Skip to main content
Skip table of contents

Kube-bench

Kube-bench by Aqua Security is a tool which verifies that Kubernetes clusters run securely. This tool runs a check against the best practices and guidelines specified in the CIS Kubernetes Benchmark developed by the Center for Internet Security to ensure that your clusters comply with the latest security configuration standards.

Whenever a standard is not met during a scan, an Insights alert is created with comprehensive information on the issue. For more information about this application, refer to the Kube-bench official documentation.

See DKP Insights Release Notes if you wish to know which Kube-bench version is included in this release.

Enable or Disable Kube-bench

Kube-bench is enabled by default, but you can disable it at any time.

Edit the Service configuration with the following values:

CODE
kubeBench:
  enabled: true

To modify an existing installation:

  • Select Workspace, Applications, DKP-Insights, and then Edit to modify an installation.

Change the frequency of Kube-bench Scans

Kube-bench scans run by default every 35 minutes and uses Cron syntax. You can change the default by editing the Service configuration with the following values:

CODE
kubeBench:
  schedule: "@every 35m"

To modify an existing installation:

  • Select Workspace, Applications, DKP-Insights, and then Edit to modify an installation.

Change CIS benchmark version

By default Kube-bench attempts to auto-detect the running version of Kubernetes, and map this to the corresponding CIS Benchmark version. For example, Kubernetes version 1.15 is mapped to CIS Benchmark version cis-1.15 which is the benchmark version valid for Kubernetes 1.15.
For an existing or a new configuration instance, you can change this default behaviour and define a CIS benchmark version to check against, editing the service configuration with the following values:

CODE
kubeBench:
  config:
    instances:
      defaultSetup:
        additionalArgs: ["--version", "cis-1.15"]

The above configuration will configure Kube-bench to check against the cis-1.15 regardless of what running version of Kubernetes is.
To modify an existing installation:

  • Select Workspace, Applications, DKP-Insights, and then Edit to modify an installation.

Severity levels

Kube-bench validation runs only have three possible outcomes:

  • If the validation runs correctly and does not detect any anomalies, no Insight is created.

  • If the validation runs and fails due to a detected anomaly, an Insight is created with the alert level Warning.

  • If the validation check is not able to run or is incomplete, an Insight is created with the alert level Warning.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.