kube-bench
What is kube-bench?
kube-benchAn open-source tool from Aqua Security that automatically checks a Kubernetes cluster's configuration against the CIS Kubernetes Benchmark.
kube-bench is a Go-based, open-source scanner maintained by Aqua Security that evaluates how closely a Kubernetes cluster aligns with the CIS Kubernetes Benchmark. It inspects component flags, file permissions, audit settings, and TLS configuration on the control plane, etcd, kubelet, and worker nodes, then reports PASS/FAIL/WARN/INFO per control. Distinct profiles exist for kubeadm, GKE, EKS, AKS, OpenShift, and Tanzu, with versioned tests tracking benchmark updates. kube-bench is typically run as a privileged Kubernetes Job on each node and integrated into CI/CD or scheduled pipelines. It is widely used as a baseline hardening check, often complemented by tools like Kubescape, Trivy, and policy-as-code admission controllers.
● Examples
- 01
Running kube-bench --benchmark eks-1.5.0 to audit an EKS cluster after upgrade.
- 02
Failing a CI pipeline if any kube-bench FAIL items are introduced by a Helm change.
● Frequently asked questions
What is kube-bench?
An open-source tool from Aqua Security that automatically checks a Kubernetes cluster's configuration against the CIS Kubernetes Benchmark. It belongs to the Cloud Security category of cybersecurity.
What does kube-bench mean?
An open-source tool from Aqua Security that automatically checks a Kubernetes cluster's configuration against the CIS Kubernetes Benchmark.
How does kube-bench work?
kube-bench is a Go-based, open-source scanner maintained by Aqua Security that evaluates how closely a Kubernetes cluster aligns with the CIS Kubernetes Benchmark. It inspects component flags, file permissions, audit settings, and TLS configuration on the control plane, etcd, kubelet, and worker nodes, then reports PASS/FAIL/WARN/INFO per control. Distinct profiles exist for kubeadm, GKE, EKS, AKS, OpenShift, and Tanzu, with versioned tests tracking benchmark updates. kube-bench is typically run as a privileged Kubernetes Job on each node and integrated into CI/CD or scheduled pipelines. It is widely used as a baseline hardening check, often complemented by tools like Kubescape, Trivy, and policy-as-code admission controllers.
How do you defend against kube-bench?
Defences for kube-bench typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for kube-bench?
Common alternative names include: CIS Kubernetes Benchmark scanner.
● Related terms
- cloud-security№ 600
Kubernetes Security
The protection of a Kubernetes cluster — its API server, control plane, nodes, workloads, and network — from misconfiguration, compromise, and lateral movement.
- cloud-security№ 601
Kubescape
An open-source Kubernetes security platform from ARMO that scans clusters, manifests, and images for misconfigurations, vulnerabilities, and policy drift.
- compliance№ 204
Compliance
The discipline of meeting legal, regulatory, contractual, and internal security requirements through documented controls, evidence collection, and ongoing assessment.
- cloud-security№ 170
Cilium
An eBPF-based Container Network Interface that provides networking, observability, and security for Kubernetes workloads at kernel speed.
- cloud-security№ 213
Container Security
The practice of securing container images, registries, orchestrators, and the runtime in which containers execute.
● See also
- № 1012Service Account Token