Runs kube-bench to audit Kubernetes clusters against the CIS Kubernetes Benchmark, checking the control plane, worker nodes, etcd, RBAC, and policies for security compliance.
kube-bench is an open-source Go tool from Aqua Security that runs the CIS Kubernetes Benchmark checks. It validates the configuration of the control plane, etcd, worker nodes, and cluster policies against the benchmark's recommendations and produces an actionable PASS/FAIL/WARN report. Checks that kube-bench cannot verify automatically (most of the section 5 policy checks) are reported as WARN and still need manual review.
```bash
# Binary install (pin the release you have reviewed; 0.7.3 is used here)
curl -L https://github.com/aquasecurity/kube-bench/releases/download/v0.7.3/kube-bench_0.7.3_linux_amd64.tar.gz | tar xz
sudo mv kube-bench /usr/local/bin/

# Run as a Kubernetes Job (the scheduler picks the node; use the node-specific
# jobs below when you need a specific node type audited)
kubectl apply -f https://raw.githubusercontent.com/aquasecurity/kube-bench/main/job.yaml
kubectl logs job/kube-bench

# Run as Pods with host access, pinned to control-plane and worker nodes respectively
kubectl apply -f https://raw.githubusercontent.com/aquasecurity/kube-bench/main/job-master.yaml
kubectl apply -f https://raw.githubusercontent.com/aquasecurity/kube-bench/main/job-node.yaml
```
```bash
# Run all checks (node type is detected automatically)
kube-bench run

# JSON output
kube-bench run --json > kube-bench-results.json

# JUnit output for CI
kube-bench run --junit > kube-bench-results.xml
```
```bash
# Control plane (master) checks
kube-bench run --targets master

# Worker node checks
kube-bench run --targets node

# etcd checks
kube-bench run --targets etcd

# Policy checks
kube-bench run --targets policies

# Control plane + etcd
kube-bench run --targets master,etcd
```
```bash
# Managed distributions use their own CIS benchmarks. Without --benchmark,
# kube-bench picks a CIS version from the detected Kubernetes version, which is
# wrong for managed clusters. A benchmark ID must exist as a directory under cfg/
# in the kube-bench release you run; check that before relying on the IDs below.

# Amazon EKS
kube-bench run --benchmark eks-1.2.0

# Google GKE
kube-bench run --benchmark gke-1.4.0

# Azure AKS
kube-bench run --benchmark aks-1.0

# Red Hat OpenShift
kube-bench run --benchmark rh-1.0
```
```bash
# Show only failed items
kube-bench run --targets master | grep "\[FAIL\]"

# Run a specific check
kube-bench run --check 1.2.1

# Run a check group
kube-bench run --group 1.2
```
| Section | Component | Key checks |
|---|---|---|
| 1.1 | Control plane node configuration files | Permissions and ownership of the API server, controller manager, scheduler and etcd manifests, the PKI directory, and kubeconfigs |
| 1.2 | Control plane: API server | Anonymous auth, authorization mode (Node, RBAC), admission plugins, audit logging, TLS, encryption at rest |
| 1.3 | Control plane: Controller Manager | Service account credentials, bind address, profiling |
| 1.4 | Control plane: Scheduler | Profiling, bind address |
| 2 | etcd | Cert and key files, client certificate authentication, auto-TLS disabled, peer TLS |
| 3.1 | Control plane: authentication and authorization | Client certificates not used for user authentication, service account and bootstrap token auth |
| 4.1 | Worker node configuration files | Permissions and ownership of the kubelet service file, kubeconfig, and kubelet config |
| 4.2 | Worker node: kubelet | Anonymous auth, authorization mode (not AlwaysAllow), client CA, read-only port, TLS cert and key |
| 5.1 | Policies: RBAC and service accounts | cluster-admin use, access to secrets, wildcard rules, default service accounts, token automounting |
| 5.2 | Policies: Pod Security Standards | Privileged containers, host PID/IPC/network namespaces, privilege escalation, root containers |
| 5.3 | Policies: network | CNI supports NetworkPolicy, every namespace has a NetworkPolicy |
| 5.4 | Policies: secrets management | Secrets as files rather than environment variables, external secret storage |
| 5.7 | Policies: general | Namespace separation, seccomp profiles, security contexts, no workloads in the default namespace |

Check numbers shift slightly between benchmark versions (cis-1.6, cis-1.8 and so on); read the IDs from the report of the version you actually ran rather than from this table.
```text
[INFO] 1 Control Plane Security Configuration
[INFO] 1.1 Control Plane Node Configuration Files
[PASS] 1.1.1 Ensure that the API server pod specification file permissions are set to 600 or more restrictive
[PASS] 1.1.2 Ensure that the API server pod specification file ownership is set to root:root
[FAIL] 1.1.3 Ensure that the controller manager pod specification file permissions are set to 600 or more restrictive
[WARN] 1.1.4 Ensure that the controller manager pod specification file ownership is set to root:root

== Summary ==
45 checks PASS
12 checks FAIL
8 checks WARN
0 checks INFO
```

Each FAIL and WARN line is followed in the full report by a remediation block; WARN usually means the check is marked manual in the benchmark, not that the setting is wrong.
```yaml
name: CIS Benchmark
on:
  schedule:
    - cron: '0 6 * * 1'   # weekly, Monday 06:00 UTC
jobs:
  kube-bench:
    runs-on: ubuntu-latest
    steps:
      - name: Configure kubectl
        uses: azure/setup-kubectl@v3
      # setup-kubectl only installs the binary; the runner still needs a kubeconfig
      # (from a secret or a cloud login step) whose identity may create Jobs.
      - name: Run kube-bench
        run: |
          # remove a Job left from the previous run, otherwise `apply` leaves the
          # completed Job in place and the logs come from the old pod
          kubectl delete job kube-bench --ignore-not-found
          kubectl apply -f https://raw.githubusercontent.com/aquasecurity/kube-bench/main/job.yaml
          kubectl wait --for=condition=complete job/kube-bench --timeout=120s
          kubectl logs job/kube-bench > kube-bench-report.txt
      - name: Check for failures
        run: |
          FAILS=$(grep -c "\[FAIL\]" kube-bench-report.txt || true)
          echo "Failed checks: $FAILS"
          if [ "$FAILS" -gt 0 ]; then
            echo "::warning::$FAILS CIS benchmark checks failed"
          fi
      - name: Upload report
        uses: actions/upload-artifact@v4
        with:
          name: kube-bench-report
          path: kube-bench-report.txt
```

This workflow only emits a warning; to block a pipeline, exit non-zero in the check step instead.
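Grepping the text report, as the workflow above does, cannot distinguish scored from unscored checks or carry the remediation text into the CI log. The JSON report from `kube-bench run --json` can. The script below is an added example, not kube-bench code or part of this skill: it reads that JSON (a top-level object with a `Controls` list and a `Totals` dict, each control holding `tests`, each test holding `results` with `test_number`, `status`, `scored` and `remediation`), prints every FAIL with its remediation, honours an allowlist of accepted findings, and returns a non-zero exit code above a threshold. `SAMPLE_REPORT` is a constructed fragment in that shape, not output captured from a cluster.

```python
"""Gate a CI job on kube-bench's JSON report (added example, not kube-bench code).

Field names follow kube-bench's JSON output; SAMPLE_REPORT is a constructed
fragment in that shape, not real cluster output.
"""
import json
import sys

SAMPLE_REPORT = json.dumps({
    "Controls": [{
        "id": "1", "version": "cis-1.8", "node_type": "master",
        "text": "Control Plane Security Configuration",
        "tests": [
            {"section": "1.1", "desc": "Control Plane Node Configuration Files",
             "results": [
                 {"test_number": "1.1.1", "status": "PASS", "scored": True,
                  "test_desc": "Ensure that the API server pod specification file permissions are set to 600 or more restrictive",
                  "remediation": "chmod 600 /etc/kubernetes/manifests/kube-apiserver.yaml"},
                 {"test_number": "1.1.3", "status": "FAIL", "scored": True,
                  "test_desc": "Ensure that the controller manager pod specification file permissions are set to 600 or more restrictive",
                  "remediation": "chmod 600 /etc/kubernetes/manifests/kube-controller-manager.yaml"},
                 {"test_number": "1.1.4", "status": "WARN", "scored": False,
                  "test_desc": "Ensure that the controller manager pod specification file ownership is set to root:root",
                  "remediation": "chown root:root /etc/kubernetes/manifests/kube-controller-manager.yaml"}]},
            {"section": "1.2", "desc": "API Server",
             "results": [
                 {"test_number": "1.2.1", "status": "FAIL", "scored": True,
                  "test_desc": "Ensure that the --anonymous-auth argument is set to false",
                  "remediation": "Edit /etc/kubernetes/manifests/kube-apiserver.yaml and set --anonymous-auth=false"}]}]}],
    "Totals": {"total_pass": 1, "total_fail": 2, "total_warn": 1, "total_info": 0},
})


def load_report(text):
    """Parse the JSON text that `kube-bench run --json` writes."""
    return json.loads(text)


def iter_results(report):
    """Yield (node_type, section, result) for every check in the report."""
    for control in report.get("Controls", []):
        for test in control.get("tests", []):
            for result in test.get("results", []):
                yield control.get("node_type", ""), test.get("section", ""), result


def failed_checks(report, allowlist=(), scored_only=True):
    """FAIL results not on the allowlist, as (test_number, node_type, remediation).

    WARN is deliberately ignored: kube-bench reports manual checks as WARN, so
    gating on WARN would fail every run until each manual item is reviewed.
    """
    fails = []
    for node_type, _section, r in iter_results(report):
        if r.get("status") != "FAIL":
            continue
        if scored_only and not r.get("scored", True):
            continue
        if r.get("test_number") in allowlist:
            continue
        fails.append((r["test_number"], node_type, (r.get("remediation") or "").strip()))
    return fails


def gate(report_text, allowlist=(), max_fail=0):
    """Print each failed check with its remediation; return the process exit code."""
    fails = failed_checks(load_report(report_text), allowlist)
    for test_number, node_type, remediation in fails:
        print(f"[FAIL] {test_number} ({node_type}): {remediation}")
    print(f"{len(fails)} failed check(s), threshold {max_fail}")
    return 0 if len(fails) <= max_fail else 1


if __name__ == "__main__":
    # usage: python gate.py kube-bench-results.json [accepted check IDs...]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    sys.exit(gate(text, allowlist=set(sys.argv[2:])))
```

In the workflow, replace the grep step with `kubectl logs job/kube-bench > kube-bench-results.json` after switching the Job's command to `--json`, then run this script on the file; the allowlist is where accepted exceptions (for example, a managed control plane you cannot change) are recorded explicitly rather than silently ignored.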
Typical remediations for the two most common FAIL items, the API server accepting anonymous requests (section 1.2) and the kubelet doing the same (section 4.2):

```yaml
# /etc/kubernetes/manifests/kube-apiserver.yaml (static pod; kubelet restarts it on change)
spec:
  containers:
  - command:
    - kube-apiserver
    - --anonymous-auth=false
    - --authorization-mode=Node,RBAC   # never AlwaysAllow
    - --profiling=false
```

```yaml
# /var/lib/kubelet/config.yaml (restart the kubelet afterwards)
authentication:
  anonymous:
    enabled: false
  webhook:
    enabled: true
authorization:
  mode: Webhook        # default AlwaysAllow grants every authenticated caller everything
readOnlyPort: 0        # disables the unauthenticated 10255 read-only API
```
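Most section 1.2 checks are flag checks: kube-bench reads the running kube-apiserver command line (its audit step is effectively `ps -ef | grep kube-apiserver`) and compares flag values against the benchmark. The point that trips up manual verification is that an absent flag is not a pass; it has to be judged at the binary's default, which for the flags below is the insecure direction (anonymous auth on, profiling on, no audit log, `AlwaysAllow`). The following added example, not kube-bench code or part of this skill, reimplements that logic for a handful of API server flags; the two command lines are constructed samples and the checks are named by flag rather than by number because numbering differs between benchmark versions.

```python
"""Evaluate a few section 1.2 style API server flag checks the way kube-bench
does (added example, not kube-bench code). Both command lines are constructed."""
import shlex

# Constructed: a minimal line with no hardening flags (and bare --profiling)
WEAK_CMDLINE = (
    "kube-apiserver --advertise-address=10.0.0.1 "
    "--etcd-servers=https://127.0.0.1:2379 --authorization-mode=AlwaysAllow --profiling"
)
# Constructed: the same server with the remediations applied
HARDENED_CMDLINE = (
    "kube-apiserver --advertise-address=10.0.0.1 --anonymous-auth=false "
    "--authorization-mode=Node,RBAC --audit-log-path=/var/log/kubernetes/audit.log "
    "--profiling=false --etcd-servers=https://127.0.0.1:2379"
)


def parse_flags(cmdline):
    """Map --flag=value tokens to {flag: value}; a bare --flag is a boolean set to true."""
    flags = {}
    for tok in shlex.split(cmdline)[1:]:
        if tok.startswith("--"):
            name, sep, value = tok[2:].partition("=")
            flags[name] = value if sep else "true"
    return flags


def check_api_server(cmdline):
    """Return {check name: (status, observed value)}.

    A flag that is not set is evaluated at the kube-apiserver default, which is
    the insecure value for every flag here: anonymous-auth=true, profiling=true,
    authorization-mode=AlwaysAllow, and no audit log path.
    """
    f = parse_flags(cmdline)
    results = {}

    anon = f.get("anonymous-auth", "true")
    results["anonymous-auth=false"] = ("PASS" if anon == "false" else "FAIL", anon)

    modes = f.get("authorization-mode", "AlwaysAllow").split(",")
    results["authorization-mode excludes AlwaysAllow"] = (
        "FAIL" if "AlwaysAllow" in modes else "PASS", ",".join(modes))
    results["authorization-mode includes Node and RBAC"] = (
        "PASS" if {"Node", "RBAC"} <= set(modes) else "FAIL", ",".join(modes))

    audit = f.get("audit-log-path", "")
    results["audit-log-path set"] = ("PASS" if audit else "FAIL", audit or "<unset>")

    prof = f.get("profiling", "true")
    results["profiling=false"] = ("PASS" if prof == "false" else "FAIL", prof)
    return results


def failing(cmdline):
    """Sorted names of the checks that FAIL for this command line."""
    return sorted(name for name, (status, _) in check_api_server(cmdline).items()
                  if status == "FAIL")


if __name__ == "__main__":
    for label, line in (("weak", WEAK_CMDLINE), ("hardened", HARDENED_CMDLINE)):
        print(f"== {label} ==")
        for name, (status, observed) in check_api_server(line).items():
            print(f"[{status}] {name} (observed: {observed})")
```

To run it against a live node, feed it the output of `ps -o args= -C kube-apiserver` instead of the constructed strings; for kubeadm clusters the same flags also appear in the static pod manifest shown above.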
For the section 5.1 RBAC findings, list ClusterRoles that grant `*` on resources. The `[]?` forms are needed because rules that only carry `nonResourceURLs` (for example `system:discovery`) have no `resources` key, and the original `.rules[].resources[]` form aborts with "Cannot iterate over null" on the first such role:

```bash
# Find ClusterRoles with wildcard resource permissions
kubectl get clusterroles -o json \
  | jq -r '.items[] | select([.rules[]? | .resources[]?] | index("*")) | .metadata.name'
```
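The jq one-liner names wildcard roles but says nothing about who holds them, which is what the cluster-admin check in section 5.1 is actually about. The following added example, not from the skill or from kube-bench, walks the JSON printed by `kubectl get clusterroles -o json` and `kubectl get clusterrolebindings -o json`, reports every ClusterRole with `*` in `resources`, `verbs` or `apiGroups`, and then lists the subjects bound to any of those roles. The objects are constructed samples; they include a role with only `nonResourceURLs` (no `resources` key) and a role with a null `rules` list, the two shapes that break naive traversal.

```python
"""Find over-privileged RBAC from kubectl JSON (added example; constructed objects,
not real cluster output)."""
import json

# Constructed: what `kubectl get clusterroles -o json` might return
CLUSTERROLES = json.dumps({"items": [
    {"metadata": {"name": "cluster-admin"}, "rules": [
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
        {"nonResourceURLs": ["*"], "verbs": ["*"]}]},
    {"metadata": {"name": "system:discovery"}, "rules": [
        {"nonResourceURLs": ["/api", "/healthz"], "verbs": ["get"]}]},  # no "resources" key
    {"metadata": {"name": "ci-deployer"}, "rules": [
        {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["*"]}]},
    {"metadata": {"name": "pod-reader"}, "rules": [
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
    {"metadata": {"name": "empty-role"}, "rules": None},  # aggregated roles can have null rules
]})

# Constructed: what `kubectl get clusterrolebindings -o json` might return
BINDINGS = json.dumps({"items": [
    {"metadata": {"name": "cluster-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:masters"}]},
    {"metadata": {"name": "ci-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "ci", "namespace": "ci"}]},
    {"metadata": {"name": "deployers"},
     "roleRef": {"kind": "ClusterRole", "name": "ci-deployer"},
     "subjects": [{"kind": "User", "name": "alice"}]},
    {"metadata": {"name": "readers"},
     "roleRef": {"kind": "ClusterRole", "name": "pod-reader"},
     "subjects": [{"kind": "Group", "name": "devs"}]},
]})


def wildcard_roles(clusterroles_json):
    """Return {role name: set of rule fields containing '*'} for every wildcard role."""
    found = {}
    for role in json.loads(clusterroles_json)["items"]:
        for rule in role.get("rules") or []:  # rules may be null
            hits = {field for field in ("resources", "verbs", "apiGroups")
                    if "*" in (rule.get(field) or [])}  # field may be absent
            if hits:
                found.setdefault(role["metadata"]["name"], set()).update(hits)
    return found


def risky_subjects(bindings_json, risky_roles):
    """Sorted 'role <- kind/[namespace/]name' lines for subjects bound to a risky ClusterRole."""
    lines = set()
    for binding in json.loads(bindings_json)["items"]:
        ref = binding.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") not in risky_roles:
            continue
        for subject in binding.get("subjects") or []:  # subjects may be null
            ns = subject.get("namespace")
            who = f"{subject['kind']}/{ns + '/' if ns else ''}{subject['name']}"
            lines.add(f"{ref['name']} <- {who}")
    return sorted(lines)


if __name__ == "__main__":
    roles = wildcard_roles(CLUSTERROLES)
    for name, fields in sorted(roles.items()):
        print(f"wildcard role: {name} ({', '.join(sorted(fields))})")
    for line in risky_subjects(BINDINGS, set(roles)):
        print(f"bound: {line}")
```

Run it on a real cluster with `kubectl get clusterroles -o json > roles.json` and `kubectl get clusterrolebindings -o json > bindings.json` and pass the file contents in place of the constructed strings; expect `cluster-admin` itself and a few `system:` roles to appear, the review question is every non-system subject bound to them.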