使用Kube-Bench对Kubernetes进行安全检测

2024-06-14 08:44

本文主要是介绍使用Kube-Bench对Kubernetes进行安全检测,希望对大家解决编程问题提供一定的参考价值,需要的开发者们随着小编来一起学习吧!

使用Kube-Bench对Kubernetes进行安全检测

1. 工具介绍

Kube-Bench是一个开源的Go语言工具,用于自动化检查Kubernetes集群是否符合CIS Kubernetes基准。这些基准包括一系列关于Kubernetes配置和部署安全性的建议和最佳实践。

Kube-Bench执行了一系列针对Kubernetes组件(如kube-apiserver、etcd、kube-scheduler、kube-controller-manager等)的测试,来检查它们是否按照CIS基准的推荐进行了配置。测试结果会被分类为PASS、FAIL或WARN,以清晰明了地显示哪些地方需要改进。

Kube-Bench是在运行时检查Kubernetes环境的工具,它并不会修改系统。你可以定期运行kube-bench来审计你的Kubernetes环境,确保其保持在最佳的安全状态。

官方仓库:https://github.com/aquasecurity/kube-bench

2. CIS Kubernetes Benchmark支持

在Kubernetes环境中,CIS Kubernetes基准就是一套针对Kubernetes的安全配置最佳实践。例如,CIS Kubernetes基准会涵盖如何配置kubelet,如何限制API服务器上的权限等内容。

进入CIS(Center for Internet Security)官网可以下载Kubernetes Benchmark文件。

Kubernetes Benchmark、kube-bench config和Kubernetes配套关系如下:

SourceKubernetes Benchmarkkube-bench configKubernetes versions
CIS1.5.1cis-1.51.15
CIS1.6.0cis-1.61.16-1.18
CIS1.20cis-1.201.19-1.21
CIS1.23cis-1.231.22-1.23
CIS1.24cis-1.241.24
CIS1.7cis-1.71.25
CIS1.8cis-1.81.26
CISGKE 1.0.0gke-1.0GKE
CISGKE 1.2.0gke-1.2.0GKE
CISEKS 1.0.1eks-1.0.1EKS
CISEKS 1.1.0eks-1.1.0EKS
CISEKS 1.2.0eks-1.2.0EKS
CISACK 1.0.0ack-1.0ACK
CISAKS 1.0.0aks-1.0AKS
RHELRedHat OpenShift hardening guiderh-0.7OCP 3.10-3.11
CISOCP4 1.1.0rh-1.0OCP 4.1-
CIS1.6.0-k3scis-1.6-k3sk3s v1.16-v1.24
DISAKubernetes Ver 1, Rel 6eks-stig-kubernetes-v1r6EKS
CISTKGI 1.2.53tkgi-1.2.53vmware
CIS1.7.0-rkerke-cis-1.7rke v1.25-v1.27
CIS1.7.0-rke2rke2-cis-1.6rke2 v1.25-v1.27
CIS1.7.0-k3sk3s-cis-1.7k3s v1.25-v1.27

最新信息请访问 CIS Kubernetes Benchmark support 查看。

默认配置下,Kube-Bench将根据目标设备上运行的Kubernete版本来确定要运行的测试集。

3. 工具安装

3.1 二进制安装

下载地址:https://github.com/aquasecurity/kube-bench/releases

[root@master1 ~]# wget https://github.com/aquasecurity/kube-bench/releases/download/v0.7.3/kube-bench_0.7.3_linux_amd64.tar.gz
[root@master1 ~]# mkdir /opt/kube-bench
# 将二进制文件解压到创建的目录
[root@master1 ~]# tar xf kube-bench_0.7.3_linux_amd64.tar.gz -C /opt/kube-bench/# 查看文件内容
[root@master1 ~]# cd /opt/kube-bench/
[root@master1  kube-bench]# ls
cfg  kube-bench
[root@master1  kube-bench]# ls cfg/
ack-1.0   cis-1.24           cis-1.6-k3s  eks-1.0.1                 gke-1.0       k3s-cis-1.7    rke2-cis-1.24  rke-cis-1.7
aks-1.0   cis-1.24-microk8s  cis-1.7      eks-1.1.0                 gke-1.2.0     rh-0.7         rke2-cis-1.7   tkgi-1.2.53
cis-1.20  cis-1.5            cis-1.8      eks-1.2.0                 k3s-cis-1.23  rh-1.0         rke-cis-1.23
cis-1.23  cis-1.6            config.yaml  eks-stig-kubernetes-v1r6  k3s-cis-1.24  rke2-cis-1.23  rke-cis-1.24
[root@master1 cfg]# cd cis-1.8/
# 各个组件yaml文件记录了需要检测的详细信息
[root@master1 cis-1.8]# ls
config.yaml  controlplane.yaml  etcd.yaml  master.yaml  node.yaml  policies.yaml

