Skip to content

Latest commit

 

History

History
70 lines (57 loc) · 4.14 KB

README.md

File metadata and controls

70 lines (57 loc) · 4.14 KB

kube-bench adapter

The kube-bench adapter runs a CIS benchmark check with a tool called kube-bench and produces a policy report based on the Policy Report Custom Resource Definition

Running

Prerequisites:

  • To run the Kubernetes cluster locally, tools like kind or minikube can be used. Here are the steps to run the kube-bench adapater with a kind cluster.

Steps

Common steps

# 1. clone the repository
git clone https://github.com/mritunjaysharma394/policy-report-prototype.git

# 2. Enter the direcotry
cd policy-report-prototype

# 3. Create a Kubernetes cluster
kind create cluster

# 4. Create a CustomResourceDefinition
kubectl create -f kubernetes/crd/v1alpha2/wgpolicyk8s.io_policyreports.yaml

Steps to run kube-bench adapter in-cluster as a Cron-Job

# 5. Create Role, Role-Binding and Services
kubectl create -f kubernetes/role.yaml -f kubernetes/rb.yaml -f kubernetes/service.yaml

# 6. Create cron-job
kubectl create -f kubernetes/cron-job.yaml 

# 7. Watch the jobs
kubectl get jobs --watch

# 8. Check policyreports created through the custom resource
kubectl get policyreports

Steps to run kube-bench adapter from outside a cluster

Building
make build
Installing
# Create policy report using
./policyreport -name="kube-bench" -kube-bench-targets="master,nodes" -yaml="job.yaml" -namespace="default" -category="CIS Benchmarks"

# Check policyreports created through the custom resource
kubectl get policyreports
Command Line Arguments
Argument Type Default value Allowed value Usage
-category string CIS Benchmarks Any string name valid for category category of the policy report
-kube-bench-benchmark string cis-1.6 cis-1.5, cis-1.6, gke-1.0, eks-1.0, ack-1.0 specify the benchmark for kube-bench job
-kube-bench-targets string(accepts multiple values) master,node,etcd,policies master, controlplane, node, etcd, policies targets for benchmark of kube-bench job
-kube-bench-version string 1.21 Kubernetes Version like 1.20,1.21,etc specify the Kubernetes version for kube-bench job
-kubebenchImg string aquasec/kube-bench:latest aquasec/kube-bench:(kube-bench-version) kube-bench image used as part of this test
-kubeconfig string $HOME/.kube/config path to your KUBECONFIG absolute path to the kubeconfig file
-name string kube-bench Any name of string type name of policy report
-namespace string default Any name of string type namespace of the cluster
-yaml string job.yaml job.yaml, job-master.yaml, job-node.yaml, job-ack.yaml, job-aks.yaml, job-eks-asff.yaml, job-eks.yaml, job-gke.yaml, job-iks.yaml name of YAML for kube-bench job

Notes:

  • Flags -name,-namespace, -yaml, -category are user configurable and can be changed by changing the variable on the right hand side.
  • Flag -yaml input is a string that tells the type of kube-bench YAML and the strings are matched internally to the path of the job YAMLs located in pkg/kubebench/jobs. The user just need to enter the type of yaml. Example: -yaml=job.yaml, -yaml=job-master.yaml, -yaml=job-node.yaml,etc.
  • In order to generate policy report in the form of YAML, we can do kubectl get policyreports -o yaml > res.yaml which will generate it as res.yaml in this case.