CIS Kubernetes Benchmark
The Center for Internet Security (CIS) publishes the CIS Kubernetes Benchmark as a framework of specific steps to configure Kubernetes more securely and with standards that are commensurate to various industry regulations.
When a new Kubernetes version is released as part of a supported Red Hat OpenShift version, IBM engineers compare the default configuration of a cluster that runs that Kubernetes version against the benchmark and publishes the results in this documentation. You can review how specific versions of your Red Hat® OpenShift® on IBM Cloud® clusters meet the CIS Kubernetes Benchmark.
Available benchmark versions
Use the list to find CIS Kubernetes Benchmark results for available versions.
Using the benchmark
As a security administrator or auditor, you might want to compare your company's internal standards and external regulatory requirements with the CIS Kubernetes Benchmark. The benchmark recommendations are provided by the Center for Internet Security, not by IBM. IBM might not configure default settings in a way that meets every recommendation, but documents whether the recommendation is met to help you in your review. For example, you might use the benchmark in an audit to confirm that basic security measures are in place, and to identify areas where you might enhance your security.
What does the benchmark cover?
The benchmark covers recommendations for master components, etcd, control plane configurations, worker nodes, and policies such as for users, network, and pod security.
What do the benchmark recommendations mean?
The benchmark recommendations have scoring, levels, result status, and responsibilities as follows.
- Scoring
- Scored: The overall benchmark score increases or decreases depending on whether the recommendation is met.
- Not scored: The overall benchmark score is not impacted, whether the recommendation is met.
- Levels
- Level 1: Practical security measures that can be configured without inhibiting the service.
- Level 2: More in-depth security measures that might reduce the performance or functionality of a service.
- Result
- Pass: The service complies with the benchmark recommendation.
- Fail: The service does not comply with the benchmark recommendation by default. Refer to the remediation section for an explanation and possible actions that you can take to comply with the benchmark recommendation.
- Responsibility
- IBM: IBM is responsible for configuring the setting that the benchmark recommends.
- Shared: You and IBM share responsibility for configuring the setting that the benchmark recommends.
What parts of the benchmark am I responsible for?
Because Red Hat OpenShift on IBM Cloud is a managed offering, IBM already configures many security settings for you. For example, IBM manages and automatically applies updates to your cluster master. For your worker nodes, IBM provides security and version updates, but you must apply the updates. You are also responsible for your workload applications and data. For more information, see Your responsibilities while using Red Hat OpenShift on IBM Cloud.
What if some part of the service fails to comply with a recommendation?
First, check the explanation of the failure for any remediation steps.
Then, determine whether the failure is acceptable according to your security requirements. For example, some recommendations might be more in-depth configuration requirements than your particular processes or standards require. Also, some recommendations are not scored, and don't impact the overall benchmark score.
Next, decide whether the component falls within your responsibility. If so, you might need to change how you configure that component. For example, you might configure security context constraints for all your app deployments. For components that are not directly within your responsibility, assess whether you can use another IBM Cloud service to meet the recommendation.
What else can I do to increase the security and compliance of my cluster?
Running the worker node CIS Kubernetes benchmark
To review the results of the CIS Kubernetes benchmark for Section 4: Worker node security configuration, you can run the test yourself. Because you own the worker nodes and are partially responsible for their compliance, you might make configuration changes that you want to validate on your own.
These steps apply to clusters that run Red Hat OpenShift version 4.5 or later only.
Before you begin: Log in to your account. If applicable, target the appropriate resource group. Set the context for your cluster.
-
Create a project for the resources to run the benchmark.
oc create ns ibm-kube-bench-test
-
Create a ConfigMap with the
config
andnode
configuration files from the kube-samples GitHub repository.- Download the
config
andnode
configuration files into a local directory calledibm
. You can also clone the repository and navigate into theibm
directory. - Create the ConfigMap by using the
--from-file
option to specify theibm
directory where your downloaded the configuration files.oc create cm kube-bench-node -n ibm-kube-bench-test --from-file ibm
- Download the
-
Create a job to run the benchmark test based on the configurations that you previously created.
oc apply -n ibm-kube-bench-test -f https://raw.githubusercontent.com/IBM-Cloud/kube-samples/master/cis-kube-benchmark/cis-1.5/ibm/job-node.yaml
-
Check that the job completed.
oc get pods -n ibm-kube-bench-test -l job-name=kube-bench-node
Example output
NAME READY STATUS RESTARTS AGE kube-bench-node-hlvhc 0/1 Completed 0 23s
-
Review the CIS Kubernetes benchmark results for your worker nodes by checking the pod logs.
oc logs -n ibm-kube-bench-test -l job-name=kube-bench-node --tail=-1
Example output
== Summary == 20 checks PASS 2 checks FAIL 1 checks WARN 0 checks INFO
-
Optional: When you are done reviewing results, delete the resources that you created.
oc delete ns ibm-kube-bench-test