kube-bench — CIS Kubernetes Security Benchmark
Automated checks that verify whether Kubernetes clusters are deployed according to CIS Benchmark security guidelines, scanning master and worker node configurations.
%20by%20%E2%80%9ELisa%20Wischofsky%E2%80%9D%2C%20licensed%20under%20%E2%80%9ECC0%201.0%E2%80%9D%20(https%3A%2F%2Fcreativecommons.org%2Fpublicdomain%2Fzero%2F1.0%2F)%3C%2Fdc%3Arights%3E%3C%2Frdf%3ADescription%3E%3C%2Frdf%3ARDF%3E%3C%2Fmetadata%3E%3Cmask%20id%3D%22viewboxMask%22%3E%3Crect%20width%3D%22980%22%20height%3D%22980%22%20rx%3D%22490%22%20ry%3D%22490%22%20x%3D%220%22%20y%3D%220%22%20fill%3D%22%23fff%22%20%2F%3E%3C%2Fmask%3E%3Cg%20mask%3D%22url(%23viewboxMask)%22%3E%3Crect%20fill%3D%22url(%23backgroundLinear)%22%20width%3D%22980%22%20height%3D%22980%22%20x%3D%220%22%20y%3D%220%22%20%2F%3E%3Cdefs%3E%3ClinearGradient%20id%3D%22backgroundLinear%22%20gradientTransform%3D%22rotate(290%200.5%200.5)%22%3E%3Cstop%20stop-color%3D%22%23FFCCB6%22%2F%3E%3Cstop%20offset%3D%221%22%20stop-color%3D%22%23FED7AA%22%2F%3E%3C%2FlinearGradient%3E%3C%2Fdefs%3E%3Cg%20transform%3D%22translate(10%20-60)%22%3E%3Cpath%20d%3D%22M530%20219a446%20446%200%200%201%20133%2039c20%2011%2040%2023%2057%2039%2010%209%2019%2018%2027%2029%209%2012%2015%2026%2017%2041%202%2018%202%2037-4%2055-2%207-5%2014-10%2020l-2-5c0-21-4-41-12-60l-1%2019v23c0%2015%202%2031%205%2046l13%2070%2012%2075c3%2024%205%2046-1%2069-3%2012-7%2023-14%2033-3%206-7%2010-11%2015l-6%202%201-12c2-16%201-31%200-46l-7%2012c-7%2011-15%2020-24%2028-11%209-22%2017-35%2022l-17%204c-19%205-39%204-59%200-36-7-71-17-107-24l-32-4h-39l-42%203c-7%208-16%2011-26%2014-12%202-25%201-36-4-17-6-30-17-41-31l7%2016c2%202%205%206%204%209-1%202-3%202-5%203-7%203-15%201-21-2-16-7-29-19-39-32a214%20214%200%200%201-40-115l-1%2027c0%2016%203%2032%208%2047%204%2011%209%2020%2012%2031l-4-2-7-12c-12-21-17-48-17-72%200-33%2010-65%2021-96l19-61%2011-44c4-15%209-29%2015-43a196%20196%200%200%201%2098-103c11-5%2021-10%2033-13%2014-4%2028-6%2043-6%205-1%209%200%2013%201%205%201%2010-2%2014-2%2032-7%2065-7%2097-3Z%22%20fill%3D%22%23000000%22%2F%3E%3Cpath%20d%3D%22M495%20231a231%20231%200%200%201%20219%20204c1%2010%202%2021%200%2030-1%204-1%207-4%208-3-10-3-19-4-29a220%20220%200%200%200-239-205c-42%204-83%2019-117%2044l-17%2013a221%20221%200%200%200-78%20164c0%2023%207%2043%2015%2064h17c3%201%204%204%202%206l-6%202c-15%201-31%207-42%2017-8%209-14%2019-16%2031-3%2015%200%2032%208%2045%209%2015%2024%2027%2040%2033%2014%205%2029%207%2043%205%204-1%208-2%2011%200v3c-5%205-11%206-18%207-16%203-33-1-47-8a86%2086%200%200%201-47-58c-4-18-1-37%209-53%208-12%2020-21%2034-26-7-14-10-28-12-43-2-18-2-35%200-53%201-13%204-25%208-38a227%20227%200%200%201%2099-122c41-28%2092-43%20142-41Z%22%20fill%3D%22%23000%22%2F%3E%3Cpath%20d%3D%22M535%20244a220%20220%200%200%201%20171%20200c1%2010%201%2019%204%2029l-2%2018v22c-3%204-4%209-