K8s Operators — CIS Kubernetes Benchmarks

Without further ado, let’s dive in!

  • Part A: CIS-Benchmarks — Theory
  • Part B: CIS-Operator Fire & Customize

Please feel free to jump straight to the section that matters most to you!

Part A: CIS Benchmarks — Theory

A.1. What Security Value does CIS-Benchmark offer?

A.2. Kubernetes security Projects & Challenges

Kube-Bench

Kube-Hunter

Challenges

Part B: CIS-Operator Fire & Customize

B.1. Architecture

CIS-Operator Architecture/Components
  • Schedules security scans with permissive or hardened profiles,
  • Raises alerts and generates reports on the scans,
  • Flexible management of custom global rules,
  • SAML/OpenLDAP integration and RBAC rules for basic access control (View and Admin modes only),
  • Integration with OPA (Open Policy Agent) Gatekeeper, one of its main advantages, which we discussed in a previous blog post,
  • A feature-rich dashboard that gives instant, deep insight into the identified vulnerabilities.

B.2. Deploy the CIS-Benchmark Operator

# Add the Rancher chart repository and refresh the index
helm repo add rancher https://charts.rancher.io
helm repo update
# Install the CRDs first, creating the operator namespace
helm upgrade --install rancher-cis-benchmark-crd \
rancher/rancher-cis-benchmark-crd \
--create-namespace -n cis-operator-system
# Then install the operator itself into the same namespace
helm upgrade --install rancher-cis-benchmark \
rancher/rancher-cis-benchmark \
-n cis-operator-system
# Verify: CRDs registered, operator pods running, built-in profiles and benchmarks present
kubectl get crd | grep cis.cattle.io
kubectl get all -n cis-operator-system
kubectl get clusterscanprofiles
kubectl get clusterscanbenchmarks

B.3. Scan & Customize

# cluster-scan.yaml: scheduled scan at 00:01 on days 1, 15 and 29 of each month
apiVersion: cis.cattle.io/v1
kind: ClusterScan
metadata:
  name: generic-permissive-cluster-scan
spec:
  scheduledScanConfig:
    cronSchedule: "1 0 */14 * *"

kubectl apply -f cluster-scan.yaml
kubectl get clusterscans
kubectl get clusterscanreports
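As an added example (not from the original post) of the "customize" half of B.3 and the custom-rule management listed in B.1: a ClusterScanProfile that documents one skipped check, and a scheduled ClusterScan that uses it and alerts on failure. The field names (scanProfileName, scoreWarning, benchmarkVersion, skipTests, retentionCount, scanAlertRule) are assumed from the rancher-cis-benchmark CRDs rather than taken from the post, and the benchmark version and test id are placeholders to be looked up in the cluster.

```yaml
# Added example, not from the original post. Field names are assumed from the
# rancher-cis-benchmark CRDs (ClusterScanProfile / ClusterScan); confirm them with
# `kubectl explain clusterscanprofile.spec` and `kubectl explain clusterscan.spec`.
apiVersion: cis.cattle.io/v1
kind: ClusterScanProfile
metadata:
  name: hardened-custom-profile
spec:
  # Placeholder: use a name listed by `kubectl get clusterscanbenchmarks`
  benchmarkVersion: "<benchmark-version>"
  # Every skipped check is a deliberate, recorded exception, never a silent one
  skipTests:
    - "<test-id>"   # placeholder check id; reason and ticket reference go here
---
apiVersion: cis.cattle.io/v1
kind: ClusterScan
metadata:
  name: hardened-custom-cluster-scan
spec:
  scanProfileName: hardened-custom-profile
  # Count "warn" results as failures so they cannot hide in a passing report
  scoreWarning: fail
  scheduledScanConfig:
    cronSchedule: "1 0 */14 * *"   # same cadence as the post's permissive scan
    retentionCount: 3              # keep the last three ClusterScanReports
    scanAlertRule:
      alertOnFailure: true         # page on failed checks only
      alertOnComplete: false
```

Compare the report of this profile with the permissive scan's report to see exactly which controls the hardened benchmark adds.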

Conclusion

No organization can absorb a serious security incident without impact. Better to be proactive!

Aymen Abdelwahed is a Cloud-Native enthusiast with 12 plus years of experience. He’s continuously immersing himself in the latest technology trends and projects.
