=/opt/kubernetes/logs \\ --config=/opt/kubernetes/cfg/kube
-
说明 这篇文章是 Kubernetes权威指南:从Docker到Kubernetes实践全接触(第2版) 一书的学习笔记。 Kubernetes权威指南:从Docker到Kubernetes实践全接触(第2版),这本书已经出到第四版了。 背景 通宵看完。总共两本书。 1.专门kubernate 2.浙江大学,兼讲容器和容器云kubernate 因为kubernate太火了,连极客时间都在谈论。 是
-
配置文件 Scheduler就是负责安排Pod到具体的Node [root@k8s-master30-172-23-210-30 ~]# cat /usr/lib/systemd/system/kube-scheduler.service [Unit] Description=Kubernetes Scheduler Plugin Documentation=https://github.com
-
概述 readinessProbe主要探测服务是否就绪,如果你的应用的readinessProbe运行失败,那么就会从组成service的端点中删除,这样就不会有流量通过Kubernetes服务发现机制来发送给它 livenessProbe探测服务是否可,不可用时重启pod 参数 initialDelaySeconds:容器启动后,第一次执行探测需要等待多少秒 periodSeconds:执行探测
-
https://docs.kubeoperator.io/KubeOperator-v2.5/introduction/
-
将应用docker化,配合ETCD、kubernetes等工具在容器的层面上实现高可用和负载均衡 容器化部署 容器化部署应用具有灵活、高效的使用资源,容器可以包含其所需的全部文件,如同在虚拟机上部署应用程序一样,可以拥有自己的配置文件和依赖库,还可以拥有自己的网络接口。 因此,与在虚拟机上运行应用程序一样,容器化应用比直接安装的应用程序更容易迁移,而且因为应用程序所运行的每个容器均拥有独立
-
[root@k8s-node31-172-23-210-31 ~]# cat /usr/lib/systemd/system/kubelet.service [Unit] Description=Kubernetes Kubelet Server Documentation=https://github.com/GoogleCloudPlatform/kubernetes After=docke
-
flannel作为k8s的集群中常用的网络组件,其yml文件的获取,建议去github中获取。具体的获取方式如下: --- apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: name: psp.flannel.unprivileged annotations: seccomp.security.alpha.ku
-
Kubernetes https://kubernetes.io/zh/docs/setup/learning-environment/minikube/ 使用 Minikube 安装 Kubernetes https://kubernetes.io/docs/tasks/tools/install-minikube/ 步骤 安装virtualBox brew search virtualBo
-
kube版本号问题 事件起因:我在使用docker安装k8s时,打算使用yum安装kubelet,但是因为版本号的缘故初始化不成功 解决方法: 首先,使用 yum search --showduplicates kubectl 发现最新的版本号,这里选取到1.13.1版本,将版本号复制下来 使用downgrade进行降级 yum downgrade kubelet-1.13.1-0.x86_64
-
视频: https://www.bilibili.com/video/BV19K411T7Ty?p=17 基本概念: https://www.jianshu.com/p/6c3f48110240 ----学习: https://blog.csdn.net/clmaykr95629/article/details/100413807 https://blog.csdn.ne
-
Kube 足够的简单,足够小,具有很强的自适应能力,是个响应式的 CSS 框架。它拥有最新最炫的网格和漂亮的字体排版,没有任何样式绑定,给用户以绝对的自由。 支持的浏览器包括: Latest Chrome Latest Firefox Latest Safari Latest Opera IE 8+ 手机浏览器
-
Kube-OVN 将基于 OVN/OVS 的网络虚拟化方案带入 Kubernetes,提供了针对企业应用场景的高级容器网络编排功能。 主要功能: 基于Namespace的子网划分,以及网络控制 容器固定 IP IPv6支持 细粒度网络策略 动态 QoS 分布式和集中式网关 内嵌负载均衡器 支持集群内外网络直通 控制平面的灾备及高可用 丰富的监控和链路追踪工具 未来计划: 基于 XDP/DPDK/O
-
kube-eventer 是一个事件发射器,它将 Kubernetes 事件发送到接收器(例如,DingTalk、SLS、Kafka 等)。 监控是保障系统稳定性的重要组成部分,在 Kubernetes 开源生态中,资源类的监控工具与组件百花齐放,但是,只有资源类的监控是远远不够的,因为资源监控存在如下两个主要的缺欠: 监控的实时性与准确性不足 监控的场景覆盖范围不足 Kubernetes 的核心
-
kube-backup Quick 'n dirty kubernetes state backup script, designed to be ran as kubernetes Job. Think of it like RANCID for kubernetes. Props to @gianrubio for coming up with the idea. Setup Use the
-
kube-ps1: Kubernetes prompt for bash and zsh A script that lets you add the current Kubernetes context and namespaceconfigured on kubectl to your Bash/Zsh prompt strings (i.e. the $PS1). Inspired by s
-
�� Provision a Kubernetes / CoreOS Cluster on Linode Automatically provision a scalable CoreOS/Kubernetes cluster on Linode with zero configuration. The cluster will comprise of a single Kubernetes ma