Running kube-bench on managed Kubernetes services

The difference with managed Kubernetes services such as EKS, GKE, AKS, and so on is that you can't run the checks on the master: the provider operates the control plane and gives you no access to its nodes. Instead, you have to either follow only the worker checks from the previous recipe or run a Kubernetes job to validate your environment. In this recipe, you will learn how to run kube-bench on the nodes of a managed Kubernetes service, which also covers the case where you don't have direct SSH access to the nodes.

Let's perform the following steps to run the CIS recommended tests:

  1. For this recipe, we will use EKS as our Kubernetes service, but you can change the Kubernetes and container registry services to other cloud providers if you wish. First, create an ECR repository where we will host the kube-bench image:
     $ aws ecr create-repository --repository-name k8sdevopscookbook/kube-bench --image-tag-mutability MUTABLE
  2. Clone the kube-bench repository to your localhost:
     $ git clone https://github.com/aquasecurity/kube-bench.git
  3. Log in to your Elastic Container Registry (ECR) account. You need to be authenticated before you can push images to the registry (with AWS CLI v2, `aws ecr get-login` has been removed; use `aws ecr get-login-password` piped into `docker login` instead):
     $ $(aws ecr get-login --no-include-email --region us-west-2)
  4. Build the kube-bench image by running the following command from inside the cloned kube-bench directory (the trailing dot is the build context):
     $ docker build -t k8sdevopscookbook/kube-bench .
  5. Replace <AWS_ACCT_NUMBER> with your AWS account number and execute the following commands to push the image to the ECR repository created in Step 1. The first command will create a tag, while the second command will push the image:
     $ docker tag k8sdevopscookbook/kube-bench:latest <AWS_ACCT_NUMBER>.dkr.ecr.us-west-2.amazonaws.com/k8sdevopscookbook/kube-bench:latest
     $ docker push <AWS_ACCT_NUMBER>.dkr.ecr.us-west-2.amazonaws.com/k8sdevopscookbook/kube-bench:latest
  6. Edit the job-eks.yaml file and replace the image name on line 12 with the URI of the image you pushed in Step 5. It should look similar to the following, except you should use your AWS account number in the image URI:
     apiVersion: batch/v1
     kind: Job
     metadata:
       name: kube-bench
     spec:
       template:
         spec:
           hostPID: true
           containers:
             - name: kube-bench
               # Push the image to your ECR and then refer to it here
               image: 316621595343.dkr.ecr.us-west-2.amazonaws.com/k8sdevopscookbook/kube-bench:latest
     ...
  7. Run the job using the following command. It will be executed and completed shortly:
     $ kubectl apply -f job-eks.yaml
  8. List the kube-bench pods that were created in your cluster. The status should show Completed, similar to the following example:
     $ kubectl get pods | grep kube-bench
     kube-bench-7lxzn 0/1 Completed 0 5m
  9. Replace the pod name with the output of the previous command and view the pod logs to retrieve the kube-bench results. In our example, the pod name is kube-bench-7lxzn:
     $ kubectl logs kube-bench-7lxzn

Now, you can run kube-bench on any managed Kubernetes cluster. After you get the logs, follow all the remediation suggestions until you clear the failed tests on the worker nodes.
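The pod logs are a plain-text list of `[PASS]`, `[FAIL]`, `[WARN]` and `[INFO]` lines followed by a `== Remediations ==` section and a `== Summary ==`. Working through the remediations by hand is tedious on more than a few nodes, so the following added example (not from the book or from the kube-bench project) shows POSIX shell functions that count results, list the failed check IDs, pull the remediation text for one ID, and return non-zero when anything failed, so the output of `kubectl logs` can gate a pipeline until the worker nodes are clean. The function names are this example's own, and the sample output is constructed here in the line format kube-bench prints, not captured from a real cluster.

```shell
#!/bin/sh
# Post-process kube-bench output, e.g. `kubectl logs kube-bench-7lxzn | kube_bench_fail_ids`.
# Assumes the "[STATUS] <id> <description>" line format and the "== Remediations =="
# / "== Summary ==" sections that kube-bench emits. Function names are this
# example's own; the sample below is constructed, not real cluster output.

# Count lines with the given status (PASS, FAIL, WARN or INFO) read from stdin.
# Section headings are also printed as [INFO], so an INFO count includes them.
kube_bench_count() {
  awk -v tag="[$1]" '$1 == tag { n++ } END { print n + 0 }'
}

# Print the IDs (e.g. 4.1.2) of all checks marked [FAIL], one per line.
kube_bench_fail_ids() {
  awk '$1 == "[FAIL]" { print $2 }'
}

# Print the remediation text for one check ID. Entries in the remediation
# section start with the ID in column 1 and run until the next entry or the
# summary header.
kube_bench_remediation() {
  awk -v id="$1" '
    /^== Remediations ==/          { inrem = 1; next }
    /^== Summary ==/               { inrem = 0 }
    inrem && $1 == id              { printing = 1; print; next }
    inrem && /^[0-9]+(\.[0-9]+)+ / { printing = 0 }
    printing && inrem              { print }
  '
}

# Gate: exit status 0 when no check failed, 1 otherwise, so that
# `kubectl logs <pod> | kube_bench_gate || exit 1` blocks a pipeline.
kube_bench_gate() {
  fails=$(kube_bench_count FAIL)
  [ "$fails" -eq 0 ]
}

# Constructed sample in kube-bench's output format (worker node section).
SAMPLE='[INFO] 4 Worker Node Security Configuration
[INFO] 4.1 Worker Node Configuration Files
[PASS] 4.1.1 Ensure that the kubelet service file permissions are set to 644 or more restrictive (Scored)
[FAIL] 4.1.2 Ensure that the kubelet service file ownership is set to root:root (Scored)
[PASS] 4.1.3 Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive (Scored)
[INFO] 4.2 Kubelet
[FAIL] 4.2.1 Ensure that the --anonymous-auth argument is set to false (Scored)
[WARN] 4.2.9 Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture (Not Scored)

== Remediations ==
4.1.2 Run the below command (based on the file location on your system) on the each worker node.
For example,
chown root:root /etc/systemd/system/kubelet.service.d/10-kubeadm.conf

4.2.1 If using a Kubelet config file, edit the file to set authentication: anonymous: enabled to false.

== Summary ==
2 checks PASS
2 checks FAIL
1 checks WARN
0 checks INFO
'

# Usage on the sample; replace the printf with `kubectl logs <kube-bench pod>` on a cluster.
printf '%s' "$SAMPLE" | kube_bench_fail_ids
printf '%s' "$SAMPLE" | kube_bench_remediation 4.1.2
```

Keep the `[FAIL]` IDs from each run in version control or a ticket so the remediation loop is visible; when `kube_bench_gate` finally returns 0 for every worker node, the recipe's goal of clearing the failed tests is met and the job can be re-run on a schedule to catch regressions.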
