☁️ Cloud & container security
kube-bench
Audit your Kubernetes cluster against the CIS Benchmark.
Why use it
kube-bench runs the CIS Kubernetes Benchmark checks against a live cluster and reports pass/fail per item. The fastest way to see how well your cluster is hardened — and the same audit any external assessor will run.
What you get
- CIS Kubernetes Benchmark checks (latest versions)
- Per-component results: master, worker, etcd, controlplane
- JSON, YAML, JUnit output for CI consumption
- Distribution-specific tests (EKS, GKE, AKS, kubeadm, k3s)
System requirements
| Requirement | Minimum |
|---|---|
| CPU | 1 core |
| RAM | 256 MB |
| Disk | 50 MB |
| OS | Linux |
| Docker | Yes |
Installation
Run as a Kubernetes Job: `kubectl apply -f https://raw.githubusercontent.com/aquasecurity/kube-bench/main/job.yaml`, then read the results with `kubectl logs job/kube-bench`. Standalone binary: download a release and run it on each node.
Suggested configuration
Run kube-bench monthly and after upgrades. Track findings over time — fix one or two each iteration rather than trying to remediate everything at once. Most failures fall in three buckets: anonymous-auth, audit-logging, and tighten-RBAC.
Integration ideas
- Push results to Wazuh as compliance events
- Run in GitOps CI on cluster-config PRs
- Combine with Trivy for image + cluster coverage
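As an added example (not kube-bench's own code) of the "track findings over time" approach and the GitOps CI integration above: a small Python gate that parses kube-bench's JSON report, breaks the build only on FAIL items that are not already in an accepted baseline, and lists baseline items that now pass so the baseline can be shrunk each iteration. The JSON field names are assumed from kube-bench's `--json` output, and the report is constructed.

```python
"""CI gate over kube-bench --json output with a tracked baseline (added
example, not kube-bench code). Assumes kube-bench's JSON layout: a
"Controls" list whose "tests" hold "results" with "test_number", "status"
and "remediation". The report below is constructed, not real output."""
import json

# Constructed, abbreviated report in the assumed kube-bench --json layout.
SAMPLE_REPORT = json.dumps({"Controls": [
    {"id": "1", "node_type": "master", "tests": [{"section": "1.2", "results": [
        {"test_number": "1.2.1", "status": "FAIL",
         "remediation": "Set --anonymous-auth=false on the API server."},
        {"test_number": "1.2.2", "status": "PASS", "remediation": ""},
        {"test_number": "1.2.3", "status": "WARN",
         "remediation": "Review the audit policy settings."}]}]},
    {"id": "4", "node_type": "node", "tests": [{"section": "4.2", "results": [
        {"test_number": "4.2.1", "status": "FAIL",
         "remediation": "Set authentication.anonymous.enabled=false for kubelet."}]}]}]})


def failed_checks(report_json):
    """Return {test_number: remediation} for every FAIL result.
    WARN/INFO need manual review, so they are reported, not gated."""
    failed = {}
    for control in json.loads(report_json).get("Controls", []):
        for test in control.get("tests", []):
            for result in test.get("results", []):
                if result.get("status") == "FAIL":
                    failed[result["test_number"]] = result.get("remediation", "")
    return failed


def gate(report_json, baseline):
    """Compare this run's FAILs with the accepted baseline from the last run.
    Returns (regressions, fixed): regressions are FAILs absent from the
    baseline and should break the build; fixed are baseline items now
    passing, so the baseline can shrink one or two items per iteration."""
    current, known = set(failed_checks(report_json)), set(baseline)
    return sorted(current - known), sorted(known - current)


if __name__ == "__main__":
    # Baseline as it would be read from a file checked into the repo.
    regressions, fixed = gate(SAMPLE_REPORT, baseline=["1.2.1", "1.2.5"])
    for check in regressions:
        print(f"NEW FAIL {check}: {failed_checks(SAMPLE_REPORT)[check]}")
    print("fixed since baseline:", fixed)
    raise SystemExit(1 if regressions else 0)
```

In a pipeline, pipe the Job's log output into the script in place of `SAMPLE_REPORT` and keep the baseline list in the same repo as the cluster config so the PR that fixes a check also removes it from the baseline.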
Alternatives
- kubescape — Broader scope (NSA framework, MITRE ATT&CK).
- Polaris — Workload-focused; complements kube-bench.
Cyentrix verdict
Mandatory for anyone running Kubernetes. Run it before you decide your cluster is "ready".