cfg/config.yaml包含了相关测试组件配置、配置文件路径、K8S版本和CIS标准映射等。如果k8s的某些配置文件自定义到了非默认的目录,修改config.yaml里的相应目录就行。

[root@master1 kube-bench]# cat cfg/config.yaml
---
## Controls Files.
# These are YAML files that hold all the details for running checks.
#
## Uncomment to use different control file paths.
# masterControls: ./cfg/master.yaml
# nodeControls: ./cfg/node.yamlmaster:components:- apiserver- scheduler- controllermanager- etcd- flanneld# kubernetes is a component to cover the config file /etc/kubernetes/config that is referred to in the benchmark- kubernetes- kubeletkubernetes:defaultconf: /etc/kubernetes/configapiserver:bins:- "kube-apiserver"- "hyperkube apiserver"- "hyperkube kube-apiserver"- "apiserver"- "openshift start master api"- "hypershift openshift-kube-apiserver"confs:- /etc/kubernetes/manifests/kube-apiserver.yaml- /etc/kubernetes/manifests/kube-apiserver.yml- /etc/kubernetes/manifests/kube-apiserver.manifest- /var/snap/kube-apiserver/current/args- /var/snap/microk8s/current/args/kube-apiserver- /etc/origin/master/master-config.yaml- /etc/kubernetes/manifests/talos-kube-apiserver.yaml- /var/lib/rancher/rke2/agent/pod-manifests/kube-apiserver.yamldefaultconf: /etc/kubernetes/manifests/kube-apiserver.yamlscheduler:bins:- "kube-scheduler"...
node:components:- kubelet- proxy# kubernetes is a component to cover the config file /etc/kubernetes/config that is referred to in the benchmark- kuberneteskubernetes:defaultconf: "/etc/kubernetes/config"kubelet:cafile:- "/etc/kubernetes/pki/ca.crt"- "/etc/kubernetes/certs/ca.crt"- "/etc/kubernetes/cert/ca.pem"- "/var/snap/microk8s/current/certs/ca.crt"- "/var/lib/rancher/rke2/agent/server.crt"- "/var/lib/rancher/rke2/agent/client-ca.crt"- "/var/lib/rancher/k3s/agent/client-ca.crt"
...etcd:components:- etcdetcd:bins:- "etcd"datadirs:- /var/lib/etcd/default.etcd- /var/lib/etcd/data.etcdconfs:- /etc/kubernetes/manifests/etcd.yaml- /etc/kubernetes/manifests/etcd.yml
...controlplane:components:- apiserverapiserver:bins:- "kube-apiserver"- "hyperkube apiserver"- "hyperkube kube-apiserver"- "apiserver"policies:components: []managedservices:components: []version_mapping:"1.15": "cis-1.5""1.16": "cis-1.6"
...target_mapping:"cis-1.5":- "master"- "node"- "controlplane"- "etcd"- "policies"
...

3.2 源码安装

工具使用go语言开发,执行如下步骤进行源码安装:

# 安装go
yum install go
# 配置go国内镜像源
go env -w GO111MODULE=on
go env -w GOPROXY=https://goproxy.cn,directgo install github.com/aquasecurity/kube-bench@latest
#安装成功后位于当前用户的go目录下
/root/go/bin./kube-bench --help# Run all checks./kube-bench

4. 运行kube-bench检测

kube-bench支持etcd组件、master节点、node节点等检测。命令运行语法:

./kube-bench --config-dir <配置目录> --config <配置文件> run --targets=<需要检测的组件>

本文测试的K8S环境如下:

