使用Kube-Bench对Kubernetes进行安全检测
1. 工具介绍
Kube-Bench是一个开源的Go语言工具,用于自动化检查Kubernetes集群是否符合CIS Kubernetes基准。这些基准包括一系列关于Kubernetes配置和部署安全性的建议和最佳实践。
Kube-Bench执行了一系列针对Kubernetes组件(如kube-apiserver、etcd、kube-scheduler、kube-controller-manager等)的测试,来检查它们是否按照CIS基准的推荐进行了配置。测试结果会被分类为PASS、FAIL或WARN,以清晰明了地显示哪些地方需要改进。
Kube-Bench是在运行时检查Kubernetes环境的工具,它并不会修改系统。你可以定期运行kube-bench来审计你的Kubernetes环境,确保其保持在最佳的安全状态。
官方仓库:https://github.com/aquasecurity/kube-bench
2. CIS Kubernetes Benchmark支持
在Kubernetes环境中,CIS Kubernetes基准就是一套针对Kubernetes的安全配置最佳实践。例如,CIS Kubernetes基准会涵盖如何配置kubelet,如何限制API服务器上的权限等内容。
进入CIS(Center for Internet Security)官网可以下载Kubernetes Benchmark文件。
Kubernetes Benchmark、kube-bench config和Kubernetes配套关系如下:
| Source | Kubernetes Benchmark | kube-bench config | Kubernetes versions |
|---|---|---|---|
| CIS | 1.5.1 | cis-1.5 | 1.15 |
| CIS | 1.6.0 | cis-1.6 | 1.16-1.18 |
| CIS | 1.20 | cis-1.20 | 1.19-1.21 |
| CIS | 1.23 | cis-1.23 | 1.22-1.23 |
| CIS | 1.24 | cis-1.24 | 1.24 |
| CIS | 1.7 | cis-1.7 | 1.25 |
| CIS | 1.8 | cis-1.8 | 1.26 |
| CIS | GKE 1.0.0 | gke-1.0 | GKE |
| CIS | GKE 1.2.0 | gke-1.2.0 | GKE |
| CIS | EKS 1.0.1 | eks-1.0.1 | EKS |
| CIS | EKS 1.1.0 | eks-1.1.0 | EKS |
| CIS | EKS 1.2.0 | eks-1.2.0 | EKS |
| CIS | ACK 1.0.0 | ack-1.0 | ACK |
| CIS | AKS 1.0.0 | aks-1.0 | AKS |
| RHEL | RedHat OpenShift hardening guide | rh-0.7 | OCP 3.10-3.11 |
| CIS | OCP4 1.1.0 | rh-1.0 | OCP 4.1- |
| CIS | 1.6.0-k3s | cis-1.6-k3s | k3s v1.16-v1.24 |
| DISA | Kubernetes Ver 1, Rel 6 | eks-stig-kubernetes-v1r6 | EKS |
| CIS | TKGI 1.2.53 | tkgi-1.2.53 | vmware |
| CIS | 1.7.0-rke | rke-cis-1.7 | rke v1.25-v1.27 |
| CIS | 1.7.0-rke2 | rke2-cis-1.6 | rke2 v1.25-v1.27 |
| CIS | 1.7.0-k3s | k3s-cis-1.7 | k3s v1.25-v1.27 |
最新信息请访问 CIS Kubernetes Benchmark support 查看。
默认配置下,Kube-Bench将根据目标设备上运行的Kubernete版本来确定要运行的测试集。
3. 工具安装
3.1 二进制安装
下载地址:https://github.com/aquasecurity/kube-bench/releases
[root@master1 ~]# wget https://github.com/aquasecurity/kube-bench/releases/download/v0.7.3/kube-bench_0.7.3_linux_amd64.tar.gz
[root@master1 ~]# mkdir /opt/kube-bench
# 将二进制文件解压到创建的目录
[root@master1 ~]# tar xf kube-bench_0.7.3_linux_amd64.tar.gz -C /opt/kube-bench/
# 查看文件内容
[root@master1 ~]# cd /opt/kube-bench/
[root@master1 kube-bench]# ls
cfg kube-bench
[root@master1 kube-bench]# ls cfg/
ack-1.0 cis-1.24 cis-1.6-k3s eks-1.0.1 gke-1.0 k3s-cis-1.7 rke2-cis-1.24 rke-cis-1.7
aks-1.0 cis-1.24-microk8s cis-1.7 eks-1.1.0 gke-1.2.0 rh-0.7 rke2-cis-1.7 tkgi-1.2.53
cis-1.20 cis-1.5 cis-1.8 eks-1.2.0 k3s-cis-1.23 rh-1.0 rke-cis-1.23