4%2014-2%208-2%2015-2%2023v65c0%2021-3%2042-11%2061-4%2013-10%2024-18%2035-10%2012-21%2022-34%2031-11%209-24%2017-37%2024l-22%2014-12%208%209-2c-3%2011-3%2024-4%2036%200%208%201%2016%207%2022a235%20235%200%200%200%2081%2045c6%207%2011%2016%2013%2025%201%209%200%2018-4%2027-6%2010-14%2018-23%2024-13%2010-28%2017-43%2022a417%20417%200%200%201-217%2011c-16-3-33-9-48-17-10-5-21-12-28-21-6-6-10-14-11-22-2-10%200-21%205-30%2021-13%2039-32%2049-54%205-11%207-22%208-34%201-16%200-32-1-47-2-20-3-41-8-61%2011%2012%2023%2024%2037%2032%2017%2011%2036%2020%2055%2026%2020%207%2041%2013%2063%2018l25%203c3%200%206%200%208-2%202-1%201-2%202-3l-17-2c-29-7-58-16-87-27-18-7-36-15-53-27-18-13-33-30-47-47l-11-16-1-1v-3c-3-2-7-1-11%200-14%202-29%200-43-5-16-6-31-18-40-33-8-13-11-30-8-45%202-12%208-22%2016-31%2011-10%2027-16%2042-17l6-2c2-2%201-5-2-6h-17c-8-21-15-41-15-64-1-14%202-27%205-41a221%20221%200%200%201%2073-123l17-13a230%20230%200%200%201%20185-39Z%22%20fill%3D%22%23ffffff%22%2F%3E%3Cpath%20d%3D%22M708%20513c3%203%202%207%203%2012v29c0%2026%202%2054%200%2080-3%2031-14%2063-36%2086-25%2028-57%2051-93%2064l2%207v35c1%206%204%2010%208%2014l26%2019%2032%2020%2024%2012c2%200%203%201%205%203l-19-5c-19-6-37-14-54-25-9-5-19-12-26-20-6-6-7-14-7-22%201-12%201-25%204-36l-9%202%2012-8%2022-14c13-7%2026-15%2037-24%2013-9%2024-19%2034-31a178%20178%200%200%200%2029-96v-65c0-8%200-15%202-23%200-5%201-10%204-14ZM278%20574c5%205%204%2014%200%2019l-3%207c1%203%205%205%207%206%206%203%2012%207%2019%209%200%204-3%205-7%205-6-1-13-3-18-6-7-3-13-8-13-16%200-6%205-9%206-14%202-4%200-7-1-11%204-1%207-2%2010%201ZM328%20667l11%2016c14%2017%2029%2034%2047%2047%2017%2012%2035%2020%2053%2027a714%20714%200%200%200%20104%2029c-1%201%200%202-2%203-2%202-5%202-8%202l-25-3a478%20478%200%200%201-118-44c-14-8-26-20-37-32%205%2020%206%2041%208%2061%201%2015%202%2031%201%2047-1%2012-3%2023-8%2034-10%2022-28%2041-49%2054l-14%208c2-4%206-6%209-9%2013-11%2024-25%2034-39%206-10%2012-21%2014-33%204-19%203-39%203-58l-3-59%202-10c-10-11-19-26-22-41Z%22%20fill%3D%22%23000%22%2F%3E%3Cpath%20d%3D%22M686%20474c5%202%2010%207%2012%2012%203%208%203%2017%201%2025-1%204-4%208-9%208s-9-5-8-10c0-8%203-15%201-23l-5-4c-6%200-12%203-17%205%202%203%204%205%204%208%202%207%201%2014%200%2021-1%208-4%2014-9%2020-3%202-7%206-11%207-5%201-10-1-12-5-4-5-4-11-3-16l-6%208c-1%202-2%203-4%203-1-2%200-6%201-8a95%2095%200%200%201%2044-49c6-3%2014-4%2021-2ZM470%20481c18%206%2035%2017%2046%2033%203%204%206%209%207%2014%201%203%201%205-1%206-3%201-6-3-8-5-3%206-2%2013-6%2018-3%204-7%208-11%2010-6%203-13%203-19%201s-10-8-14-13c-5-10-5-20-4-30%201-8%204-15%209-21-14-5-29-8-42-2-10%204-16%2011-19%2021-1%205%200%2011-3%2015-3%203-9%203-12%200s-4-7-3-11c1-12%207-22%2016-30%206-4%2012-7%2019-9%2015-4%2031-3%2045%203Z%22%20fill%3D%22%23000000%22%2F%3E%3Cg%20fill%3D%22%23000000%22%3E%3Cpath%20d%3D%22M675%20381c5%200%