# CPU架构
[root@master1 ~]# lscpu | grep 架构
架构:                           x86_64# K8S集群信息,master节点同时也承担worker节点的角色
[root@master1 ~]# kubectl get nodes
NAME        STATUS   ROLES                  AGE   VERSION
master1   Ready    control-plane,master   44d   v1.27.6
master2   Ready    control-plane,master   44d   v1.27.6
master3   Ready    control-plane,master   44d   v1.27.6
# K8S版本为1.27.6
[root@master1 ~]# kubectl version
WARNING: This version information is deprecated and will be replaced with the output from kubectl version --short.  Use --output=yaml|json to get the full version.
Client Version: version.Info{Major:"1", Minor:"27", GitVersion:"v1.27.6", GitCommit:"741c8db18a52787d734cbe4795f0b4ad860906d6", GitTreeState:"clean", BuildDate:"2023-09-13T09:21:34Z", GoVersion:"go1.20.8", Compiler:"gc", Platform:"linux/amd64"}
Kustomize Version: v5.0.1
Server Version: version.Info{Major:"1", Minor:"27", GitVersion:"v1.27.6", GitCommit:"741c8db18a52787d734cbe4795f0b4ad860906d6", GitTreeState:"clean", BuildDate:"2023-09-13T09:14:09Z", GoVersion:"go1.20.8", Compiler:"gc", Platform:"linux/amd64"}# 操作系统为openEuler
[root@master1 ~]# cat /etc/openEuler-latest
openeulerversion=openEuler-22.03-LTS
compiletime=2022-03-30-16-23-56
gccversion=10.3.1-10.oe2203
kernelversion=5.10.0-60.18.0.50.oe2203
openjdkversion=1.8.0.312.b07-11.oe2203

4.1 kube-bench检测etcd组件

[root@master1 kube-bench]# ./kube-bench --config-dir ./cfg/ --config ./cfg/config.yaml run --targets=etcd
[INFO] 2 Etcd Node Configuration
[INFO] 2 Etcd Node Configuration
[FAIL] 2.1 Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated)
[FAIL] 2.2 Ensure that the --client-cert-auth argument is set to true (Automated)
[PASS] 2.3 Ensure that the --auto-tls argument is not set to true (Automated)
[FAIL] 2.4 Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Automated)
[FAIL] 2.5 Ensure that the --peer-client-cert-auth argument is set to true (Automated)
[PASS] 2.6 Ensure that the --peer-auto-tls argument is not set to true (Automated)
[WARN] 2.7 Ensure that a unique Certificate Authority is used for etcd (Manual)== Remediations etcd ==
2.1 Follow the etcd service documentation and configure TLS encryption.
Then, edit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml
on the master node and set the below parameters.
--cert-file=</path/to/ca-file>
--key-file=</path/to/key-file>2.2 Edit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml on the master
node and set the below parameter.
--client-cert-auth="true"2.4 Follow the etcd service documentation and configure peer TLS encryption as appropriate
for your etcd cluster.
Then, edit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml on the
master node and set the below parameters.
--peer-client-file=</path/to/peer-cert-file>
--peer-key-file=</path/to/peer-key-file>2.5 Edit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml on the master
node and set the below parameter.
--peer-client-cert-auth=true2.7 [Manual test]
Follow the etcd documentation and create a dedicated certificate authority setup for the
etcd service.
Then, edit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml on the
master node and set the below parameter.
--trusted-ca-file=</path/to/ca-file>== Summary etcd ==
2 checks PASS
4 checks FAIL
1 checks WARN
0 checks INFO== Summary total ==
2 checks PASS
4 checks FAIL
1 checks WARN
0 checks INFO

