Kubernetes security is a broad topic. The multi-component nature of Kubernetes means there are several areas to consider when it comes to security; however, because Kubernetes has become a de facto standard for container orchestration, the same hardening measures, and the benchmarks that assess them, transfer across clouds in most cases. In this tutorial, we will look at how to use kube-bench to run the CIS Kubernetes Benchmark against a cluster.

An Introduction to CIS and Kube-Bench

The Center for Internet Security (CIS) is a community-driven, non-profit organization that aims to improve security across the Internet. As part of its efforts, the CIS has developed a comprehensive set of security benchmarks for various technologies, including Kubernetes. The CIS Kubernetes Benchmark provides detailed recommendations and best practices for hardening and securing Kubernetes deployments, covering areas such as host configuration, worker node security, control plane security, and policies.

Kube-bench is an open-source tool developed by Aqua Security that assesses a Kubernetes cluster's security posture against the best practices defined in the CIS Kubernetes Benchmark. It runs the benchmark's audit commands on a node (reading configuration files and inspecting the flags the control-plane and kubelet processes were started with) and reports each check as PASS, FAIL, WARN, or INFO together with the benchmark's remediation text.


This post assumes some familiarity with Kubernetes. In addition, you will need the following installed in order to follow along:

Launching a Kubernetes Cluster

If you already have a Kubernetes cluster up and running, feel free to skip this step; the important part here is to have a cluster to perform tests against.

To create a cluster using the Civo CLI, run the following command ↓

civo k3s create --region NYC1 --create-firewall --nodes 1 -m --save --switch --wait kube-bench

This will launch a one-node Kubernetes (k3s) cluster named kube-bench in your Civo account. --save writes the new cluster's kubeconfig locally, the -m flag merges it into your existing kubeconfig instead of overwriting it, --switch points your current kube-context at the newly created cluster, and --wait blocks until the cluster is ready.

Installing Kube-Bench

Kube-bench can be installed directly from the GitHub releases page. The commands below use v0.6.8; check the releases page for the current version and substitute it throughout. If you're on a Linux distribution, download the amd64 release ↓

curl -LO https://github.com/aquasecurity/kube-bench/releases/download/v0.6.8/kube-bench_0.6.8_linux_amd64.tar.gz

For macOS users, you can download the binary using curl as well ↓

curl -LO https://github.com/aquasecurity/kube-bench/releases/download/v0.6.8/kube-bench_0.6.8_darwin_amd64.tar.gz

Note: If you're using an Apple silicon Mac (M1 or later), make sure to download the arm64 version instead ↓

curl -LO https://github.com/aquasecurity/kube-bench/releases/download/v0.6.8/kube-bench_0.6.8_darwin_arm64.tar.gz

The archive contains the kube-bench binary together with its cfg/ directory, which holds the benchmark definitions (one set of YAML files per CIS benchmark version). Create the directory where those default configuration files will reside ↓

sudo mkdir -p /etc/kube-bench

Extract the archive into /etc/kube-bench, replacing <platform> with linux or darwin and <arch> with amd64 or arm64, depending on your system ↓

sudo tar -xvf kube-bench_0.6.8_<platform>_<arch>.tar.gz -C /etc/kube-bench

Finally, move the kube-bench binary to /usr/local/bin so that it is on your PATH ↓

sudo mv /etc/kube-bench/kube-bench /usr/local/bin

After following these steps, you should have kube-bench installed and ready to use. Run the following command to verify the installation; it should print the version you downloaded (0.6.8 in this tutorial) ↓

kube-bench version


Benchmarking your Cluster

Kube-bench provides two main ways of running benchmarks against a cluster: directly through the CLI on a node, or as a Kubernetes Job that schedules a pod onto a node and runs the same checks from inside it. Either way, the checks inspect the local filesystem and process list of the node they run on (file modes and ownership, and the flags the components were started with), so running the binary on your workstation benchmarks your workstation, not the cluster. We'll be using the CLI: log in to the cluster node (for example over SSH), and run the following command as root, since several checks read files only root can read ↓

kube-bench run

Once the run completes, take a moment to examine the output and understand how to interpret the results. The kube-bench output is structured to make it easy to identify areas of concern and prioritize remediation efforts.

Here's a breakdown of the key sections in the output:

[INFO] 1 Master Node Security Configuration
[INFO] 1.1 Master Node Configuration Files
[FAIL] 1.1.1 Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Automated)
[FAIL] 1.1.2 Ensure that the API server pod specification file ownership is set to root:root (Automated)

This section covers the checks specific to the control-plane (master) nodes. Each check is listed with a result status of PASS, FAIL, WARN, or INFO, its CIS identifier, and a brief description. The (Automated) suffix means kube-bench can evaluate the check itself; checks marked (Manual) cannot be fully verified from configuration alone and are reported as WARN so that you review them by hand.

== Remediations master ==
1.1.1 Run the below command (based on the file location on your system) on the
master node.
For example, chmod 644 /etc/kubernetes/manifests/kube-apiserver.yaml

The Remediations section provides specific instructions for each failed or warned check, keyed by the same identifier. Apply them on the affected node and re-run kube-bench to confirm that the check now passes.
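To make concrete what checks 1.1.1 and 1.1.2 actually test, and what "644 or more restrictive" means, here is a small POSIX shell re-implementation of the two checks. It is an added example, not kube-bench's own code: it assumes GNU coreutils stat (Linux), takes the manifest path as its argument, and prints result lines in the same style as the report above, with the matching remediation beside each FAIL.

```shell
#!/bin/sh
# Added example (not kube-bench's own code): re-implements CIS checks
# 1.1.1 (file mode 644 or more restrictive) and 1.1.2 (owner root:root)
# for a control-plane manifest. Assumes GNU coreutils `stat`.

# PASS (return 0) when no permission bit outside rw-r--r-- (0644) is set:
# 0644, 0640, 0600 and 0400 pass; 0664, 0755 and 0666 fail.
# Returns 2 when the file does not exist.
check_perms() {
  mode=$(stat -c '%a' "$1" 2>/dev/null) || return 2
  # "0$mode" makes the shell read the stat output as octal; any bit
  # that survives masking with ~0644 is a permission the benchmark forbids.
  [ $(( 0$mode & ~0644 )) -eq 0 ]
}

# PASS when the file is owned by the expected user:group (root:root by default).
check_owner() {
  want=${2:-root:root}
  have=$(stat -c '%U:%G' "$1" 2>/dev/null) || return 2
  [ "$have" = "$want" ]
}

# Audit one manifest: prints kube-bench-style result lines plus the
# remediation for each failure. Returns 0 only if both checks pass.
audit_manifest() {
  f=$1
  rc=0
  if check_perms "$f"; then
    echo "[PASS] 1.1.1 $f permissions $(stat -c '%a' "$f")"
  else
    echo "[FAIL] 1.1.1 $f permissions $(stat -c '%a' "$f" 2>/dev/null || echo missing); remediation: chmod 644 $f"
    rc=1
  fi
  if check_owner "$f"; then
    echo "[PASS] 1.1.2 $f owned by root:root"
  else
    echo "[FAIL] 1.1.2 $f owned by $(stat -c '%U:%G' "$f" 2>/dev/null || echo missing); remediation: chown root:root $f"
    rc=1
  fi
  return $rc
}

# Usage on a kubeadm-style control-plane node:
#   sudo sh cis-1.1.sh /etc/kubernetes/manifests/kube-apiserver.yaml
if [ $# -gt 0 ]; then
  audit_manifest "$1"
fi
```

The permission test is a bitmask comparison rather than a numeric one: a mode passes only if every bit it sets is also set in 0644, so 0600 and 0400 pass while 0664 fails because it adds group write. The same two functions apply to the controller manager, scheduler and etcd manifests that the neighbouring 1.1.x checks cover.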

== Summary master ==
0 checks PASS
52 checks FAIL
13 checks WARN
0 checks INFO

The Summary section gives a high-level count of results by status (PASS, FAIL, WARN, or INFO), so you can quickly gauge the overall posture of the cluster. Read a result like the one above (0 PASS, 52 FAIL) with the distribution in mind: k3s, which Civo runs, packages the control-plane components into a single binary rather than static pod manifests under /etc/kubernetes/manifests, so a path-based check such as 1.1.1 can FAIL because the file the benchmark expects does not exist, not because a real file is mis-permissioned. Check each failing test's audit command against your node layout, and use a distribution-specific benchmark configuration where kube-bench ships one (selected with the --benchmark flag) before treating every FAIL as a finding.

By carefully examining the kube-bench output, you can identify areas that require attention and prioritize remediation based on the severity and potential impact of each issue; re-running kube-bench after each change confirms that the fix took effect and did not regress another check.
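When kube-bench runs in a pipeline or a scheduled job, the useful question is whether any check still fails that you have not consciously accepted. The following POSIX shell functions, an added example and not part of kube-bench, extract the failing check IDs from the text report and fail the run unless every remaining FAIL is on an explicit exception list. The report lines embedded as SAMPLE are constructed to match the shape of the output shown above, not taken from a real run; they assume only sh and awk.

```shell
#!/bin/sh
# Added example (not kube-bench's own code): turn kube-bench's text report
# into a CI gate. Assumes POSIX sh and awk.

# Print the check ID (second field) of every "[FAIL] 1.1.1 ..." line on stdin.
fail_ids() {
  awk '$1 == "[FAIL]" { print $2 }'
}

# gate "<space-separated check IDs to ignore>"  reads a report on stdin.
# Prints which failures are blocking and which are accepted exceptions,
# then returns 0 if no blocking failure remains and 1 otherwise.
gate() {
  exceptions=" $1 "
  remaining=0
  for id in $(fail_ids); do
    case "$exceptions" in
      *" $id "*) echo "ignored  $id (accepted exception)" ;;
      *)         echo "blocking $id"; remaining=$((remaining + 1)) ;;
    esac
  done
  echo "$remaining blocking failure(s)"
  [ "$remaining" -eq 0 ]
}

# Constructed sample report in the shape of kube-bench output (not a real run).
SAMPLE='[INFO] 1 Master Node Security Configuration
[INFO] 1.1 Master Node Configuration Files
[FAIL] 1.1.1 Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Automated)
[FAIL] 1.1.2 Ensure that the API server pod specification file ownership is set to root:root (Automated)
[PASS] 1.1.3 Ensure that the controller manager pod specification file permissions are set to 644 or more restrictive (Automated)
[WARN] 1.2.1 Ensure that the --anonymous-auth argument is set to false (Manual)'

# Usage on a node, after sourcing this file:
#   sudo kube-bench run | gate "1.1.2"
# With the constructed sample, gate "1.1.2" still exits 1 because 1.1.1 blocks.
```

Keep the exception list in version control next to the reason each ID is accepted (for example a path-based check that does not apply to your distribution). WARN lines are deliberately not gated: they usually mark Manual checks that need a human decision rather than an automated fix.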

Clean Up (Optional)

After completing this tutorial, you may want to clean up the resources you created. To delete the Kubernetes cluster, run the following command ↓

civo k3s delete kube-bench --region NYC1

This command will delete the kube-bench cluster from the NYC1 region in your Civo account.


This tutorial explored the importance of securing Kubernetes clusters and how the Center for Internet Security (CIS) Kubernetes Benchmark provides a comprehensive set of best practices for hardening Kubernetes deployments. We then introduced kube-bench, an open-source tool developed by Aqua Security that lets you assess your cluster's compliance with the CIS Kubernetes Benchmark, and looked at how to read its results and remediations.

Securing a Kubernetes cluster is an ongoing process: stay up to date with the latest security best practices and re-run the benchmark regularly, particularly after configuration changes and Kubernetes upgrades, since CIS benchmark versions track Kubernetes releases.