Quickstart - Aqua Security Kube-Bench

Michael Levan - Nov 9 '22 - - Dev Community

In this Quickstart post, you’ll learn how to get Aqua Security Kube-Bench up and running.

Over the course of the past few weeks, I’ve been testing out and researching a ton of different Kubernetes security scanning tools, and kube-bench is definitely a great tool to get started with. It checks a cluster’s configuration against the CIS Kubernetes Benchmark and tells you what to change.

The Environment

To run this test, two Ubuntu servers were configured. One Ubuntu server is the Control Plane and the other is the Worker Node.

You don’t need Kubeadm to run this. Really, all you need is a Kubernetes cluster running anywhere (even Minikube). If you have a Managed Kubernetes Service in the cloud, that would work as well, with one caveat: kube-bench inspects the local config files and processes of the node it runs on, so on a managed service, where you can’t log in to the control plane, you will only be able to run the worker-node checks.

If you want to test this out in Kubeadm, you can install Kubeadm from the instructions here: https://github.com/AdminTurnedDevOps/Kubernetes-Quickstart-Environments/tree/main/Bare-Metal/kubeadm.

Kubeadm was chosen because every component of the cluster is configured by the engineer, so the results reflect the defaults a kubeadm install leaves behind rather than hardening applied by a cloud provider. In other words, they show how secure (or not) Kubernetes is out of the box.


Installation

The installation process is straightforward and usually takes a few commands, though the exact steps depend on your operating system. The example below is for Ubuntu.

First, download the package.

curl -L https://github.com/aquasecurity/kube-bench/releases/download/v0.6.10/kube-bench_0.6.10_linux_amd64.deb -o kube-bench_0.6.10_linux_amd64.deb


Next, install kube-bench.

sudo apt install ./kube-bench_0.6.10_linux_amd64.deb -f
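The two commands above download and install the package without checking that what was downloaded is what Aqua published. The script below is an added example, not code from the original post or from the kube-bench project: it pins the version, fetches the release checksum list next to the .deb, and refuses to hand the package to apt unless its SHA-256 matches. It assumes the release publishes a `kube-bench_<version>_checksums.txt` file (the usual goreleaser naming); adjust `KB_SUMS` if the release you use names it differently.

```shell
#!/usr/bin/env sh
# Added example (not from the original post): verified download + install of
# a pinned kube-bench release on Ubuntu.
# ASSUMPTION: the GitHub release ships kube-bench_<version>_checksums.txt with
# lines of the form "<sha256>  <filename>". Adjust KB_SUMS if yours differs.
set -eu

KB_VERSION="${KB_VERSION:-0.6.10}"
KB_BASE="https://github.com/aquasecurity/kube-bench/releases/download/v${KB_VERSION}"
KB_DEB="kube-bench_${KB_VERSION}_linux_amd64.deb"
KB_SUMS="kube-bench_${KB_VERSION}_checksums.txt"

# Download the .deb and the checksum list for the pinned version.
# -f makes curl fail on HTTP errors instead of saving an error page as the .deb.
fetch_release() {
  curl -fsSL "${KB_BASE}/${KB_DEB}" -o "${KB_DEB}"
  curl -fsSL "${KB_BASE}/${KB_SUMS}" -o "${KB_SUMS}"
}

# verify_checksum <checksum-file> <artifact>
# Returns 0 only if the artifact's SHA-256 matches its entry in the checksum file.
# A missing entry is treated as a failure, not as "nothing to check".
verify_checksum() {
  sums="$1"
  artifact="$2"
  expected=$(awk -v f="$(basename "$artifact")" '$2 == f { print $1 }' "$sums")
  [ -n "$expected" ] || { echo "no checksum entry for $artifact" >&2; return 1; }
  actual=$(sha256sum "$artifact" | awk '{ print $1 }')
  [ "$expected" = "$actual" ] || { echo "checksum mismatch for $artifact" >&2; return 1; }
}

# Full flow: fetch, verify, then install. apt is only reached after verification.
install_kube_bench() {
  fetch_release
  verify_checksum "$KB_SUMS" "$KB_DEB"
  sudo apt install -y "./${KB_DEB}"
}

# Network and apt are only touched when the script is run as: sh install-kb.sh install
if [ "${1:-}" = "install" ]; then
  install_kube_bench
fi
```

Run it as `sh install-kb.sh install`. Override the version with `KB_VERSION=0.6.10 sh install-kb.sh install`; since the checksum list is fetched for the same pinned version, a bumped version is verified the same way.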


Running Kube-Bench

To confirm kube-bench is installed, test it out on the terminal.

kube-bench

You don’t need to specify any flags or switches. Run with no arguments, kube-bench detects whether it is on a control plane or worker node and which Kubernetes version is running, picks the matching CIS benchmark, and prints the results along with remediations. Run it as root (or with sudo) so it can read the control-plane manifests and kubelet configuration; without that access, checks that depend on those files cannot be evaluated properly.

When you run kube-bench, you’ll see a lot of output. To break it down at a high level, the output is:

  • All tests run on the Control Plane for each Control Plane component (API server, Controller Manager, Scheduler, etcd).
  • Worker-node checks (kubelet, kube-proxy) when run on a worker, plus policy checks covering RBAC, pod security, network policies, and Secrets.
  • All remediation recommendations, including how to fix the problem, links to the fix, and the actual commands you need.
  • A summary of how many checks passed, failed, or were flagged as warnings.



With all of the output from the kube-bench command, you can make decisions and create remediation practices in your environment.
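One way to act on that output is to turn it into a gate: count the failed checks, list their IDs, and fail a pipeline step when the count exceeds an agreed budget. The script below is an added example, not code from the original post or from the kube-bench project. It relies only on the shape of kube-bench’s text output: one `[PASS]`, `[FAIL]`, `[WARN]` or `[INFO]` line per check, each starting with the check ID. The sample output embedded in it is constructed and trimmed to a handful of checks; a real run prints far more.

```shell
#!/usr/bin/env sh
# Added example (not from the original post): parse kube-bench text output and
# use it as a pass/fail gate with a remediation list.
set -eu

# Constructed sample of kube-bench output, cut down to a few checks so the
# script runs offline. Real output has the same per-line shape, just more of it.
SAMPLE_OUTPUT='[INFO] 1 Control Plane Security Configuration
[INFO] 1.1 Control Plane Node Configuration Files
[PASS] 1.1.1 Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Automated)
[FAIL] 1.1.12 Ensure that the etcd data directory ownership is set to etcd:etcd (Automated)
[INFO] 1.2 API Server
[FAIL] 1.2.6 Ensure that the --kubelet-certificate-authority argument is set as appropriate (Automated)
[WARN] 1.2.12 Ensure that the admission control plugin AlwaysPullImages is set (Manual)
[PASS] 1.2.16 Ensure that the admission control plugin NodeRestriction is set (Automated)

== Remediations master ==
1.1.12 Change the ownership of the etcd data directory to etcd:etcd.
1.2.6 Set --kubelet-certificate-authority on the API server to the kubelet CA file.

== Summary master ==
2 checks PASS
2 checks FAIL
1 checks WARN
3 checks INFO'

# count_status <output> <PASS|FAIL|WARN|INFO>
# Counts check lines with the given status. Summary and remediation lines do
# not start with "[STATUS] " so they are ignored.
count_status() {
  printf '%s\n' "$1" | grep -c "^\[$2\] " || true
}

# failed_ids <output>
# Prints the check ID (second field) of every FAIL line, one per line.
failed_ids() {
  printf '%s\n' "$1" | awk '$1 == "[FAIL]" { print $2 }'
}

# gate <output> <max_fail>
# Returns 0 if the FAIL count is within budget, 1 otherwise, printing the
# offending IDs to stderr so the CI log shows exactly what to remediate.
gate() {
  fails=$(count_status "$1" FAIL)
  if [ "$fails" -gt "$2" ]; then
    echo "kube-bench: $fails failed checks exceed budget of $2:" >&2
    failed_ids "$1" >&2
    return 1
  fi
  echo "kube-bench: $fails failed checks within budget of $2"
}

# Usage: sh kb-gate.sh sample [budget]   -> gate the constructed sample
#        sh kb-gate.sh live   [budget]   -> gate a real run (needs root)
case "${1:-}" in
  sample) gate "$SAMPLE_OUTPUT" "${2:-0}" ;;
  live)   gate "$(kube-bench)" "${2:-0}" ;;
esac
```

With the sample and a budget of 0 the gate fails and lists 1.1.12 and 1.2.6; raise the budget to 2 and it passes. Treat the budget as a temporary allowance while findings are being worked off, not a permanent exception list. kube-bench can also emit JSON with `--json`, which is easier to consume with jq once you want more than counts.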
