26 Dec 2021

kube-bench使用

curl -L https://github.com/aquasecurity/kube-bench/releases/download/v0.6.2/kube-bench_0.6.2_linux_amd64.deb -o kube-bench_0.6.2_linux_amd64.deb
sudo apt install ./kube-bench_0.6.2_linux_amd64.deb -f

wget https://github.com/aquasecurity/kube-bench/releases/download/v0.6.5/kube-bench_0.6.5_linux_amd64.tar.gz
wget https://github.com/aquasecurity/kube-bench/releases/download/v0.3.0/kube-bench_0.3.0_linux_amd64.tar.gz

$ kube-bench --config-dir=./cfg --config=./cfg/config.yaml run --targets=master
...
== Summary master ==
42 checks PASS
11 checks FAIL
11 checks WARN
0 checks INFO

== Summary total ==
42 checks PASS
11 checks FAIL
11 checks WARN
0 checks INFO

kube-bench --config-dir=./cfg --config=./cfg/config.yaml run --targets=etcd

kube-bench master --config-dir=./cfg
kube-bench node --config-dir=./cfg

# cat kube-apiserver.yaml | grep authorization-mode
    #- --authorization-mode=Node,RBAC
    - --authorization-mode=AlwaysAllow

# kube-bench --config-dir=./cfg --config=./cfg/config.yaml run --targets=master | grep authorization-mode
[FAIL] 1.2.6 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)
[FAIL] 1.2.7 Ensure that the --authorization-mode argument includes Node (Automated)
[FAIL] 1.2.8 Ensure that the --authorization-mode argument includes RBAC (Automated)
on the master node and set the --authorization-mode parameter to values other than AlwaysAllow.
--authorization-mode=RBAC
on the master node and set the --authorization-mode parameter to a value that includes Node.
--authorization-mode=Node,RBAC
on the master node and set the --authorization-mode parameter to a value that includes RBAC,
--authorization-mode=Node,RBAC