根据汇总结果,检测出4个Fail,1个Warn,打印结果给出了相应的详细问题说明和解决方法。

4.2 kube-bench检测master节点

[root@master1 kube-bench]# ./kube-bench --config-dir ./cfg/ --config ./cfg/config.yaml run --targets=master
[INFO] 1 Control Plane Security Configuration
[INFO] 1.1 Control Plane Node Configuration Files
[PASS] 1.1.1 Ensure that the API server pod specification file permissions are set to 600 or more restrictive (Automated)
[PASS] 1.1.2 Ensure that the API server pod specification file ownership is set to root:root (Automated)
[PASS] 1.1.3 Ensure that the controller manager pod specification file permissions are set to 600 or more restrictive (Automated)
[PASS] 1.1.4 Ensure that the controller manager pod specification file ownership is set to root:root (Automated)
[PASS] 1.1.5 Ensure that the scheduler pod specification file permissions are set to 600 or more restrictive (Automated)
[PASS] 1.1.6 Ensure that the scheduler pod specification file ownership is set to root:root (Automated)
[FAIL] 1.1.7 Ensure that the etcd pod specification file permissions are set to 600 or more restrictive (Automated)
[FAIL] 1.1.8 Ensure that the etcd pod specification file ownership is set to root:root (Automated)
[WARN] 1.1.9 Ensure that the Container Network Interface file permissions are set to 600 or more restrictive (Manual)
[WARN] 1.1.10 Ensure that the Container Network Interface file ownership is set to root:root (Manual)
[PASS] 1.1.11 Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)
[FAIL] 1.1.12 Ensure that the etcd data directory ownership is set to etcd:etcd (Automated)
[FAIL] 1.1.13 Ensure that the admin.conf file permissions are set to 600 or more restrictive (Automated)
[PASS] 1.1.14 Ensure that the admin.conf file ownership is set to root:root (Automated)
[FAIL] 1.1.15 Ensure that the scheduler.conf file permissions are set to 600 or more restrictive (Automated)
[PASS] 1.1.16 Ensure that the scheduler.conf file ownership is set to root:root (Automated)
[FAIL] 1.1.17 Ensure that the controller-manager.conf file permissions are set to 600 or more restrictive (Automated)
[PASS] 1.1.18 Ensure that the controller-manager.conf file ownership is set to root:root (Automated)
[PASS] 1.1.19 Ensure that the Kubernetes PKI directory and file ownership is set to root:root (Automated)
[WARN] 1.1.20 Ensure that the Kubernetes PKI certificate file permissions are set to 600 or more restrictive (Manual)
[WARN] 1.1.21 Ensure that the Kubernetes PKI key file permissions are set to 600 (Manual)
[INFO] 1.2 API Server
[WARN] 1.2.1 Ensure that the --anonymous-auth argument is set to false (Manual)
[PASS] 1.2.2 Ensure that the --token-auth-file parameter is not set (Automated)
[WARN] 1.2.3 Ensure that the --DenyServiceExternalIPs is set (Manual)
[PASS] 1.2.4 Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (Automated)
[FAIL] 1.2.5 Ensure that the --kubelet-certificate-authority argument is set as appropriate (Automated)
[PASS] 1.2.6 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)
[PASS] 1.2.7 Ensure that the --authorization-mode argument includes Node (Automated)
[PASS] 1.2.8 Ensure that the --authorization-mode argument includes RBAC (Automated)
[WARN] 1.2.9 Ensure that the admission control plugin EventRateLimit is set (Manual)
[PASS] 1.2.10 Ensure that the admission control plugin AlwaysAdmit is not set (Automated)
[WARN] 1.2.11 Ensure that the admission control plugin AlwaysPullImages is set (Manual)
[WARN] 1.2.12 Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used (Manual)
[PASS] 1.2.13 Ensure that the admission control plugin ServiceAccount is set (Automated)
[PASS] 1.2.14 Ensure that the admission control plugin NamespaceLifecycle is set (Automated)
[PASS] 1.2.15 Ensure that the admission control plugin NodeRestriction is set (Automated)
[FAIL] 1.2.16 Ensure that the --profiling argument is set to false (Automated)
[FAIL] 1.2.17 Ensure that the --audit-log-path argument is set (Automated)
[FAIL] 1.2.18 Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Automated)
[FAIL] 1.2.19 Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Automated)
[FAIL] 1.2.20 Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Automated)
[WARN] 1.2.21 Ensure that the --request-timeout argument is set as appropriate (Manual)
[PASS] 1.2.22 Ensure that the --service-account-lookup argument is set to true (Automated)
[PASS] 1.2.23 Ensure that the --service-account-key-file argument is set as appropriate (Automated)
[PASS] 1.2.24 Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Automated)
[PASS] 1.2.25 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Automated)
[PASS] 1.2.26 Ensure that the --client-ca-file argument is set as appropriate (Automated)
[PASS] 1.2.27 Ensure that the --etcd-cafile argument is set as appropriate (Automated)
[WARN] 1.2.28 Ensure that the --encryption-provider-config argument is set as appropriate (Manual)
[WARN] 1.2.29 Ensure that encryption providers are appropriately configured (Manual)
[PASS] 1.2.30 Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Manual)
[INFO] 1.3 Controller Manager
[WARN] 1.3.1 Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Manual)
[FAIL] 1.3.2 Ensure that the --profiling argument is set to false (Automated)
[PASS] 1.3.3 Ensure that the --use-service-account-credentials argument is set to true (Automated)
[PASS] 1.3.4 Ensure that the --service-account-private-key-file argument is set as appropriate (Automated)
[PASS] 1.3.5 Ensure that the --root-ca-file argument is set as appropriate (Automated)
[PASS] 1.3.6 Ensure that the RotateKubeletServerCertificate argument is set to true (Automated)
