Hands-On Lab: Security Benchmarking with Kubebench

Kubebench checks your Kubernetes cluster against the CIS (Center for Internet Security) Kubernetes Benchmark. This lab demonstrates how to install and run Kubebench to ensure your cluster aligns with security best practices.

Hands on Lab

• Navigate to the EKS directory:

  cd /workspaces/ecr_eks_security_masterclass_public/eks/
  

• Download the Kubebench YAML file for your cluster:

  curl -sLO https://raw.githubusercontent.com/aquasecurity/kube-bench/main/job.yaml
  

• Apply the YAML file to create a Kubebench job:

  kubectl apply -f job.yaml
  

• Wait for the job to complete:

  kubectl get jobs
  

• Retrieve the results from the job pod:

  POD_NAME=$(kubectl get pods --selector=job-name=kube-bench -o jsonpath='{.items[0].metadata.name}')
  kubectl logs $POD_NAME
  

• Review the output for failed checks.

• Each check aligns with the CIS benchmark, such as:

  • API server security configurations.
  • Pod security settings.
  • RBAC configurations.

Optional Cleanup

• Delete the Kubebench job and resources:

  kubectl delete -f job.yaml