208%204%209%208-11%203-23%208-34%2013l-16%208c-7%204-14%207-22%209-5%201-9%200-13%203l-7%208c-3%203-4%207-6%2012-1-1-3-2-3-4-2-5%200-11%202-16%202-6%203-12%208-17%203-4%205-8%209-10%204-3%2010-4%2014%200l1%206%2025-14c11-4%2021-8%2033-6ZM481%20383c14%202%2032%201%2044%207%209%204%2013%2011%2018%2019l-1%204c-4%203-9%204-14%202-4-2-6-6-9-8-2-2-5-2-8-3l-25-2c-12-1-24-6-36-7l-27-5-5-2c9-3%2019-4%2029-5%2011%200%2023-2%2034%200Z%22%2F%3E%3Cpath%20d%3D%22M540%20387c6-2%2012-2%2016%202%206%203%209%209%2011%2015%200-4%202-9%205-12%206%203%2011%209%2013%2015%201%205%202%2010%200%2015s-9%208-13%205c-4-4-4-12-5-18-1%204-2%208-5%2010s-7%201-9-2l-5-12-7-15-1-3Z%22%2F%3E%3C%2Fg%3E%3Cpath%20d%3D%22M607%20606c0%203-2%206-4%209-4%206-11%2010-18%2012-5%201-9-2-13%200-4%200-8%201-12-1-2-1-2-4%200-6%203-4%208-7%2012-7%204-1%207-1%2010%202l1%207c5-2%207-5%2011-8l13-8Z%22%20fill%3D%22%23000000%22%2F%3E%3Cpath%20d%3D%22M608%20667c2%200%204%200%205%202l-1%2015c5-1%2010-4%2016-2%200%204-4%207-7%209l-35%2012c-17%204-34%207-51%208-7%201-15-1-22-3-2-1-4-1-4-4%204-2%209%200%2012-1%202-5%207-7%2011-10l31-19c3-1%207-4%2010-4%204-1%207%204%2011%204%208-2%2016-7%2024-7ZM607%20712c1%204%201%208-1%2011-2%205-7%209-12%2011-6%202-12%203-18%202-2%200-6-2-6-5%201-2%205-2%207-3%208-4%2018-7%2025-13%202-1%203-3%205-3Z%22%20fill%3D%22%23000000%22%2F%3E%3Cpath%20d%3D%22M492%20216c35%200%2070%207%20103%2017%2023%206%2045%2014%2066%2024%2023%2012%2045%2025%2063%2044%2015%2013%2027%2028%2035%2046%203%208%205%2017%206%2026%201%2013%200%2026-2%2039-2%2010-6%2022-13%2030l-2-6c0-20-5-40-12-59%201%2019-3%2040-15%2055-4%204-8%205-12%207s-9%202-13%202c-7-1-15-4-22-7-2-2-5-3-6-6-4-13-5-27-9-40l-6-17c-2%2010-4%2019-8%2028-3%2011-8%2021-15%2030l-8%207-3-14-4-17c-5-21-14-42-26-61v29c-2%2016-3%2031-10%2045-3%207-4%2014-10%2018-8%204-18%205-27%205-13%200-28%202-41-1-6-2-8-7-11-12l-14-31-11-20c-2%2022-2%2043-1%2064-1%202%200%204-2%205-1%202-3%201-5%200-9-4-16-11-23-18-9-12-19-24-25-37l2%2017c3%2012%207%2024%2012%2035l2%208-5-2c-7-5-12-12-17-19-7-12-11-27-12-41-5%2019-7%2039-8%2059l-2%2010c-1%203-3%204-6%205l-33%205h-11a670%20670%200%200%200%2013%20152l15%2061c1%203%200%205-2%207-15-8-26-23-36-38v63l-3%206a245%20245%200%200%201-64-94l-6-16a397%20397%200%200%201-27-151c1-40%209-80%2026-116a217%20217%200%200%201%2076-91l31-17c11-4%2022-9%2034-10%2010-1%2021-3%2031%200%204%201%208-1%2012-2%2020-4%2041-6%2061-6Z%22%20fill%3D%22%23000000%22%2F%3E%3C%2Fg%3E%3Cg%20transform%3D%22translate(10%20-60)%22%3E%3C%2Fg%3E%3C%2Fg%3E%3C%2Fsvg%3E){kind=small}
What it is
kube-bench is a Go application by Aqua Security that checks whether Kubernetes clusters are deployed according to CIS Benchmark security guidelines. It scans master and worker node configurations, verifying settings like API server flags, kubelet parameters, and etcd encryption. Results are categorized as PASS, FAIL, WARN, or INFO.
