Benchmarking Kubernetes with kube-bench

Overview

kube-bench (by Aqua Security) is an open-source tool that checks whether a Kubernetes cluster is deployed securely by running the checks documented in the CIS Kubernetes Benchmark. It inspects the control-plane components (API server, controller manager, scheduler, etcd), the kubelet and worker-node configuration, and cluster-wide policy settings, and reports each check as PASS, FAIL, WARN, or INFO together with the remediation text from the CIS guidance. FAIL means the configuration was read and does not meet the benchmark; WARN is used for checks that are not scored or cannot be automated (much of the policies section falls here) and still needs a manual review. The checks are defined in YAML files rather than hard-coded, which is how kube-bench keeps pace with new Kubernetes versions and benchmark revisions and ships profiles for managed and alternative distributions (EKS, GKE, AKS, ACK, OpenShift, RKE, k3s). By default it picks the profile from the detected Kubernetes version; on managed services, where the control plane is not reachable from the node, select the distribution's profile explicitly with --benchmark.

Hardening a cluster against the CIS Benchmark directly reduces exposure to T1610 (Deploy Container), the ATT&CK technique in which an adversary deploys a container into the cluster to execute code or evade defenses. Several benchmark checks target exactly the conditions that make this easy in an unhardened cluster: anonymous or unauthenticated access to the API server and the kubelet API, and missing policy controls that allow privileged containers or host namespaces. kube-bench reports the configuration state only; it does not detect a container that has already been deployed.

kube-bench can run as a standalone binary on a node, inside a container, or, most commonly, as a Kubernetes Job whose pod mounts the host's configuration directories (for example /etc/kubernetes and /var/lib/kubelet) read-only and shares the host PID namespace so it can find the running component processes and the flags they were started with. That pod is therefore highly privileged: run it from a trusted namespace and delete it when the scan is done. Output is available as human-readable text, JSON (--json), JUnit (--junit), or AWS Security Finding Format (--asff) and can be written to a PostgreSQL database (--pgsql) for trend tracking.

When to Use

  • When establishing a security baseline for a new Kubernetes cluster against the CIS Kubernetes Benchmark.
  • When performing periodic compliance audits of control-plane and node hardening.
  • When validating remediation after applying hardening changes (re-run to confirm checks now PASS).
  • When integrating cluster compliance scanning into CI/CD or a continuous monitoring pipeline.
  • When preparing evidence for SOC 2, PCI DSS, or internal hardening compliance.
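An added example (not part of kube-bench or this skill) that consumes the report produced by `kube-bench --json`, as you would when wiring the scan into CI or confirming a remediation: it counts statuses, blocks on scored FAILs unless the check id is on a waiver list, and diffs two runs to show which checks were fixed or regressed. The sample report is constructed and trimmed to four checks, and its field names (Controls, tests, results, test_number, test_desc, status, scored, remediation) are assumed to match kube-bench's JSON layout; confirm them against the output of your version before relying on the gate.

```python
"""Gate a pipeline on the JSON report from `kube-bench --json`.

Added example, not kube-bench's own code. The report layout used here
(Controls -> tests -> results, each result carrying test_number, test_desc,
status, scored and remediation) is assumed to match kube-bench's JSON output.
"""
import json
import sys
from collections import Counter

# Constructed sample report, trimmed to four checks across two controls.
SAMPLE_REPORT = json.dumps({
    "Controls": [
        {"id": "1", "text": "Control Plane Components", "node_type": "master",
         "tests": [{"section": "1.2", "desc": "API Server", "results": [
             {"test_number": "1.2.1", "status": "FAIL", "scored": True,
              "test_desc": "Ensure that the --anonymous-auth argument is set to false",
              "remediation": "Set --anonymous-auth=false on the kube-apiserver manifest"},
             {"test_number": "1.2.2", "status": "PASS", "scored": True,
              "test_desc": "Ensure that the --token-auth-file parameter is not set",
              "remediation": "Remove --token-auth-file from the kube-apiserver manifest"},
             {"test_number": "1.2.9", "status": "WARN", "scored": False,
              "test_desc": "Ensure that the admission control plugin EventRateLimit is set",
              "remediation": "Add EventRateLimit to --enable-admission-plugins"}]}]},
        {"id": "4", "text": "Worker Node Security Configuration", "node_type": "node",
         "tests": [{"section": "4.2", "desc": "Kubelet", "results": [
             {"test_number": "4.2.1", "status": "FAIL", "scored": True,
              "test_desc": "Ensure that the --anonymous-auth argument is set to false",
              "remediation": "Set authentication.anonymous.enabled: false in the kubelet config"}]}]},
    ],
    "Totals": {"total_pass": 1, "total_fail": 2, "total_warn": 1, "total_info": 0},
})


def iter_results(report):
    """Yield every check result in the report, in document order."""
    for control in report.get("Controls", []):
        for test in control.get("tests", []):
            yield from test.get("results", [])


def summarize(report_json):
    """Return (status counts, list of FAIL results with id, scored flag and remediation)."""
    report = json.loads(report_json)
    counts = Counter()
    failures = []
    for r in iter_results(report):
        status = r.get("status", "INFO")
        counts[status] += 1
        if status == "FAIL":
            failures.append({"id": r.get("test_number"), "scored": bool(r.get("scored", False)),
                             "desc": r.get("test_desc", ""), "remediation": r.get("remediation", "")})
    return counts, failures


def gate(report_json, waivers=()):
    """Decide whether the scan passes: scored FAILs block unless their id is waived.

    Waivers are check ids with an accepted, documented exception. WARN results are
    reported but never block, since kube-bench uses WARN for unscored or manual checks.
    """
    _, failures = summarize(report_json)
    waived = set(waivers)
    blocking = [f["id"] for f in failures if f["scored"] and f["id"] not in waived]
    return not blocking, blocking


def diff_reports(before_json, after_json):
    """Compare two runs: ids that went FAIL->PASS (fixed) and PASS->FAIL (regressed)."""
    def statuses(report_json):
        return {r.get("test_number"): r.get("status") for r in iter_results(json.loads(report_json))}
    before, after = statuses(before_json), statuses(after_json)
    fixed = sorted(i for i, s in after.items() if s == "PASS" and before.get(i) == "FAIL")
    regressed = sorted(i for i, s in after.items() if s == "FAIL" and before.get(i) == "PASS")
    return fixed, regressed


def with_status(report_json, test_number, status):
    """Return a copy of the report with one check's status changed (simulates a re-run)."""
    report = json.loads(report_json)
    for r in iter_results(report):
        if r.get("test_number") == test_number:
            r["status"] = status
    return json.dumps(report)


# Simulated re-run after fixing the API server's anonymous-auth setting.
REMEDIATED_REPORT = with_status(SAMPLE_REPORT, "1.2.1", "PASS")


def main(argv):
    """Usage: kube_bench_gate.py [report.json] [waived-id ...]; no file runs the built-in sample."""
    if len(argv) > 1:
        with open(argv[1]) as fh:
            report_json = fh.read()
        waivers = argv[2:]
    else:
        report_json, waivers = SAMPLE_REPORT, []
    counts, failures = summarize(report_json)
    print("PASS=%d FAIL=%d WARN=%d INFO=%d" % tuple(counts[s] for s in ("PASS", "FAIL", "WARN", "INFO")))
    for f in failures:
        print("FAIL %s (%s): %s\n     remediation: %s" % (
            f["id"], "scored" if f["scored"] else "unscored", f["desc"], f["remediation"]))
    ok, blocking = gate(report_json, waivers)
    print("gate:", "pass" if ok else "blocked by " + ", ".join(blocking))
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

To use it against a real scan, add `--json` to the Job's command, wait for the pod to complete, capture the report with `kubectl logs job/kube-bench > report.json`, and run `python kube_bench_gate.py report.json 4.2.1`, where any trailing arguments are waived check ids. Keep the waiver list in version control next to the pipeline so every accepted exception has an owner and a reason; waiving by id rather than by description means a benchmark revision that renumbers checks will surface the waived items again instead of silently hiding them.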

Prerequisites

benchmarking-kubernetes-with-kube-bench — mukul975/anthropic-cybersecurity-skills