cis-1.23 cis-1.6 config.yaml eks-stig-kubernetes-v1r6 k3s-cis-1.24 rke2-cis-1.23 rke-cis-1.24
[root@master1 cfg]# cd cis-1.8/
# 各个组件yaml文件记录了需要检测的详细信息
[root@master1 cis-1.8]# ls
config.yaml controlplane.yaml etcd.yaml master.yaml node.yaml policies.yaml
cfg/config.yaml包含了相关测试组件配置、配置文件路径、K8S版本和CIS标准映射等。如果k8s的某些配置文件自定义到了非默认的目录,修改config.yaml里的相应目录就行。
[root@master1 kube-bench]# cat cfg/config.yaml
---
## Controls Files.
# These are YAML files that hold all the details for running checks.
#
## Uncomment to use different control file paths.
# masterControls: ./cfg/master.yaml
# nodeControls: ./cfg/node.yaml
master:
components:
- apiserver
- scheduler
- controllermanager
- etcd
- flanneld
# kubernetes is a component to cover the config file /etc/kubernetes/config that is referred to in the benchmark
- kubernetes
- kubelet
kubernetes:
defaultconf: /etc/kubernetes/config
apiserver:
bins:
- "kube-apiserver"
- "hyperkube apiserver"
- "hyperkube kube-apiserver"
- "apiserver"
- "openshift start master api"
- "hypershift openshift-kube-apiserver"
confs:
- /etc/kubernetes/manifests/kube-apiserver.yaml
- /etc/kubernetes/manifests/kube-apiserver.yml
- /etc/kubernetes/manifests/kube-apiserver.manifest
- /var/snap/kube-apiserver/current/args
- /var/snap/microk8s/current/args/kube-apiserver
- /etc/origin/master/master-config.yaml
- /etc/kubernetes/manifests/talos-kube-apiserver.yaml
- /var/lib/rancher/rke2/agent/pod-manifests/kube-apiserver.yaml
defaultconf: /etc/kubernetes/manifests/kube-apiserver.yaml
scheduler:
bins:
- "kube-scheduler"
...
node:
components:
- kubelet
- proxy
# kubernetes is a component to cover the config file /etc/kubernetes/config that is referred to in the benchmark
- kubernetes
kubernetes:
defaultconf: "/etc/kubernetes/config"
kubelet:
cafile:
- "/etc/kubernetes/pki/ca.crt"
- "/etc/kubernetes/certs/ca.crt"
- "/etc/kubernetes/cert/ca.pem"
- "/var/snap/microk8s/current/certs/ca.crt"
- "/var/lib/rancher/rke2/agent/server.crt"
- "/var/lib/rancher/rke2/agent/client-ca.crt"
- "/var/lib/rancher/k3s/agent/client-ca.crt"
...
etcd:
components:
- etcd
etcd:
bins:
- "etcd"
datadirs:
- /var/lib/etcd/default.etcd
- /var/lib/etcd/data.etcd
confs:
- /etc/kubernetes/manifests/etcd.yaml
- /etc/kubernetes/manifests/etcd.yml
...
controlplane:
components:
- apiserver
apiserver:
bins:
- "kube-apiserver"
- "hyperkube apiserver"
- "hyperkube kube-apiserver"
- "apiserver"
policies:
components: []
managedservices:
components: []
version_mapping:
"1.15": "cis-1.5"
"1.16": "cis-1.6"
...
target_mapping:
"cis-1.5":
最低0.47元/天 解锁文章
扫一扫
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