[PASS] 1.3.7 Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)
[INFO] 1.4 Scheduler
[FAIL] 1.4.1 Ensure that the --profiling argument is set to false (Automated)
[PASS] 1.4.2 Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)== Remediations master ==
1.1.7 Run the below command (based on the file location on your system) on the control plane node.
For example,
chmod 600 /etc/kubernetes/manifests/etcd.yaml1.1.8 Run the below command (based on the file location on your system) on the control plane node.
For example,
chown root:root /etc/kubernetes/manifests/etcd.yaml1.1.9 Run the below command (based on the file location on your system) on the control plane node.
For example, chmod 600 <path/to/cni/files>1.1.10 Run the below command (based on the file location on your system) on the control plane node.
For example,
chown root:root <path/to/cni/files>1.1.12 On the etcd server node, get the etcd data directory, passed as an argument --data-dir,
from the command 'ps -ef | grep etcd'.
Run the below command (based on the etcd data directory found above).
For example, chown etcd:etcd /var/lib/etcd1.1.13 Run the below command (based on the file location on your system) on the control plane node.
For example, chmod 600 /etc/kubernetes/admin.conf1.1.15 Run the below command (based on the file location on your system) on the control plane node.
For example,
chmod 600 /etc/kubernetes/scheduler.conf1.1.17 Run the below command (based on the file location on your system) on the control plane node.
For example,
chmod 600 /etc/kubernetes/controller-manager.conf1.1.20 Run the below command (based on the file location on your system) on the control plane node.
For example,
chmod -R 600 /etc/kubernetes/pki/*.crt1.1.21 Run the below command (based on the file location on your system) on the control plane node.
For example,
chmod -R 600 /etc/kubernetes/pki/*.key1.2.1 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
on the control plane node and set the below parameter.
--anonymous-auth=false1.2.3 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
on the control plane node and remove the `DenyServiceExternalIPs`
from enabled admission plugins.1.2.5 Follow the Kubernetes documentation and setup the TLS connection between
the apiserver and kubelets. Then, edit the API server pod specification file
/etc/kubernetes/manifests/kube-apiserver.yaml on the control plane node and set the
--kubelet-certificate-authority parameter to the path to the cert file for the certificate authority.
--kubelet-certificate-authority=<ca-string>1.2.9 Follow the Kubernetes documentation and set the desired limits in a configuration file.
Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
and set the below parameters.
--enable-admission-plugins=...,EventRateLimit,...
--admission-control-config-file=<path/to/configuration/file>1.2.11 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
on the control plane node and set the --enable-admission-plugins parameter to include
AlwaysPullImages.
--enable-admission-plugins=...,AlwaysPullImages,...1.2.12 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
on the control plane node and set the --enable-admission-plugins parameter to include
SecurityContextDeny, unless PodSecurityPolicy is already in place.
--enable-admission-plugins=...,SecurityContextDeny,...1.2.16 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
on the control plane node and set the below parameter.
--profiling=false1.2.17 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
on the control plane node and set the --audit-log-path parameter to a suitable path and
file where you would like audit logs to be written, for example,
--audit-log-path=/var/log/apiserver/audit.log1.2.18 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
on the control plane node and set the --audit-log-maxage parameter to 30
or as an appropriate number of days, for example,
--audit-log-maxage=301.2.19 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
on the control plane node and set the --audit-log-maxbackup parameter to 10 or to an appropriate
value. For example,
--audit-log-maxbackup=101.2.20 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
on the control plane node and set the --audit-log-maxsize parameter to an appropriate size in MB.
For example, to set it as 100 MB, --audit-log-maxsize=1001.2.21 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
and set the below parameter as appropriate and if needed.
For example, --request-timeout=300s1.2.28 Follow the Kubernetes documentation and configure a EncryptionConfig file.
Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
on the control plane node and set the --encryption-provider-config parameter to the path of that file.
For example, --encryption-provider-config=</path/to/EncryptionConfig/File>1.2.29 Follow the Kubernetes documentation and configure a EncryptionConfig file.
In this file, choose aescbc, kms or secretbox as the encryption provider.1.3.1 Edit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml
on the control plane node and set the --terminated-pod-gc-threshold to an appropriate threshold,
for example, --terminated-pod-gc-threshold=101.3.2 Edit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml
on the control plane node and set the below parameter.
--profiling=false1.4.1 Edit the Scheduler pod specification file /etc/kubernetes/manifests/kube-scheduler.yaml file
on the control plane node and set the below parameter.
--profiling=false== Summary master ==
33 checks PASS
14 checks FAIL
13 checks WARN
0 checks INFO== Summary total ==
33 checks PASS
14 checks FAIL
13 checks WARN
0 checks INFO

