This is a base layer for common code needed to run the CIS Benchmark for Kubernetes. Charms that include this layer will have a `cis-benchmark` action included in their builds. This action invokes the kube-bench utility to test if Kubernetes components comply with the benchmark recommendations.
Run the benchmark action on a charm that includes this layer. For example:

```bash
juju run-action --wait etcd/0 cis-benchmark
```
By default, the action will display a summary of any issues found as well as the command that was executed on the unit. A `report` command is included to facilitate transferring the full benchmark report to a local machine for analysis.
```yaml
results:
  cmd: /home/ubuntu/kube-bench/kube-bench -D /home/ubuntu/kube-bench/cfg-ck
    --benchmark cis-1.23 --noremediations --noresults run --targets etcd
  report: juju scp etcd/0:/home/ubuntu/kube-bench-results/results-text-49681_7h .
  summary: |
    == Summary ==
    7 checks PASS
    0 checks FAIL
    0 checks WARN
    0 checks INFO
status: completed
```
The following parameters can be adjusted to change the default action behavior. See the descriptions in `actions.yaml` for additional supported values beyond the defaults.
When a failure is detected, this action can attempt to automatically fix it. The `apply` parameter is `none` by default, meaning the action will not attempt to apply any automatic remediations.
Specify an archive of custom configuration scripts to use during the benchmark. The `config` parameter is set by default to an archive that is known to work with snap-related components.
Specify the kube-bench release to install and run. This parameter is set by default to a release that is known to work with snap-related components.
Benchmark the `kubernetes-worker` charm using a custom configuration archive:

```bash
juju run-action --wait kubernetes-worker/0 cis-benchmark \
  config='https://github.com/charmed-kubernetes/kube-bench-config/archive/cis-1.23.zip'
```

```yaml
results:
  cmd: /home/ubuntu/kube-bench/kube-bench -D /home/ubuntu/kube-bench/cfg-ck
    --benchmark cis-1.23 --noremediations --noresults run --targets node
  report: juju scp kubernetes-worker/0:/home/ubuntu/kube-bench-results/results-text-nmmlsvy3 .
  summary: |
    == Summary ==
    21 checks PASS
    0 checks FAIL
    3 checks WARN
    0 checks INFO
status: completed
```
Attempt to apply all known fixes to failing benchmark tests using the same configuration archive:

```bash
juju run-action --wait kubernetes-worker/0 cis-benchmark \
  apply='dangerous' \
  config='https://github.com/charmed-kubernetes/kube-bench-config/archive/cis-1.23.zip'
```

```yaml
results:
  cmd: /home/ubuntu/kube-bench/kube-bench -D /home/ubuntu/kube-bench/cfg-ck
    --benchmark cis-1.23 --noremediations --noresults run --targets node
  report: juju scp kubernetes-worker/0:/home/ubuntu/kube-bench-results/results-json-dozp8j3z .
  summary: Applied 3 remediations. Re-run with "apply=none" to generate a new report.
status: completed
```
After the cluster settles, re-run the earlier action to verify previous failures have been fixed:

```bash
juju run-action --wait kubernetes-worker/0 cis-benchmark \
  config='https://github.com/charmed-kubernetes/kube-bench-config/archive/cis-1.23.zip'
```

```yaml
results:
  cmd: /home/ubuntu/kube-bench/kube-bench -D /home/ubuntu/kube-bench/cfg-ck
    --benchmark cis-1.23 --noremediations --noresults run --targets node
  report: juju scp kubernetes-worker/0:/home/ubuntu/kube-bench-results/results-text-4agbktbf .
  summary: |
    == Summary ==
    23 checks PASS
    0 checks FAIL
    0 checks WARN
    0 checks INFO
status: completed
```
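The benchmark/remediate/re-run loop above is easy to automate, but a remediation run prints a remediation count rather than a `== Summary ==` block, so a CI gate must not mistake it for a clean report. The following parser and gate are an added example (not part of this layer or of kube-bench); the action output it parses is a constructed sample that copies the shape and counts shown above, and the `fail_on_warn` switch is an assumption of this example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed samples shaped like `juju run-action --wait ... cis-benchmark` output: a
# report run (counts from the README's worker example) and an apply='dangerous' run.
SAMPLE_REPORT = """\
results:
  report: juju scp kubernetes-worker/0:/home/ubuntu/kube-bench-results/results-text-nmmlsvy3 .
  summary: |
    == Summary ==
    21 checks PASS
    0 checks FAIL
    3 checks WARN
    0 checks INFO
status: completed
"""
SAMPLE_REMEDIATION = """\
results:
  summary: Applied 3 remediations. Re-run with "apply=none" to generate a new report.
status: completed
"""

STATUS_LINE = re.compile(r"^status:\s*(\S+)")
CHECK_LINE = re.compile(r"^\s*(\d+) checks (PASS|FAIL|WARN|INFO)\s*$")
APPLIED_LINE = re.compile(r"^\s*summary: Applied (\d+) remediations")

@dataclass
class BenchmarkResult:
    status: str = "unknown"
    counts: Dict[str, int] = field(default_factory=dict)  # PASS/FAIL/WARN/INFO -> n
    remediations: Optional[int] = None  # set only for an apply= run, never for a report

def parse_action_output(text: str) -> BenchmarkResult:
    """Turn the human-readable action output into structured fields."""
    result = BenchmarkResult()
    for line in text.splitlines():
        if m := STATUS_LINE.match(line):
            result.status = m.group(1)
        elif m := CHECK_LINE.match(line):
            result.counts[m.group(2)] = int(m.group(1))
        elif m := APPLIED_LINE.match(line):
            result.remediations = int(m.group(1))
    return result

def benchmark_passed(result: BenchmarkResult, fail_on_warn: bool = False) -> bool:
    """CI gate: completed, has a summary block (remediation runs have none), no FAIL."""
    if result.status != "completed" or not result.counts:
        return False
    blocking = ("FAIL", "WARN") if fail_on_warn else ("FAIL",)  # WARN blocks only if asked
    return not any(result.counts.get(state, 0) for state in blocking)
```

Feed it the text of `juju run-action --wait <unit> cis-benchmark` and use the gate's result as the job's exit status; the `report` line still gives the `juju scp` command for pulling the full results file.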
This action does not track individual remediations that it applies. However, it does support removing all configuration that it may have set in a charm's `unitdata.kv`. To clear this data from a unit, set the `apply` parameter to `reset`:

```bash
juju run-action --wait kubernetes-worker/0 cis-benchmark \
  apply='reset'
```

```yaml
results:
  summary: Reset is complete. Re-run with "apply=none" to generate a new report.
status: completed
```