CIS compliance

The Center for Internet Security (CIS) maintains a Kubernetes benchmark that checks whether a cluster is configured in accordance with security best practices. Charmed Kubernetes includes support for the kube-bench utility, which reports how well a cluster complies with this benchmark. This page details how to run these tests and how to read the results.

Run kube-bench

The kubernetes-master, kubernetes-worker, and etcd charms used by Charmed Kubernetes include a cis-benchmark action that installs, configures, and runs kube-bench against the respective component. Run this action on each unit you wish to test:

juju run-action --wait etcd/0 cis-benchmark

By default, the action output contains a summary of the checks by status, the exact kube-bench command that was executed on the unit, and a report field holding a ready-made juju scp command for copying the full benchmark report to a local machine for analysis:

results:
  cmd: /home/ubuntu/kube-bench/kube-bench -D /home/ubuntu/kube-bench/cfg-ck
    --benchmark cis-1.5 --noremediations --noresults run --targets etcd
  report: juju scp etcd/0:/home/ubuntu/kube-bench-results/results-text-49681_7h .
  summary: |
    == Summary ==
    7 checks PASS
    0 checks FAIL
    0 checks WARN
    4 checks INFO
status: completed

Configure kube-bench

The following parameters can be adjusted to change the default action behavior. See the descriptions in the actions.yaml file for additional supported values beyond the defaults.

apply

When a failure is detected, this action can attempt to fix it automatically. This parameter is none by default, meaning the action will not apply any remediations. The examples below use two other values: dangerous, which applies all known fixes for the failing checks, and reset, which removes all configuration the action has set on a unit. Review the full report before applying remediations, since they change component configuration on the unit.

config

Specify an archive of custom configuration scripts to use during the benchmark, for example as a URL to a zip archive. This parameter is set by default to an archive that is known to work with snap-related components.

release

Specify the kube-bench release to install and run. This parameter is set by default to a release that is known to work with snap-related components.

Example use case

Run the CIS benchmark on the kubernetes-worker charm using a custom configuration archive:

juju run-action --wait kubernetes-worker/0 cis-benchmark \
  config='https://github.com/charmed-kubernetes/kube-bench-config/archive/cis-1.5.zip'
results:
  cmd: /home/ubuntu/kube-bench/kube-bench -D /home/ubuntu/kube-bench/cfg-ck
    --benchmark cis-1.5 --noremediations --noresults run --targets node
  report: juju scp kubernetes-worker/0:/home/ubuntu/kube-bench-results/results-text-nmmlsvy3 .
  summary: |
    == Summary ==
    16 checks PASS
    4 checks FAIL
    3 checks WARN
    0 checks INFO
status: completed

Attempt to apply all known fixes to the failing benchmark tests using the same configuration archive:

juju run-action --wait kubernetes-worker/0 cis-benchmark \
  apply='dangerous' \
  config='https://github.com/charmed-kubernetes/kube-bench-config/archive/cis-1.5.zip'
results:
  cmd: /home/ubuntu/kube-bench/kube-bench -D /home/ubuntu/kube-bench/cfg-ck
    --benchmark cis-1.5 --noremediations --noresults run --targets node
  report: juju scp kubernetes-worker/0:/home/ubuntu/kube-bench-results/results-json-dozp8j3z .
  summary: Applied 4 remediations. Re-run with "apply=none" to generate a new report.
status: completed

Re-run the earlier action to verify that the previous failures have been fixed. Checks reported as WARN are ones kube-bench cannot evaluate automatically; they remain after remediation and must be reviewed by hand using the full report:

juju run-action --wait kubernetes-worker/0 cis-benchmark \
  config='https://github.com/charmed-kubernetes/kube-bench-config/archive/cis-1.5.zip'
results:
  cmd: /home/ubuntu/kube-bench/kube-bench -D /home/ubuntu/kube-bench/cfg-ck
    --benchmark cis-1.5 --noremediations --noresults run --targets node
  report: juju scp kubernetes-worker/0:/home/ubuntu/kube-bench-results/results-text-4agbktbf .
  summary: |
    == Summary ==
    20 checks PASS
    0 checks FAIL
    3 checks WARN
    0 checks INFO
status: completed
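The three steps above lend themselves to automation. The following script is an added example, not part of the Charmed Kubernetes documentation or the charms' own code: it runs the cis-benchmark action on a unit, pulls the summary and report fields out of the YAML that juju run-action --wait prints, counts checks by status, and fails only on FAIL results, treating WARN as manual-review items. The script name and the report file name are made up; without a unit argument it runs offline on constructed sample output shaped like the transcripts above.

```bash
#!/usr/bin/env bash
# Added example; not part of the Charmed Kubernetes documentation or charm code.
# Runs the cis-benchmark action on a unit, extracts the summary block from the
# action's YAML output, and turns it into a pass/fail gate. Without arguments
# it runs offline against a constructed sample of the output.
set -euo pipefail

# Constructed sample of `juju run-action --wait <unit> cis-benchmark` output,
# shaped like the transcripts in the documentation (report file name is made up).
SAMPLE_ACTION_OUTPUT='results:
  cmd: /home/ubuntu/kube-bench/kube-bench -D /home/ubuntu/kube-bench/cfg-ck
    --benchmark cis-1.5 --noremediations --noresults run --targets node
  report: juju scp kubernetes-worker/0:/home/ubuntu/kube-bench-results/results-text-sample .
  summary: |
    == Summary ==
    16 checks PASS
    4 checks FAIL
    3 checks WARN
    0 checks INFO
status: completed'

# Constructed summary as it looks after remediations have been applied.
SAMPLE_FIXED_SUMMARY='== Summary ==
20 checks PASS
0 checks FAIL
3 checks WARN
0 checks INFO'

# Print the de-indented "summary" block from action output on stdin.
# Prints nothing when the summary is a plain string (as after apply=dangerous).
extract_summary() {
    awk '/^ *summary: [|]/ { inblock = 1; next }
         inblock { if ($0 !~ /^    /) exit; sub(/^    /, ""); print }'
}

# Print the juju scp command from the "report" field. It is shown to the
# operator, never eval'd here, so text coming back from a unit cannot run locally.
extract_report_cmd() {
    awk '/^ *report: / { sub(/^ *report: /, ""); print; exit }'
}

# Print the number of checks with the given status (PASS, FAIL, WARN, INFO)
# from a summary block on stdin; 0 if that status line is missing.
count_checks() {
    awk -v s="$1" '$2 == "checks" && $3 == s { found = 1; print $1 }
                   END { if (!found) print 0 }'
}

# Gate: succeed only when a summary was found and no check FAILs. WARN results
# are checks kube-bench cannot evaluate automatically; flag them for manual review.
benchmark_passes() {
    local summary="$1" fails warns
    if [ -z "$summary" ]; then
        echo "error: no summary block found in action output" >&2
        return 1
    fi
    fails=$(printf '%s\n' "$summary" | count_checks FAIL)
    warns=$(printf '%s\n' "$summary" | count_checks WARN)
    if [ "$warns" -gt 0 ]; then
        echo "note: $warns WARN check(s) need manual review in the full report" >&2
    fi
    [ "$fails" -eq 0 ]
}

# Run the action on a unit (optionally with a config archive URL) and print its raw output.
run_cis_benchmark() {
    local unit="$1" config="${2:-}"
    if [ -n "$config" ]; then
        juju run-action --wait "$unit" cis-benchmark "config=$config"
    else
        juju run-action --wait "$unit" cis-benchmark
    fi
}

main() {
    local output summary
    if [ $# -gt 0 ]; then
        output=$(run_cis_benchmark "$@")      # e.g. ./cis-gate.sh kubernetes-worker/0
    else
        output="$SAMPLE_ACTION_OUTPUT"         # offline demo on constructed data
    fi
    summary=$(printf '%s\n' "$output" | extract_summary)
    printf '%s\n' "$summary"
    echo "full report: $(printf '%s\n' "$output" | extract_report_cmd)"
    if benchmark_passes "$summary"; then
        echo "RESULT: no failing checks"
    else
        echo "RESULT: failing checks present"
        if [ $# -gt 0 ]; then return 1; fi    # fail the gate for a real unit, not the demo
    fi
}

main "$@"
```

Pass a unit name (and optionally a config archive URL) to run against a live cluster; the script then exits non-zero when any check FAILs. The report command is only printed, so copying the full report remains an explicit operator step.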

Remove applied remediations

The cis-benchmark action does not track the individual remediations it applies. It can, however, remove all configuration it may have set on a unit. To clear this data, set the apply parameter to reset, then re-run the action with apply=none to confirm the unit's current state:

juju run-action --wait kubernetes-worker/0 cis-benchmark \
  apply='reset'
results:
  summary: Reset is complete. Re-run with "apply=none" to generate a new report.
status: completed
