
Harden Your Managed Kubernetes Cluster

Automating CIS Benchmark Fixes with kube-bench and Ansible


Security Auditing in Kubernetes

Kubernetes clusters, whether AKS, EKS, or on-premises, have multiple resources that are exposed to the internet, and each of these could serve as an entry point for attackers. Cloud providers secure the underlying infrastructure, but securing our workloads and clusters is our responsibility. The more components we run, the more complex securing them becomes, so we need a benchmark against which we can evaluate our configuration. For industries like government and healthcare, compliance with standards such as PCI DSS, HIPAA, and GDPR is mandatory.

CIS Benchmark

What is CIS Benchmark?

The Center for Internet Security (CIS) provides benchmarks for all types of resources, which we can use as a security baseline when hardening our clusters. The Kubernetes benchmark covers the configuration of both the control plane and the worker node components.

Why CIS Benchmark?

CIS Benchmark is often recognised as the standard best practice for security hardening. It includes several checks for the configuration of the Kubernetes cluster and also provides the steps on how we can mitigate these if the checks fail.

We can download the CIS Benchmark for Kubernetes directly from the CIS website.

Benchmarking Kubernetes Cluster

Kube-bench

Kube-bench is a tool by Aqua Security that evaluates the current configuration of a Kubernetes cluster against the CIS Benchmark and generates a report. The report also includes the remediation steps for the issues found in the different components of the cluster. In short, it is an automated benchmarking tool that runs the CIS checks against the current configuration.

Deploying Kube-bench

In our case, the AKS cluster has 10 worker nodes, so it is not efficient to log in to each node, install kube-bench there, and run it to get the CIS Benchmark report. Instead we deploy kube-bench as a DaemonSet (one pod of the DaemonSet on every node of the cluster). The manifest for this is below:

apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: kube-bench
  namespace: kube-system
  labels:
    app: kube-bench
spec:
  selector:
    matchLabels:
      name: kube-bench
  template:
    metadata:
      labels:
        name: kube-bench
    spec:
      # kube-bench inspects the kubelet process arguments, so it needs the host PID namespace.
      hostPID: true
      containers:
        - name: kube-bench
          image: aquasec/kube-bench:latest
          # A DaemonSet pod can only use restartPolicy Always, so a container that exits
          # after the scan would be restarted in a loop. Run the scan once and then keep
          # the container alive so the report stays readable with kubectl logs.
          # (Assumes /bin/sh is present in the image, as it is in the Alpine-based image.)
          command: ["/bin/sh", "-c"]
          args:
            - kube-bench run --targets node --benchmark aks-1.0; tail -f /dev/null
          volumeMounts:
            - name: var-lib-kubelet
              mountPath: /var/lib/kubelet
              readOnly: true
            - name: etc-systemd
              mountPath: /etc/systemd
              readOnly: true
            - name: etc-default
              mountPath: /etc/default
              readOnly: true
            - name: etc-kubernetes
              mountPath: /etc/kubernetes
              readOnly: true
      # DaemonSet pods support only restartPolicy Always; Never is rejected by the API server.
      restartPolicy: Always
      volumes:
        - name: var-lib-kubelet
          hostPath:
            path: /var/lib/kubelet
        - name: etc-systemd
          hostPath:
            path: /etc/systemd
        - name: etc-default
          hostPath:
            path: /etc/default
        - name: etc-kubernetes
          hostPath:
            path: /etc/kubernetes

Now, we need to deploy this manifest to our cluster.

Let’s check for the kube-bench pods in our cluster.

The CIS Benchmark report is written to the logs of these pods. Once a pod is up and the scan has finished, we can read the report with kubectl logs for each pod, as shown below.

Remediation

Here, it is not feasible to log in to each node and disable anonymous auth by hand, so we automate the fix with an Ansible playbook. The playbook is below; it assumes the inventory file is already prepared.

---
- name: Fix --anonymous-auth on AKS worker nodes
  hosts: aks_nodes
  become: true
  # Restart kubelet on one node at a time so the cluster never loses several nodes at once.
  serial: 1
  tasks:
    - name: Add --anonymous-auth=false to the kubelet ExecStart line
      ansible.builtin.lineinfile:
        path: /etc/systemd/system/kubelet.service.d/10-kubeadm.conf
        # The negative lookahead skips an ExecStart line that already carries the flag,
        # so re-running the playbook does not append it a second time.
        regexp: '^(\s*ExecStart=(?!.*--anonymous-auth=false).*)$'
        line: '\1 --anonymous-auth=false'
        backrefs: true
      notify: Restart kubelet

  handlers:
    # Runs only when the unit file actually changed; daemon_reload makes systemd
    # pick up the edited drop-in before kubelet is restarted.
    - name: Restart kubelet
      ansible.builtin.systemd:
        name: kubelet
        state: restarted
        daemon_reload: true

Now, we run this playbook to apply the anonymous-auth fix on every node.

Post Fix Validation

We can run kube-bench again and check the pod logs to validate that the check now passes on every node.
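The full scan, remediate and rescan loop driven from a workstation, as an added example that is not part of the original post and not kube-bench's or Ansible's own tooling. It assumes kubectl and ansible-playbook are on PATH, the DaemonSet above saved as kube-bench-daemonset.yaml (pod label name=kube-bench in kube-system), the inventory saved as inventory.ini with the aks_nodes group, and the playbook saved as fix-anonymous-auth.yml. The two sample reports are constructed, including their node names, check IDs and check text. The parsing functions work on any kube-bench text report, not only on the anonymous-auth check, so the same comparison shows every check that a playbook fixed or missed.

```shell
#!/bin/sh
# Added example (not from the original post): drive the scan -> fix -> rescan cycle
# and compare the two kube-bench reports. Assumed file names: kube-bench-daemonset.yaml,
# inventory.ini, fix-anonymous-auth.yml. run_cycle needs kubectl and ansible-playbook;
# the parsing functions need only awk, sort and comm.

NAMESPACE="kube-system"
POD_SELECTOR="name=kube-bench"   # pod template label from the DaemonSet manifest

# Gather every node's report into one file, each line prefixed with the node name.
# kube-bench ends its output with a "== Summary ..." block, so wait for that marker:
# the pod is already Running while the scan is still in progress.
collect_reports() {
  out="$1"
  : > "$out"
  kubectl -n "$NAMESPACE" get pods -l "$POD_SELECTOR" \
    -o jsonpath='{range .items[*]}{.metadata.name}{" "}{.spec.nodeName}{"\n"}{end}' |
  while read -r pod node; do
    until kubectl -n "$NAMESPACE" logs "$pod" | grep -q '== Summary'; do sleep 5; done
    kubectl -n "$NAMESPACE" logs "$pod" | sed "s/^/$node /" >> "$out"
  done
}

# From a collected report on stdin, print "<node> <check-id>" for every [FAIL] result.
failed_checks() {
  awk '$2 == "[FAIL]" { print $1, $3 }' | sort -u
}

# Checks that failed in the first report and no longer fail in the second.
fixed_checks() {
  before_list=$(mktemp); after_list=$(mktemp)
  failed_checks < "$1" > "$before_list"
  failed_checks < "$2" > "$after_list"
  comm -23 "$before_list" "$after_list"
  rm -f "$before_list" "$after_list"
}

# Checks that still fail after remediation: these need a manual look (node missing from
# the inventory, a different config path, or a check the playbook does not cover).
still_failing() {
  before_list=$(mktemp); after_list=$(mktemp)
  failed_checks < "$1" > "$before_list"
  failed_checks < "$2" > "$after_list"
  comm -12 "$before_list" "$after_list"
  rm -f "$before_list" "$after_list"
}

# Scan, remediate with the playbook, re-create the DaemonSet for a fresh scan, compare.
run_cycle() {
  kubectl apply -f kube-bench-daemonset.yaml
  kubectl -n "$NAMESPACE" rollout status daemonset/kube-bench
  collect_reports before.txt
  ansible-playbook -i inventory.ini fix-anonymous-auth.yml
  kubectl -n "$NAMESPACE" delete daemonset kube-bench
  kubectl apply -f kube-bench-daemonset.yaml
  kubectl -n "$NAMESPACE" rollout status daemonset/kube-bench
  collect_reports after.txt
  echo "fixed:";         fixed_checks before.txt after.txt
  echo "still failing:"; still_failing before.txt after.txt
}

# Constructed sample reports (node names, check IDs and text invented for the example):
# two nodes fail the anonymous-auth check before; only one of them is fixed after.
SAMPLE_BEFORE='aks-nodepool1-0 [INFO] 3 Worker Node Security Configuration
aks-nodepool1-0 [FAIL] 3.2.1 Ensure that the --anonymous-auth argument is set to false (Automated)
aks-nodepool1-0 [PASS] 3.2.2 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)
aks-nodepool1-1 [FAIL] 3.2.1 Ensure that the --anonymous-auth argument is set to false (Automated)
aks-nodepool1-1 [WARN] 3.2.3 Ensure that the --client-ca-file argument is set as appropriate (Manual)'
SAMPLE_AFTER='aks-nodepool1-0 [PASS] 3.2.1 Ensure that the --anonymous-auth argument is set to false (Automated)
aks-nodepool1-0 [PASS] 3.2.2 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)
aks-nodepool1-1 [FAIL] 3.2.1 Ensure that the --anonymous-auth argument is set to false (Automated)
aks-nodepool1-1 [WARN] 3.2.3 Ensure that the --client-ca-file argument is set as appropriate (Manual)'

# Offline demonstration on the samples; pass "run" as the first argument for the live cycle.
if [ "${1:-}" = "run" ]; then
  run_cycle
else
  sample_b=$(mktemp); sample_a=$(mktemp)
  printf '%s\n' "$SAMPLE_BEFORE" > "$sample_b"; printf '%s\n' "$SAMPLE_AFTER" > "$sample_a"
  echo "fixed:";         fixed_checks "$sample_b" "$sample_a"     # aks-nodepool1-0 3.2.1
  echo "still failing:"; still_failing "$sample_b" "$sample_a"    # aks-nodepool1-1 3.2.1
  rm -f "$sample_b" "$sample_a"
fi
```

The node prefix on every report line is what makes the comparison useful: a check that keeps failing on one node after the playbook ran usually points at an inventory gap or a node whose kubelet is configured through a different file, which is exactly the case the manual log review would miss across ten nodes.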

Conclusion

  • Security is critical in any Kubernetes environment—CIS Benchmarks help enforce best practices.

  • kube-bench is a powerful tool to perform CIS compliance scans on Kubernetes nodes.

  • Ansible automation enables efficient, repeatable remediation of benchmark violations across all nodes.

  • The combined approach ensures continuous compliance and minimizes manual configuration drift.