Kube security CIS
Introduction
Kube security CIS runs the CIS benchmark against the Kubernetes cluster and reports how far the cluster complies with it. The CIS benchmark is a set of security best practices that improve the resilience of a Kubernetes cluster.
Use cases
Kube security CIS:
- Determines the compliance of the Kubernetes cluster with the CIS benchmark.
- Finds and fixes security issues in the Kubernetes cluster.
Prerequisites
- Kubernetes > 1.16 is required to execute this fault.
- Appropriate permissions are required to execute this fault.
Mandatory tunables
| Tunable | Description | Notes |
|---|---|---|
| SOCKET_PATH | Path to the containerd, CRI-O, or Docker socket file. | Default: /run/containerd/containerd.sock. |
Optional tunables
| Tunable | Description | Notes |
|---|---|---|
| CONFIG_FILE_PATH | Path to the config file that tunes the benchmark. | Default: /tmp/cis-bench/config.yaml. For more information, go to tune benchmark using config file. |
| TOTAL_CHAOS_DURATION | Duration for which chaos is injected into the target resource (in seconds). | Default: 30 s. For more information, go to duration of the chaos. |
| CHAOS_INTERVAL | Time interval between two successive instance poweroffs (in seconds). | Default: 30 s. For more information, go to chaos interval. |
| SEQUENCE | Sequence of chaos execution for multiple target pods. | Default: parallel. Supports serial sequence. For more information, go to sequence of chaos execution. |
| RAMP_TIME | Period to wait before and after injecting chaos (in seconds). | For example, 30 s. For more information, go to ramp time. |
Sample config file
To tune the benchmark so that it runs only a subset of the tests, provide a config file to the fault. The config file lists the tests to be executed (in YAML format) and can be mounted on the experiment pod as a ConfigMap.
The following YAML snippet illustrates the format of the config file provided as a ConfigMap:
```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: cis-bench
  namespace: litmus
data:
  config.yaml: |
    KubernetesVersion: 1.18
    Benchmark: gke-1.2.0
    Target:
      - master
      - node
      - etcd
      - policies
    CheckGroup:
      - "3.1"
      - "3.2"
    CheckIndividual:
      - "3.1.1"
      - "3.1.2"
      - "3.1.3"
    ExcludeGroup:
      - "3.1"
      - "3.2"
    ExcludeIndividual:
      - "3.1.2"
      - "3.1.3"
      - "3.1.4"
```
Kubernetes version
To specify the Kubernetes version manually, set the KubernetesVersion field in the config file. If the Kubernetes version is not specified, the experiment detects it automatically.
```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: cis-bench
  namespace: litmus
data:
  config.yaml: |
    KubernetesVersion: 1.18
```
Either Benchmark or KubernetesVersion can be specified in the config file, but not both. Providing both throws an error.
Benchmark platform
To specify the benchmark platform manually, set the BenchmarkPlatform value (the Benchmark field in the config file). This selects the CIS benchmark version to be used. If the benchmark platform is not specified, the experiment detects the Kubernetes version automatically and uses the corresponding CIS benchmark version. Go to supported benchmark versions to know more.
```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: cis-bench
  namespace: litmus
data:
  config.yaml: |
    Benchmark: gke-1.2.0
```
Either Benchmark or KubernetesVersion can be specified in the config file, but not both. Providing both throws an error.
Targets
To specify the targets manually, set the Targets value (the Target field in the config file). This selects the groups of tests to be executed. If no targets are specified, the experiment executes the tests for all targets. Supported targets are master, node, etcd, policies, and managedservices.
For example, if the target is policies, the experiment executes the tests for all the policies. Certain benchmark versions support only a subset of the targets. Go to supported targets to know which targets each benchmark version supports.
```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: cis-bench
  namespace: litmus
data:
  config.yaml: |
    Target:
      - master
      - node
      - etcd
```
Specify groups or individual tests
To specify groups or individual tests manually, set the CheckIndividual and/or CheckGroup fields in the config file. These list the tests to be executed. For example, if the group 1.1 is provided, the experiment executes only the 1.1.x tests.
```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: cis-bench
  namespace: litmus
data:
  config.yaml: |
    CheckGroup:
      - "3.1"
      - "3.2"
    CheckIndividual:
      - "4.1.1"
      - "4.1.2"
      - "4.1.3"
```
Skip tests
To skip certain tests, set the ExcludeIndividual and/or ExcludeGroup fields in the config file. These list the tests to be skipped. For example, if the group 1.1 is provided, the experiment skips all the 1.1.x tests.
```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: cis-bench
  namespace: litmus
data:
  config.yaml: |
    ExcludeGroup:
      - "3.1"
      - "3.2"
    ExcludeIndividual:
      - "4.1.2"
      - "4.1.3"
      - "4.1.4"
```
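To see how the Target, CheckGroup/CheckIndividual, and ExcludeGroup/ExcludeIndividual fields combine, and how the Benchmark/KubernetesVersion rule above is enforced, here is an added example resolver that is not part of the fault's own code. The check catalogue is a constructed subset of CIS check IDs, and the precedence (includes narrow the pool, then excludes are removed) is an assumption rather than documented behaviour.

```python
"""Resolve the effective set of CIS checks selected by a cis-bench config.
Added illustration, not the fault's own code; catalogue and precedence are assumptions."""
from typing import Dict, List

# Constructed sample catalogue: target -> check IDs it owns (not the real CIS list).
CATALOGUE: Dict[str, List[str]] = {
    "master": ["1.1.1", "1.1.2", "3.1.1", "3.2.1"],
    "etcd": ["2.1", "2.2"],
    "node": ["4.1.1", "4.1.2", "4.1.3", "4.1.4"],
    "policies": ["5.1.1", "5.2.1"],
}

def in_group(check_id: str, group: str) -> bool:
    """'3.1' covers 3.1 itself and every 3.1.x check, but must not match '3.10.x'."""
    return check_id == group or check_id.startswith(group + ".")

def validate(config: dict, catalogue: Dict[str, List[str]] = CATALOGUE) -> None:
    """Reject what the page documents as errors: both version selectors, or an unknown target."""
    if "Benchmark" in config and "KubernetesVersion" in config:
        raise ValueError("set either Benchmark or KubernetesVersion, not both")
    for target in config.get("Target", []):
        if target not in catalogue:
            raise ValueError(f"unknown target {target!r}")

def resolve_checks(config: dict, catalogue: Dict[str, List[str]] = CATALOGUE) -> List[str]:
    """Target narrows the pool, Check* fields (if present) select from it,
    Exclude* fields remove from the selection. Assumed order: includes, then excludes."""
    validate(config, catalogue)
    targets = config.get("Target") or list(catalogue)
    pool = [cid for t in targets for cid in catalogue[t]]
    groups, singles = config.get("CheckGroup", []), config.get("CheckIndividual", [])
    if groups or singles:
        pool = [c for c in pool if c in singles or any(in_group(c, g) for g in groups)]
    ex_groups, ex_singles = config.get("ExcludeGroup", []), config.get("ExcludeIndividual", [])
    pool = [c for c in pool if c not in ex_singles and not any(in_group(c, g) for g in ex_groups)]
    # Sort numerically by section so "4.1.1" sorts before "5.1.1" and "2.1" before "2.2".
    return sorted(set(pool), key=lambda c: tuple(int(p) for p in c.split(".")))

# Mirrors the "Skip tests" sample above as a constructed dict (no YAML parsing needed).
SKIP_TESTS_CONFIG = {
    "ExcludeGroup": ["3.1", "3.2"],
    "ExcludeIndividual": ["4.1.2", "4.1.3", "4.1.4"],
}

if __name__ == "__main__":
    print(resolve_checks(SKIP_TESTS_CONFIG))
```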