检测到14个Fail,可以根据给出的修补方案进行修改。

4.3 kube-bench检测worker节点

[root@master1 kube-bench]# ./kube-bench --config-dir ./cfg/ --config ./cfg/config.yaml run --targets=node
[INFO] 4 Worker Node Security Configuration
[INFO] 4.1 Worker Node Configuration Files
[FAIL] 4.1.1 Ensure that the kubelet service file permissions are set to 600 or more restrictive (Automated)
[PASS] 4.1.2 Ensure that the kubelet service file ownership is set to root:root (Automated)
[WARN] 4.1.3 If proxy kubeconfig file exists ensure permissions are set to 600 or more restrictive (Manual)
[WARN] 4.1.4 If proxy kubeconfig file exists ensure ownership is set to root:root (Manual)
[PASS] 4.1.5 Ensure that the --kubeconfig kubelet.conf file permissions are set to 600 or more restrictive (Automated)
[PASS] 4.1.6 Ensure that the --kubeconfig kubelet.conf file ownership is set to root:root (Automated)
[WARN] 4.1.7 Ensure that the certificate authorities file permissions are set to 600 or more restrictive (Manual)
[PASS] 4.1.8 Ensure that the client certificate authorities file ownership is set to root:root (Manual)
[FAIL] 4.1.9 If the kubelet config.yaml configuration file is being used validate permissions set to 600 or more restrictive (Automated)
[PASS] 4.1.10 If the kubelet config.yaml configuration file is being used validate file ownership is set to root:root (Automated)
[INFO] 4.2 Kubelet
[PASS] 4.2.1 Ensure that the --anonymous-auth argument is set to false (Automated)
[PASS] 4.2.2 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)
[PASS] 4.2.3 Ensure that the --client-ca-file argument is set as appropriate (Automated)
[PASS] 4.2.4 Verify that the --read-only-port argument is set to 0 (Manual)
[PASS] 4.2.5 Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Manual)
[PASS] 4.2.6 Ensure that the --make-iptables-util-chains argument is set to true (Automated)
[PASS] 4.2.7 Ensure that the --hostname-override argument is not set (Manual)
[PASS] 4.2.8 Ensure that the eventRecordQPS argument is set to a level which ensures appropriate event capture (Manual)
[WARN] 4.2.9 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Manual)
[PASS] 4.2.10 Ensure that the --rotate-certificates argument is not set to false (Automated)
[PASS] 4.2.11 Verify that the RotateKubeletServerCertificate argument is set to true (Manual)
[WARN] 4.2.12 Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Manual)
[WARN] 4.2.13 Ensure that a limit is set on pod PIDs (Manual)== Remediations node ==
4.1.1 Run the below command (based on the file location on your system) on the each worker node.
For example, chmod 600 /etc/systemd/system/kubelet.service.d/10-kubeadm.conf4.1.3 Run the below command (based on the file location on your system) on the each worker node.
For example,
chmod 600 /etc/kubernetes/proxy.conf4.1.4 Run the below command (based on the file location on your system) on the each worker node.
For example, chown root:root /etc/kubernetes/proxy.conf4.1.7 Run the following command to modify the file permissions of the
--client-ca-file chmod 600 <filename>4.1.9 Run the following command (using the config file location identified in the Audit step)
chmod 600 /var/lib/kubelet/config.yaml4.2.9 If using a Kubelet config file, edit the file to set `tlsCertFile` to the location
of the certificate file to use to identify this Kubelet, and `tlsPrivateKeyFile`
to the location of the corresponding private key file.
If using command line arguments, edit the kubelet service file
/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and
set the below parameters in KUBELET_CERTIFICATE_ARGS variable.
--tls-cert-file=<path/to/tls-certificate-file>
--tls-private-key-file=<path/to/tls-key-file>
Based on your system, restart the kubelet service. For example,
systemctl daemon-reload
systemctl restart kubelet.service4.2.12 If using a Kubelet config file, edit the file to set `TLSCipherSuites` to
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
or to a subset of these values.
If using executable arguments, edit the kubelet service file
/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and
set the --tls-cipher-suites parameter as follows, or to a subset of these values.
--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service4.2.13 Decide on an appropriate level for this parameter and set it,
either via the --pod-max-pids command line parameter or the PodPidsLimit configuration file setting.== Summary node ==
15 checks PASS
2 checks FAIL
6 checks WARN
0 checks INFO== Summary total ==
15 checks PASS
2 checks FAIL
6 checks WARN
0 checks INFO

