Audit Kubernetes cluster security posture against CIS benchmarks using kube-bench with automated checks for control plane, worker nodes, and RBAC.
kube-bench is an open-source Go tool by Aqua Security that runs the CIS Kubernetes Benchmark checks. It verifies control plane, etcd, worker node, and policy configurations against security best practices, producing actionable pass/fail/warn reports.
# Binary installation
curl -L https://github.com/aquasecurity/kube-bench/releases/download/v0.7.3/kube-bench_0.7.3_linux_amd64.tar.gz | tar xz
sudo mv kube-bench /usr/local/bin/
# Run as Kubernetes Job
kubectl apply -f https://raw.githubusercontent.com/aquasecurity/kube-bench/main/job.yaml
kubectl logs job/kube-bench
# Run as a pod with host access
kubectl apply -f https://raw.githubusercontent.com/aquasecurity/kube-bench/main/job-master.yaml
kubectl apply -f https://raw.githubusercontent.com/aquasecurity/kube-bench/main/job-node.yaml
# Run all checks (auto-detects node type)
kube-bench run
# Run with JSON output
kube-bench run --json > kube-bench-results.json
# Run with JUnit output for CI
kube-bench run --junit > kube-bench-results.xml
# Control plane (master) checks
kube-bench run --targets master
# Worker node checks
kube-bench run --targets node
# etcd checks
kube-bench run --targets etcd
# Policies checks
kube-bench run --targets policies
# Control plane + etcd
kube-bench run --targets master,etcd
# Amazon EKS
kube-bench run --benchmark eks-1.2.0
# Google GKE
kube-bench run --benchmark gke-1.4.0
# Azure AKS
kube-bench run --benchmark aks-1.0
# Red Hat OpenShift
kube-bench run --benchmark rh-1.0
# Show only failures
kube-bench run --targets master | grep "\[FAIL\]"
# Run specific check
kube-bench run --check 1.2.1
# Run check group
kube-bench run --group 1.2
| Section | Component | Key Checks |
|---|---|---|
| 1.1 | Control Plane - API Server | Anonymous auth, RBAC, audit logging |
| 1.2 | Control Plane - API Server | Admission controllers, encryption |
| 1.3 | Control Plane - Controller Manager | Service account tokens, bind address |
| 1.4 | Control Plane - Scheduler | Profiling, bind address |
| 2.1 | etcd | Client cert auth, peer encryption |
| 3.1 | Control Plane - Authentication | OIDC, client certs |
| 4.1 | Worker - kubelet | Anonymous auth, authorization |
| 4.2 | Worker - kubelet | TLS, read-only port |
| 5.1 | Policies - RBAC | Cluster-admin usage, service accounts |
| 5.2 | Policies - Pod Security | Privileged, host namespaces |
| 5.3 | Policies - Network | Network policies per namespace |
| 5.7 | Policies - General | Secrets, security context |
[INFO] 1 Control Plane Security Configuration
[INFO] 1.1 Control Plane Node Configuration Files
[PASS] 1.1.1 Ensure that the API server pod specification file permissions are set to 600
[PASS] 1.1.2 Ensure that the API server pod specification file ownership is set to root:root
[FAIL] 1.1.3 Ensure that the controller manager pod specification file permissions are set to 600
[WARN] 1.1.4 Ensure that the scheduler pod specification file permissions are set to 600
== Summary ==
45 checks PASS
12 checks FAIL
8 checks WARN
0 checks INFO