CIS Benchmark for Kubernetes using Rafay

The Center for Internet Security (CIS) benchmark for Kubernetes consists of secure configuration guidelines especially for Kubernetes infrastructure set-up. These benchmarks encapsulate best practice security recommendations for configuring Kubernetes to support a strong security posture. The CIS Kubernetes Benchmark is written for the open source, upstream Kubernetes distribution and intended to be as universally applicable across distributions as possible.

In this blog, we describe how our customers perform CIS benchmark scans of their fleet of Kubernetes clusters using Rafay.


Background

The Kubernetes CIS Benchmark contains >250 pages describing how to secure Kubernetes infrastructure. The benchmark itself is categorized into several sections as described below.

Control Plane Components

Recommendations for the configuration of the Kubernetes control plane. This includes the API Server, etcd, and Container Network Interface (CNI).

Control Plane Configuration

Recommendations for how the Kubernetes control plane is configured.

Worker Nodes

Recommendations for securing configuration files and defining specific configuration settings for the Kubelet and other components on worker nodes.

Policies

Recommendations for specific policies for Kubernetes elements like RBAC, pods and the container network interface (CNI), to improve security.

Important

The CIS benchmark is tied to a specific Kubernetes release.


Validating Compliance

Rafay maintains a dedicated page on CIS compliance for Kubernetes clusters and distributions whose lifecycle is managed by the Rafay Controller.

Several open source and commercial tools are available that automatically verify if Kubernetes clusters are compliant with the controls outlined in the CIS benchmark. These tools will also flag any non-compliant configurations.

Important

Note that these tools cannot test every permutation of a compliant configuration, so a meaningful rate of "false positives" should be expected and factored into the review process.

Based on our experience in the field with organizations doing this with 100s of Kubernetes clusters, we recommend that our customers use the Trivy Operator maintained by Aqua Security as a tool to check for compliance with the CIS benchmark for Kubernetes.

Note

Trivy is a healthy OSS project based on the friendly Apache 2.0 license and has a large number of contributors.

Given the frequency of questions from customers about the CIS Benchmark for Kubernetes, we have invested in step-by-step documentation that clearly describes how to use the Trivy Operator with Rafay across a fleet of Kubernetes clusters.


Step 1: Cluster Blueprint

The first step is the creation of an organizational baseline that will bring the Trivy Operator as an add-on in a version controlled cluster blueprint. This blueprint can then be used on the entire fleet of Kubernetes clusters spanning the organization.

Note that the use of this cluster blueprint on a cluster guarantees that Trivy is active and enabled on the cluster.

We recommend that our customers do this declaratively at cluster provisioning time. For example, this can be done in an external pipeline using Rafay's RCTL CLI. The "cluster-spec.yaml" declarative spec points to the organization's cluster blueprint, so the Trivy Operator is deployed automatically as the cluster is provisioned.

rctl apply -f cluster-spec.yaml 

Step 2: Aggregate Results

With 10s or 100s of clusters organization wide, it is critical to have the means to centrally aggregate CIS benchmark reports to demonstrate "compliance" to the auditors. By default, the Trivy operator scans the cluster every 6 hours. Each scan results in an updated cluster compliance report that can be downloaded as described below.

Our customers use Rafay's Zero Trust Kubectl as the means to securely access their fleet of clusters to centrally aggregate the CIS Benchmark reports.

For example, an external pipeline can download the consolidated kubeconfig containing all cluster contexts and retrieve the CIS scan results from every cluster in seconds. The diagram below illustrates the flow.

sequenceDiagram
    participant siem as Splunk
    participant pipe as Pipeline 
    participant rafay as Rafay Controller 
    participant cluster as Cluster Fleet 

    loop Every "x" Hours 
      pipe ->> rafay: Download consolidated kubeconfig 
      loop Every Cluster
        pipe ->> rafay: Retrieve CIS scan report from each cluster <br> using Rafay's zero trust kubectl 
        rafay ->> cluster: Retrieve CIS scan report 
        pipe ->> siem: Store CIS scan report 
      end
    end 

We see organizations prefer to aggregate the CIS Benchmark compliance report in the organization's preferred CMDB such as Service Now or enterprise security platform such as Splunk. This ensures that the compliance team has visibility and access to every compliance report right from the birth of each cluster. They can then leverage these reports to demonstrate compliance to their auditors.
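The aggregation loop in the diagram, written out as an added example (not Rafay's or Aqua's code): it lists the contexts in the consolidated kubeconfig, pulls each cluster's Trivy Operator ClusterComplianceReport with kubectl, and flattens the results into newline-delimited JSON events that a SIEM such as Splunk or a CMDB importer can ingest. The field layout (status.summary, status.summaryReport.controlCheck, totalFail) follows the Trivy Operator report as I understand it and should be checked against your operator version; the cluster names, control names and counts in SAMPLE_REPORTS are constructed. Two cases a compliance pipeline must not get wrong are handled explicitly: a cluster whose first scan has not completed yet is recorded as pending rather than compliant, and a cluster that cannot be reached becomes an error event instead of silently disappearing from the report.

```python
"""Added example: pull Trivy Operator compliance reports from every cluster in a
consolidated kubeconfig and flatten them into records a SIEM or CMDB can ingest."""
import json
import subprocess
from typing import Callable

# Constructed sample of what `kubectl get clustercompliancereports -o json` returns
# per cluster. The layout follows Trivy Operator's ClusterComplianceReport (assumed:
# status.summary and status.summaryReport.controlCheck); names and counts are made up.
SAMPLE_REPORTS = {
    "prod-east": {"kind": "List", "items": [{
        "metadata": {"name": "k8s-cis"},
        "status": {
            "summary": {"failCount": 2, "passCount": 2},
            "summaryReport": {"controlCheck": [
                {"id": "1.1.1", "name": "API server pod spec file permissions", "severity": "HIGH", "totalFail": 1},
                {"id": "1.2.1", "name": "anonymous-auth disabled on API server", "severity": "MEDIUM", "totalFail": 0},
                {"id": "4.2.1", "name": "anonymous-auth disabled on kubelet", "severity": "HIGH", "totalFail": 3},
                {"id": "5.1.1", "name": "cluster-admin used only where required", "severity": "HIGH", "totalFail": 0},
            ]},
        },
    }]},
    "prod-west": {"kind": "List", "items": [{
        "metadata": {"name": "k8s-cis"},
        "status": {
            "summary": {"failCount": 0, "passCount": 2},
            "summaryReport": {"controlCheck": [
                {"id": "1.1.1", "name": "API server pod spec file permissions", "severity": "HIGH", "totalFail": 0},
                {"id": "4.2.1", "name": "anonymous-auth disabled on kubelet", "severity": "HIGH", "totalFail": 0},
            ]},
        },
    }]},
    # Freshly provisioned cluster: the operator has not finished its first scan, so no status yet.
    "staging": {"kind": "List", "items": [{"metadata": {"name": "k8s-cis"}}]},
}


def kubectl_contexts(kubeconfig: str) -> list[str]:
    """List every cluster context in the consolidated kubeconfig (real kubectl call)."""
    out = subprocess.run(
        ["kubectl", "--kubeconfig", kubeconfig, "config", "get-contexts", "-o", "name"],
        check=True, capture_output=True, text=True).stdout
    return [line for line in out.splitlines() if line.strip()]


def kubectl_fetch(kubeconfig: str) -> Callable[[str], dict]:
    """Return a fetcher that reads one context's ClusterComplianceReports via kubectl."""
    def fetch(context: str) -> dict:
        out = subprocess.run(
            ["kubectl", "--kubeconfig", kubeconfig, "--context", context,
             "get", "clustercompliancereports", "-o", "json"],
            check=True, capture_output=True, text=True).stdout
        return json.loads(out)
    return fetch


def summarize(cluster: str, doc: dict) -> tuple[list[dict], list[dict]]:
    """Turn one cluster's report list into (per-benchmark summaries, failing-control findings)."""
    summaries, findings = [], []
    for item in doc.get("items", []):
        benchmark = item["metadata"]["name"]
        status = item.get("status") or {}
        counts = status.get("summary")
        if counts is None:
            # No completed scan: report it as pending, never as compliant.
            summaries.append({"cluster": cluster, "benchmark": benchmark, "pending": True,
                              "pass": 0, "fail": 0, "compliant": False})
            continue
        fail = counts.get("failCount", 0)
        summaries.append({"cluster": cluster, "benchmark": benchmark, "pending": False,
                          "pass": counts.get("passCount", 0), "fail": fail,
                          "compliant": fail == 0})
        for check in status.get("summaryReport", {}).get("controlCheck", []):
            if check.get("totalFail", 0) > 0:  # only non-compliant controls become findings
                findings.append({"cluster": cluster, "benchmark": benchmark,
                                 "control": check["id"], "name": check.get("name", ""),
                                 "severity": check.get("severity", "UNKNOWN"),
                                 "failing_resources": check["totalFail"]})
    return summaries, findings


def aggregate(contexts, fetch: Callable[[str], dict]) -> dict:
    """Collect summaries and findings fleet-wide; unreachable clusters are recorded, not hidden."""
    result = {"summaries": [], "findings": [], "errors": []}
    for ctx in contexts:
        try:
            doc = fetch(ctx)
        except Exception as exc:  # a cluster that cannot be audited is itself an audit finding
            result["errors"].append({"cluster": ctx, "error": str(exc)})
            continue
        s, f = summarize(ctx, doc)
        result["summaries"].extend(s)
        result["findings"].extend(f)
    return result


def to_ndjson(result: dict) -> str:
    """One JSON event per line, the shape Splunk HEC or a CMDB importer typically takes."""
    lines = [json.dumps({"type": "summary", **s}) for s in result["summaries"]]
    lines += [json.dumps({"type": "finding", **f}) for f in result["findings"]]
    lines += [json.dumps({"type": "error", **e}) for e in result["errors"]]
    return "\n".join(lines)


if __name__ == "__main__":
    # Offline run over the constructed sample. For a real fleet, replace the two arguments
    # with kubectl_contexts(path) and kubectl_fetch(path), where path is the consolidated
    # kubeconfig downloaded from the Rafay Controller.
    print(to_ndjson(aggregate(SAMPLE_REPORTS.keys(), SAMPLE_REPORTS.__getitem__)))
```

Keep the "pending" and "error" event types in whatever dashboard consumes this feed: a cluster that is missing from the compliance view is the case auditors ask about first, and counting it as passing because no failures were reported is the mistake this structure is designed to prevent.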

The advantage of a tool like Trivy is that users can start with CIS compliance and easily extend to other benchmarks, such as the NSA Kubernetes hardening guidance, using the same tool.


About Rafay

Interested in learning more about Rafay?

Sign up here for a free trial and try it out yourself. We have invested heavily on curated Get Started Guides that will help you get familiar with capabilities of Rafay's Kubernetes Operations Platform.

Sincere thanks to readers of our blog who spend time reading our product blogs. Please Contact the Rafay Product Team if you would like us to write about other topics.