Checks whether Kubernetes is deployed according to the CIS Kubernetes Benchmark
- Stars8.1k
- Forks1.3k
- Open Issues90
Apache-2.0
- Go
- Makefile
- Dockerfile
About kube-bench
kube-bench checks whether a Kubernetes cluster is deployed securely by running the controls from the CIS Kubernetes Benchmark. It compares the cluster's actual settings against the benchmark and shows exactly where a deployment drifts from CIS guidance.
Checks are defined in YAML, and kube-bench picks the right test set automatically based on the Kubernetes version it finds on the node. It can run as a binary on control-plane and worker nodes, or inside a pod with the access it needs to inspect host configuration files.
Results flag each control as pass, fail, warn, or info, making it easy to track remediation and re-run after fixes. It is distributed as a Docker image and binaries, and the same checks back CIS scanning in Trivy and the Trivy Operator.
Key features
- Runs CIS Kubernetes Benchmark controls against a cluster
- Auto-selects the test set for the Kubernetes version
- Runs as a node binary or inside a pod
- Flags each control pass, fail, warn, or info
- Checks defined and customizable in YAML
Details
- First released
- 2017
- Platforms
- Docker · CLI
- Deployment
- self-hostable · docker
- Benchmark
- CIS Kubernetes Benchmark
- Configuration
- YAML files
- Related tools
- Trivy · Trivy Operator