kubernetes-security-benchmark

command module
v0.0.0-...-70745a7 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jan 31, 2020 License: Apache-2.0 Imports: 1 Imported by: 0

README

Kubernetes Security Benchmark

This project aims to provide a simple way to evaluate the security of your Kubernetes deployment against sets of best practices defined by various community sources.

$ kubernetes-security-benchmark --help
Run security benchmarks against your Kubernetes clusters.

Usage:
  kubernetes-security-benchmark [command]

Available Commands:
  cis         Run Kubernetes CIS Benchmark tests
  help        Help about any command
  version     Print the version number of Kubernetes Security Benchmark

Flags:
  -h, --help   help for kubernetes-security-benchmark

Use "kubernetes-security-benchmark [command] --help" for more information about a command.

DC/OS Quickstart

If you're running this against a Kubernetes cluster deployed on DC/OS, this repository provides a simple way to run the benchmark and create an aggregated report. You must first deploy a Kubernetes cluster on DC/OS, clone this repository, and run:

$ make test.dcos

This will run all benchmarks against the deployed Kubernetes cluster and produce an HTML report which will automatically open in your browser.

If you have more than 1 Kubernetes cluster deployed and you want to target a specific Kubernetes cluster you can use the KUBERNETES_CLUSTER variable.

$ make test.dcos KUBERNETES_CLUSTER=<your_kubernetes_cluster_name>

CIS Kubernetes Benchmark

The Center for Internet Security (CIS) publishes a benchmark for Kubernetes. Tests are specified against the various components of a Kubernetes deployment and as such need to be run on the machine (container, VM, or bare-metal) that the component is running on. This project enables a very flexible way to run these tests to match your deployment.

$ kubernetes-security-benchmark cis --help
Run Kubernetes CIS Benchmark tests.

Usage:
  kubernetes-security-benchmark cis [flags]
  kubernetes-security-benchmark cis [command]

Available Commands:
  control-plane Run the control plane specific benchmarks
  federation    Run the federation specific benchmarks
  node          Run the node specific benchmarks
  version       Prints the version of the Kubernetes CIS Benchmark

Flags:
  -h, --help                           help for cis
      --spec.dryRun                    If set, ginkgo will walk the test hierarchy without actually running anything.  Best paired with -v.
      --spec.failFast                  If set, ginkgo will stop running a test suite after a failure occurs.
      --spec.failOnMissingProcess      Whether the tests should fail if the relevant process is not running
      --spec.failOnPending             If set, ginkgo will mark the test suite as failed if any specs are pending.
      --spec.flakeAttempts int         Make up to this many attempts to run each spec. Please note that if any of the attempts succeed, the suite will not be failed. But any failures will still be recorded. (default 1)
      --spec.focus string              If set, ginkgo will only run specs that match this regular expression.
      --spec.noColor                   If set, suppress color output in default reporter. (default true)
      --spec.noisyPendings             If set, default reporter will shout about pending tests.
      --spec.noisySkippings            If set, default reporter will shout about skipping tests.
      --spec.progress                  If set, ginkgo will emit progress information as each spec runs to the GinkgoWriter.
      --spec.randomizeAllSpecs         If set, ginkgo will randomize all specs together.  By default, ginkgo only randomizes the top level Describe, Context and When groups.
      --spec.regexScansFilePath        If set, ginkgo regex matching also will look at the file path (code location).
      --spec.seed int                  The seed used to randomize the spec suite. (default 1522082832)
      --spec.skip string               If set, ginkgo will only run specs that do not match this regular expression.
      --spec.skipMeasurements          If set, ginkgo will skip any measurement specs.
      --spec.slowSpecThreshold float   (in seconds) Specs that take longer to run than this threshold are flagged as slow by the default reporter. (default 5)
      --spec.succinct                  If set, default reporter prints out a very succinct report (default true)
      --spec.trace                     If set, default reporter prints out the full stack trace when a failure occurs
      --spec.v                         If set, default reporter print out all specs as they begin.

Use "kubernetes-security-benchmark cis [command] --help" for more information about a command.
Running all tests

In order to run all tests, run:

$ kubernetes-security-benchmark cis

This will run all tests against the machine the binary is run on. This is a very unusual setup because Kubernetes is normally deployed in a distributed fashion, but can be useful for all-in-one deployments such as Minikube.

Running specific tests

Specific tests can be run via the --spec.focus flag. For example, to only run 1.1.1 Ensure that the --anonymous-auth argument is set to false, you can run:

$ kubernetes-security-benchmark cis --spec.focus='\[1\.1\.1\]'

Note: that the --spec.focus flag value is a regular expression that matches against the spec description, hence the need to escape the square brackets and dot.

Running tests targeting a specific component

As a convenience, subcommands are provided to run targeted test suites against specific components, e.g.:

$ kubernetes-security-benchmark cis control-plane api-server

This is easier to remember than the equivalent command:

$ kubernetes-security-benchmark cis --spec.focus='\[1\.1\]'
Subcommands

Here is a full list of the subcommands available:

  • kubernetes-security-benchmark cis
    • kubernetes-security-benchmark cis control-plane
      • kubernetes-security-benchmark cis control-plane api-server
      • kubernetes-security-benchmark cis control-plane configuration-files
      • kubernetes-security-benchmark cis control-plane controller-manager
      • kubernetes-security-benchmark cis control-plane etcd
      • kubernetes-security-benchmark cis control-plane general-security-primitives
      • kubernetes-security-benchmark cis control-plane scheduler
      • kubernetes-security-benchmark cis control-plane podsecuritypolicies
    • kubernetes-security-benchmark cis node
      • kubernetes-security-benchmark cis node configuration-files
      • kubernetes-security-benchmark cis node kubelet

Documentation

The Go Gopher

There is no documentation for this package.

Directories

Path Synopsis
cmd
pkg
cis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL