README.template.md

File metadata and controls

58 lines (36 loc) · 4.13 KB

MicroK8s & Kubernetes security benchmark from CIS

Goal & Deliverables


MicroK8s analysed for CIS benchmark with kube-bench.

This repository implements a fully automated workflow (microk8s-kube-bench.yml plus microk8s-kube-bench.sh) that installs MicroK8s on Ubuntu on a GitHub Actions runner. kube-bench is then deployed on that cluster and executed to produce the CIS analysis of the cluster's configuration.

The report from the last execution on GitHub CI/CD is appended below. The workflow is scheduled for daily execution via a cron directive in microk8s-kube-bench.yml, so it re-checks new MicroK8s snaps (see below) as they are published.

All suggestions for improvements or extensions are welcome. Same for pull requests!

MicroK8s

MicroK8s by Canonical is a single-package, fully conformant and lightweight Kubernetes distribution that runs on numerous flavours of Linux. It is aimed at developer workstations, IoT, edge and CI/CD. Simple to manage, this pure upstream distribution tracks new upstream releases and patches the day they are published, and the snap package manager takes care of the corresponding automated updates when new upstream code is pushed. The flip side of automatic snap refreshes is that the cluster's configuration can change without any commit to this repository, which is why the benchmark is re-run daily rather than only on push.

Canonical additionally provides various preconfigured standard Kubernetes add-ons on top of the raw distribution: dashboard, istio, knative, metallb, cilium, kubeflow, etc. They make MicroK8s well suited to advanced tests on a laptop, and an easy way to get started with Kubernetes on a stand-alone / personal system.

Kube-bench

As per Wikipedia: "The Center for Internet Security (CIS) is a 501(c)(3) nonprofit organization, formed in October, 2000. Its mission is to 'identify, develop, validate, promote, and sustain best practice solutions for cyber defense and build and lead communities to enable an environment of trust in cyberspace'. The organization is headquartered in East Greenbush, New York, with members including large corporations, government agencies, and academic institutions."

kube-bench by Aqua Security is a Go application that analyses how securely Kubernetes is deployed by running the checks documented in the CIS Kubernetes Benchmark. Tests are configured with YAML files, making this tool easy to update as test specifications evolve.

The numbered items (such as 1.2.3) found in the execution report below correspond to the recommendations carrying the same number in the official CIS Kubernetes Benchmark document, where each one is defined, commented and given a remediation.

Basically, the analysis is executed via a YAML manifest defining a Kubernetes Job deployed on the cluster. This Job runs the aquasec/kube-bench:latest container image pulled from Docker Hub. Because the latest tag is not pinned, two daily reports may have been produced by different kube-bench releases (and therefore possibly different versions of the benchmark); pin a release tag if reports must stay comparable across runs.
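The two paragraphs above describe the Job manifest and the numbered checks in the resulting report. The script below is an added example written for this README; it is not the repository's own microk8s-kube-bench.sh. It renders a kube-bench Job manifest, applies it with `microk8s kubectl`, and then parses the report so the CI step fails when any check is reported as [FAIL] instead of only appending the report. The hostPath mount list follows the upstream kube-bench job.yaml; the /var/snap/microk8s/current mount is an assumption about where MicroK8s keeps its configuration, not a kube-bench default. The sample report at the bottom is constructed for the demo, including its check numbers.

```shell
#!/bin/sh
# Added example (not the repository's microk8s-kube-bench.sh): deploy kube-bench as a
# Kubernetes Job on a MicroK8s node, collect its report and fail the CI step when any
# check is reported as [FAIL]. Assumptions: `microk8s kubectl` works for the calling
# user, and the image tag in KUBE_BENCH_IMAGE can be pulled from the node.
set -eu

# Pin a release tag in CI: "latest" silently changes the set of checks between runs.
KUBE_BENCH_IMAGE="${KUBE_BENCH_IMAGE:-docker.io/aquasec/kube-bench:latest}"
JOB_NAME="kube-bench"

# Emit the Job manifest on stdout. hostPID plus read-only hostPath mounts are what
# let kube-bench inspect the control-plane processes and their config files.
# The mounts follow the upstream job.yaml; /var/snap/microk8s/current is an
# assumption about the MicroK8s file layout, not a kube-bench default.
render_job_manifest() {
  cat <<EOF
apiVersion: batch/v1
kind: Job
metadata:
  name: ${JOB_NAME}
spec:
  template:
    spec:
      hostPID: true
      restartPolicy: Never
      containers:
        - name: kube-bench
          image: ${KUBE_BENCH_IMAGE}
          command: ["kube-bench"]
          volumeMounts:
            - { name: var-lib-kubelet, mountPath: /var/lib/kubelet, readOnly: true }
            - { name: etc-kubernetes, mountPath: /etc/kubernetes, readOnly: true }
            - { name: snap-microk8s, mountPath: /var/snap/microk8s/current, readOnly: true }
      volumes:
        - { name: var-lib-kubelet, hostPath: { path: /var/lib/kubelet } }
        - { name: etc-kubernetes, hostPath: { path: /etc/kubernetes } }
        - { name: snap-microk8s, hostPath: { path: /var/snap/microk8s/current } }
EOF
}

# Apply the Job, wait for it to complete and print the kube-bench report on stdout.
run_benchmark() {
  render_job_manifest | microk8s kubectl apply -f -
  microk8s kubectl wait --for=condition=complete "job/${JOB_NAME}" --timeout=300s
  microk8s kubectl logs "job/${JOB_NAME}"
}

# Number of [FAIL] lines in a kube-bench report read from stdin (prints 0 when none).
count_fails() {
  grep -c '^\[FAIL\]' || true
}

# Benchmark identifiers (e.g. 1.2.16) of every failed check, one per line.
list_fail_ids() {
  sed -n 's/^\[FAIL\] \([0-9][0-9.]*\) .*/\1/p'
}

# Succeed only when the report on stdin has no failed checks, so a pipeline
# ending in this function turns the CI step red on any [FAIL].
gate_on_fails() {
  n=$(count_fails)
  [ "$n" -eq 0 ]
}

# Constructed sample of kube-bench output (not a real report from this workflow;
# the check numbers and titles are illustrative only).
SAMPLE_REPORT='[INFO] 1 Control Plane Security Configuration
[INFO] 1.2 API Server
[PASS] 1.2.1 Ensure that the --anonymous-auth argument is set to false (Manual)
[FAIL] 1.2.16 Ensure that the --audit-log-path argument is set (Automated)
[WARN] 1.2.6 Ensure that the --kubelet-certificate-authority argument is set as appropriate (Automated)
[FAIL] 1.2.17 Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Automated)

== Summary total ==
1 checks PASS
2 checks FAIL
1 checks WARN'

if [ "${1:-}" = "run" ]; then
  # Real run on a MicroK8s node: keep the report for the README, fail on any [FAIL].
  run_benchmark | tee kube-bench-report.txt | gate_on_fails
else
  # Offline demo on the constructed sample.
  printf '%s\n' "$SAMPLE_REPORT" | count_fails      # prints 2
  printf '%s\n' "$SAMPLE_REPORT" | list_fail_ids    # prints 1.2.16 then 1.2.17
fi
```

Invoke it as `sh kube-bench-gate.sh run` on the runner after MicroK8s is up; without the argument it only exercises the parsing on the embedded sample. Gating on [FAIL] alone is deliberate: [WARN] items are the benchmark's manual checks and would otherwise fail every run.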

This article delivers deep and interesting insights on the benchmark.

Fork and setup

If you want to reuse this repository, fork it into your account. You can run the workflow right away from the Actions tab with the 'Run workflow' button, which the workflow YAML enables through its 'workflow_dispatch' trigger. No code change or commit is needed: just run it!

Last execution report