检测到2个Fail,可以根据给出的修补方案进行修改。

4.4 执行全部检测

# 不加targets执行全部检测
[root@master1 kube-bench]# ./kube-bench --config-dir ./cfg/ --config ./cfg/config.yaml run

4.5 手动设置不安全的参数进行检测

可以手动构造不安全的设置,使用工具进行检测:

  1. 构造etcd不安全设置,将/etc/kubernetes/manifests/etcd.yaml文件里的client-cert-auth=true改为client-cert-auth=false。

  2. 构造kube-apiserver不安全设置,将/etc/kubernetes/manifests/kube-apiserver.yaml文件里的authorization-mode授权模式改为AlwaysAllow。

修改后重启kubelet使配置生效,然后使用kube-bench检测是否能检测到,详细操作查看文末的参考资料。

5. 总结

kube-bench是一款强大的工具,它可以帮助我们发现哪些Kubernetes配置没有遵循CIS的最佳实践,从而改正这些问题,增强我们的Kubernetes集群的安全性。虽然kube-bench不能捕获所有可能的安全问题,但它至少可以帮助我们消除最常见的一些安全漏洞。

6. 问题记录

  1. Centos7.9 K8S 环境下面运行kube-bench遇到glibc配套问题,需要更新系统的glibc版本到2.32,由于更新glibc可能造成系统不稳定,改换了系统进行测试。
[root@k8s-master kube-bench]# ./kube-bench --config-dir `pwd`/cfg --config `pwd`/cfg/config.yaml run --targets=etcd
./kube-bench: /lib64/libc.so.6: version `GLIBC_2.32' not found (required by ./kube-bench)
./kube-bench: /lib64/libc.so.6: version `GLIBC_2.34' not found (required by ./kube-bench)

7. 参考资料

https://www.cnblogs.com/renshengdezheli/p/17640119.html

这篇关于使用Kube-Bench对Kubernetes进行安全检测的文章就介绍到这儿,希望我们推荐的文章对编程师们有所帮助!



http://www.chinasem.cn/article/1059918

相关文章

中文分词jieba库的使用与实景应用(一)

知识星球:https://articles.zsxq.com/id_fxvgc803qmr2.html 目录 一.定义: 精确模式(默认模式): 全模式: 搜索引擎模式: paddle 模式(基于深度学习的分词模式): 二 自定义词典 三.文本解析   调整词出现的频率 四. 关键词提取 A. 基于TF-IDF算法的关键词提取 B. 基于TextRank算法的关键词提取

