kube-bench v0.6.8 releases: Checks Kubernetes security best practices as defined in the CIS Kubernetes Benchmark
kube-bench
kube-bench is a Go application that checks whether Kubernetes is deployed securely by running the checks documented in the CIS Kubernetes Benchmark.
Tests are configured with YAML files, making this tool easy to update as test specifications evolve.
Please Note
- kube-bench implements the CIS Kubernetes Benchmark as closely as possible. Please raise issues here if it is not correctly implementing the test as described in the Benchmark. To report issues in the Benchmark itself (for example, tests that you believe are inappropriate), please join the CIS community.
- There is not a one-to-one mapping between releases of Kubernetes and releases of the CIS benchmark. See CIS Kubernetes Benchmark support to see which releases of Kubernetes are covered by different releases of the benchmark.
- It is impossible to inspect the master nodes of managed clusters, e.g. GKE, EKS, and AKS, using kube-bench as one does not have access to such nodes, although it is still possible to use it to check worker node configuration in these environments.
kube-bench supports the tests for Kubernetes as defined in the CIS Kubernetes Benchmarks.
| CIS Kubernetes Benchmark | kube-bench config | Kubernetes versions |
|---|---|---|
| 1.3.0 | cis-1.3 | 1.11-1.12 |
| 1.4.1 | cis-1.4 | 1.13-1.14 |
| 1.5.1 | cis-1.5 | 1.15 |
| 1.6.0 | cis-1.6 | 1.16- |
| GKE 1.0.0 | gke-1.0 | GKE |
| EKS 1.0.0 | eks-1.0 | EKS |
| Red Hat OpenShift hardening guide | rh-0.7 | OCP 3.10-3.11 |
By default, kube-bench will determine the test set to run based on the Kubernetes version running on the machine, but please note that it does not automatically detect OpenShift and GKE – see the section below on Running kube-bench.
Changelog v0.6.8
- chore(lint): setup golangci-lint by @mozillazg in #1144
- Remove a needless debug log by @mozillazg in #1145
- Upgrade goreleaser to v1.7.0 by @mozillazg in #1143
- Bump golangci/golangci-lint-action from 2 to 3 by @dependabot in #1149
- Bump codecov/codecov-action from 2 to 3 by @dependabot in #1150
- Bump actions/setup-go from 2 to 3 by @dependabot in #1151
- Bump github.com/aws/aws-sdk-go from 1.43.27 to 1.43.37 by @dependabot in #1152
- Bump gorm.io/driver/postgres from 1.3.1 to 1.3.4 by @dependabot in #1153
- Bump alpine from 3.15.2 to 3.15.4 by @dependabot in #1146
- Bump gorm.io/gorm from 1.23.3 to 1.23.4 by @dependabot in #1141
- Add support to CIS-1.23 1.0.0 by @tengqm in #1148
- Bump golang from 1.18.0 to 1.18.1 by @dependabot in #1155
- Bump github.com/aws/aws-sdk-go from 1.43.37 to 1.43.41 by @dependabot in #1156
- Bump github.com/spf13/viper from 1.10.0 to 1.11.0 by @dependabot in #1157
- release: prepare v0.6.8-rc1 by @chen-keinan in #1159
Install & Use
Copyright (C) 2017 aquasecurity