kube-bench targets cluster administrators and security teams who need automated compliance checks against the CIS Kubernetes Benchmark.
How it saves time or tokens
kube-bench automates hundreds of manual security checks that would take hours to perform by hand. Each check includes a rationale and remediation command, so you fix issues without researching each CIS control separately.
How to use
- Run as a Kubernetes Job:
kubectl apply -f https://raw.githubusercontent.com/aquasecurity/kube-bench/main/job.yaml
kubectl logs job.batch/kube-bench- Or run directly on a node:
kube-bench run --targets master
kube-bench run --targets node- Review the PASS/FAIL/WARN output and apply remediations.
Example
# Run as Kubernetes Job
kubectl apply -f https://raw.githubusercontent.com/aquasecurity/kube-bench/main/job.yaml
# View results
kubectl logs job.batch/kube-bench
# Run on a specific node
kube-bench run --targets master
# Output as JSON for CI integration
kube-bench run --json
# Run specific CIS section
kube-bench run --targets master --check 1.2Related on TokRepo
- AI Tools for Security — Security scanning and compliance tools
- AI Tools for DevOps — Kubernetes and infrastructure tools
Key considerations
When evaluating kube-bench for your workflow, consider the following factors. First, assess whether your team has the technical prerequisites to adopt this tool effectively. Second, evaluate the maintenance burden against the productivity gains. Third, check community activity and documentation quality to ensure long-term viability. Integration with your existing toolchain matters more than feature count alone. Start with a small pilot project before rolling out across the organization. Monitor resource usage during the initial adoption phase to identify bottlenecks early. Document your configuration decisions so team members can onboard independently.
Common pitfalls
- kube-bench must run on cluster nodes (or with access to node configs) to check kubelet and etcd settings; running from outside the cluster provides limited results.
- Managed Kubernetes (EKS, GKE, AKS) restricts access to master node configurations; some CIS checks cannot run on managed clusters.
- WARN results are not failures but indicate checks that could not be automatically evaluated; review them manually.
Frequently Asked Questions
The CIS Benchmark is a set of security best practices published by the Center for Internet Security. It defines specific configuration checks for Kubernetes components including API server, controller manager, scheduler, kubelet, and etcd.
Partially. kube-bench can check worker node and pod security configurations on managed clusters. Master node checks are limited because cloud providers manage the control plane. EKS, GKE, and AKS have specific benchmark profiles.
Each failed check includes a remediation description with the specific flag or configuration change needed. Apply the change to the relevant Kubernetes component configuration and restart the service.
Yes. kube-bench automatically detects the Kubernetes version and runs the appropriate CIS Benchmark. You can also specify a version explicitly with the --version flag.
Yes. Run kube-bench with --json output and parse results programmatically. Many teams run kube-bench as a periodic Job or after cluster provisioning to ensure ongoing compliance.
Citations (3)
- kube-bench GitHub— CIS Benchmark checks for Kubernetes by Aqua Security
- kube-bench README— Scans master and worker node configurations
- CIS Benchmarks— CIS Kubernetes Benchmark specification
Related on TokRepo
Discussion
Related Assets
Conda — Cross-Platform Package and Environment Manager
Install, update, and manage packages and isolated environments for Python, R, C/C++, and hundreds of other languages from a single tool.
Sphinx — Python Documentation Generator
Generate professional documentation from reStructuredText and Markdown with cross-references, API autodoc, and multiple output formats.
Neutralinojs — Lightweight Cross-Platform Desktop Apps
Build desktop applications with HTML, CSS, and JavaScript using a tiny native runtime instead of bundling Chromium.