使用SecondaryNameNode恢复NameNode的数据

1)需求: NameNode进程挂了并且存储的数据也丢失了,如何恢复NameNode 此种方式恢复的数据可能存在小部分数据的丢失。 2)故障模拟 (1)kill -9 NameNode进程 [lytfly@hadoop102 current]$ kill -9 19886 (2)删除NameNode存储的数据(/opt/module/hadoop-3.1.4/data/tmp/dfs/na

Hadoop数据压缩使用介绍

一、压缩原则 (1)运算密集型的Job,少用压缩 (2)IO密集型的Job,多用压缩 二、压缩算法比较 三、压缩位置选择 四、压缩参数配置 1)为了支持多种压缩/解压缩算法,Hadoop引入了编码/解码器 2)要在Hadoop中启用压缩,可以配置如下参数

Makefile简明使用教程

文章目录 规则makefile文件的基本语法:加在命令前的特殊符号:.PHONY伪目标: Makefilev1 直观写法v2 加上中间过程v3 伪目标v4 变量 make 选项-f-n-C Make 是一种流行的构建工具,常用于将源代码转换成可执行文件或者其他形式的输出文件(如库文件、文档等)。Make 可以自动化地执行编译、链接等一系列操作。 规则 makefile文件

使用opencv优化图片(画面变清晰)

文章目录 需求影响照片清晰度的因素 实现降噪测试代码 锐化空间锐化Unsharp Masking频率域锐化对比测试 对比度增强常用算法对比测试 需求 对图像进行优化,使其看起来更清晰,同时保持尺寸不变,通常涉及到图像处理技术如锐化、降噪、对比度增强等 影响照片清晰度的因素 影响照片清晰度的因素有很多,主要可以从以下几个方面来分析 1. 拍摄设备 相机传感器:相机传

综合安防管理平台LntonAIServer视频监控汇聚抖动检测算法优势

LntonAIServer视频质量诊断功能中的抖动检测是一个专门针对视频稳定性进行分析的功能。抖动通常是指视频帧之间的不必要运动,这种运动可能是由于摄像机的移动、传输中的错误或编解码问题导致的。抖动检测对于确保视频内容的平滑性和观看体验至关重要。 优势 1. 提高图像质量 - 清晰度提升:减少抖动,提高图像的清晰度和细节表现力,使得监控画面更加真实可信。 - 细节增强:在低光条件下,抖

【Prometheus】PromQL向量匹配实现不同标签的向量数据进行运算

✨✨ 欢迎大家来到景天科技苑✨✨ 🎈🎈 养成好习惯,先赞后看哦~🎈🎈 🏆 作者简介:景天科技苑 🏆《头衔》:大厂架构师,华为云开发者社区专家博主,阿里云开发者社区专家博主,CSDN全栈领域优质创作者,掘金优秀博主,51CTO博客专家等。 🏆《博客》:Python全栈,前后端开发,小程序开发,人工智能,js逆向,App逆向,网络系统安全,数据分析,Django,fastapi

pdfmake生成pdf的使用

实际项目中有时会有根据填写的表单数据或者其他格式的数据,将数据自动填充到pdf文件中根据固定模板生成pdf文件的需求 文章目录 利用pdfmake生成pdf文件1.下载安装pdfmake第三方包2.封装生成pdf文件的共用配置3.生成pdf文件的文件模板内容4.调用方法生成pdf 利用pdfmake生成pdf文件 1.下载安装pdfmake第三方包 npm i pdfma

零基础学习Redis(10) -- zset类型命令使用

zset是有序集合,内部除了存储元素外,还会存储一个score,存储在zset中的元素会按照score的大小升序排列,不同元素的score可以重复,score相同的元素会按照元素的字典序排列。 1. zset常用命令 1.1 zadd  zadd key [NX | XX] [GT | LT]   [CH] [INCR] score member [score member ...]

业务中14个需要进行A/B测试的时刻[信息图]

在本指南中,我们将全面了解有关 A/B测试 的所有内容。 我们将介绍不同类型的A/B测试,如何有效地规划和启动测试,如何评估测试是否成功,您应该关注哪些指标,多年来我们发现的常见错误等等。 什么是A/B测试? A/B测试(有时称为“分割测试”)是一种实验类型,其中您创建两种或多种内容变体——如登录页面、电子邮件或广告——并将它们显示给不同的受众群体,以查看哪一种效果最好。 本质上,A/B测