Anthropic-Cybersecurity-Skills performing-kubernetes-cis-benchmark-with-kube-bench
Audit Kubernetes cluster security posture against CIS benchmarks using kube-bench with automated checks for control
install
source · Clone the upstream repo
git clone https://github.com/mukul975/Anthropic-Cybersecurity-Skills
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/mukul975/Anthropic-Cybersecurity-Skills "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/performing-kubernetes-cis-benchmark-with-kube-bench" ~/.claude/skills/mukul975-anthropic-cybersecurity-skills-performing-kubernetes-cis-benchmark-with && rm -rf "$T"
manifest:
skills/performing-kubernetes-cis-benchmark-with-kube-bench/SKILL.mdsource content
Performing Kubernetes CIS Benchmark with kube-bench
Overview
kube-bench is an open-source Go tool by Aqua Security that runs the CIS Kubernetes Benchmark checks. It verifies control plane, etcd, worker node, and policy configurations against security best practices, producing actionable pass/fail/warn reports.
When to Use
- When conducting security assessments that involve performing kubernetes cis benchmark with kube bench
- When following incident response procedures for related security events
- When performing scheduled security testing or auditing activities
- When validating security controls through hands-on testing
Prerequisites
- Kubernetes cluster (v1.24+)
- kubectl with cluster-admin access
- Node access for direct runs or privileged pod access
Installation
# Binary installation curl -L https://github.com/aquasecurity/kube-bench/releases/download/v0.7.3/kube-bench_0.7.3_linux_amd64.tar.gz | tar xz sudo mv kube-bench /usr/local/bin/ # Run as Kubernetes Job kubectl apply -f https://raw.githubusercontent.com/aquasecurity/kube-bench/main/job.yaml kubectl logs job/kube-bench # Run as a pod with host access kubectl apply -f https://raw.githubusercontent.com/aquasecurity/kube-bench/main/job-master.yaml kubectl apply -f https://raw.githubusercontent.com/aquasecurity/kube-bench/main/job-node.yaml
Running Benchmarks
Full Benchmark
# Run all checks (auto-detects node type) kube-bench run # Run with JSON output kube-bench run --json > kube-bench-results.json # Run with JUnit output for CI kube-bench run --junit > kube-bench-results.xml
Component-Specific Checks
# Control plane (master) checks kube-bench run --targets master # Worker node checks kube-bench run --targets node # etcd checks kube-bench run --targets etcd # Policies checks kube-bench run --targets policies # Control plane + etcd kube-bench run --targets master,etcd
Managed Kubernetes
# Amazon EKS kube-bench run --benchmark eks-1.2.0 # Google GKE kube-bench run --benchmark gke-1.4.0 # Azure AKS kube-bench run --benchmark aks-1.0 # Red Hat OpenShift kube-bench run --benchmark rh-1.0
Filtering Results
# Show only failures kube-bench run --targets master | grep "\[FAIL\]" # Run specific check kube-bench run --check 1.2.1 # Run check group kube-bench run --group 1.2
CIS Benchmark Sections
| Section | Component | Key Checks |
|---|---|---|
| 1.1 | Control Plane - API Server | Anonymous auth, RBAC, audit logging |
| 1.2 | Control Plane - API Server | Admission controllers, encryption |
| 1.3 | Control Plane - Controller Manager | Service account tokens, bind address |
| 1.4 | Control Plane - Scheduler | Profiling, bind address |
| 2.1 | etcd | Client cert auth, peer encryption |
| 3.1 | Control Plane - Authentication | OIDC, client certs |
| 4.1 | Worker - kubelet | Anonymous auth, authorization |
| 4.2 | Worker - kubelet | TLS, read-only port |
| 5.1 | Policies - RBAC | Cluster-admin usage, service accounts |
| 5.2 | Policies - Pod Security | Privileged, host namespaces |
| 5.3 | Policies - Network | Network policies per namespace |
| 5.7 | Policies - General | Secrets, security context |
Output Example
[INFO] 1 Control Plane Security Configuration [INFO] 1.1 Control Plane Node Configuration Files [PASS] 1.1.1 Ensure that the API server pod specification file permissions are set to 600 [PASS] 1.1.2 Ensure that the API server pod specification file ownership is set to root:root [FAIL] 1.1.3 Ensure that the controller manager pod specification file permissions are set to 600 [WARN] 1.1.4 Ensure that the scheduler pod specification file permissions are set to 600 == Summary == 45 checks PASS 12 checks FAIL 8 checks WARN 0 checks INFO
CI/CD Integration
GitHub Actions
name: CIS Benchmark on: schedule: - cron: '0 6 * * 1' jobs: kube-bench: runs-on: ubuntu-latest steps: - name: Configure kubectl uses: azure/setup-kubectl@v3 - name: Run kube-bench run: | kubectl apply -f https://raw.githubusercontent.com/aquasecurity/kube-bench/main/job.yaml kubectl wait --for=condition=complete job/kube-bench --timeout=120s kubectl logs job/kube-bench > kube-bench-report.txt - name: Check for failures run: | FAILS=$(grep -c "\[FAIL\]" kube-bench-report.txt || true) echo "Failed checks: $FAILS" if [ "$FAILS" -gt 0 ]; then echo "::warning::$FAILS CIS benchmark checks failed" fi - name: Upload report uses: actions/upload-artifact@v4 with: name: kube-bench-report path: kube-bench-report.txt
Remediation Examples
1.2.1 - Ensure --anonymous-auth is set to false
# /etc/kubernetes/manifests/kube-apiserver.yaml spec: containers: - command: - kube-apiserver - --anonymous-auth=false
4.2.1 - Ensure --anonymous-auth is set to false on kubelet
# /var/lib/kubelet/config.yaml authentication: anonymous: enabled: false webhook: enabled: true
5.2.1 - Minimize wildcard RBAC
# Find roles with wildcard permissions kubectl get clusterroles -o json | jq '.items[] | select(.rules[].resources[] == "*") | .metadata.name'
Best Practices
- Run kube-bench before and after cluster provisioning
- Schedule weekly scans via CronJob for drift detection
- Export JSON for SIEM/compliance reporting
- Fix FAIL items first, then address WARN items
- Use benchmark profiles matching your Kubernetes distribution
- Track score over time to measure security posture improvement
- Combine with admission controllers to prevent drift