Does this actually work on cloud clusters or just shit the bed everywhere?

EKS fails 47 checks, AKS fails 39, GKE fails 12. That's not bugs, that's cloud providers treating you like a child who can't be trusted with root access. Spent an entire afternoon debugging `EACCES: permission denied, open '/var/lib/etcd/member/snap/db'` on an EKS v1.24 cluster before my colleague laughed and said "dude, that's AWS managed etcd, you can't touch it." Same error on every EKS version since v1.20.

How often should I torture myself with this thing?

Every time you touch cluster config, and definitely in CI/CD to catch the obvious shit before it explodes in prod. Weekly runs are for compliance theater - daily is just masochism. I run it after any RBAC changes, admission controller updates, or when someone claims they "just made a small security tweak."

Why are there like 47 different benchmark versions?

Because CIS moves slower than a dead turtle. K8s 1.28 might use CIS benchmark 1.7.0 while K8s 1.25 uses 1.6.1. Auto-detection works most of the time, but when you get `unknown test file 1.4.2.yaml` errors, you need to manually specify `--benchmark cis-1.23` because the tool guessed wrong. Spent 30 minutes last month debugging why kube-bench v0.12.0 kept using the 1.6.1 benchmark on our shiny new K8s 1.28 cluster - turns out the version detection logic failed and defaulted to some ancient benchmark.

Can this thing fix anything or just bitch about everything?

Hell no, it just points and laughs at your broken config. You get a remediation guide that basically says "edit this file and restart kubelet." Which is probably for the best - imagine if it automatically disabled anonymous auth and broke your monitoring stack at 2am.

How do I stop this thing from crying wolf constantly?

Edit the test config YAML files in `/opt/kube-bench/cfg` and add `skip: true` to tests that don't apply. First thing I did was skip all etcd tests (1.1.1 through 1.1.20) on EKS because AWS hides that shit. Also skipped 4.2.1 (kubelet config permissions) on GKE because Google's COS puts configs in `/home/kubernetes/kubelet-config.yaml` instead of the expected path.

What output format doesn't make me want to kill myself in CI/CD?

`--json` all the way. Gives you structured data with actual fail counts you can parse with `jq`. Text output is human-readable but useless for scripting. ASFF format is only worth it if you're balls deep in AWS Security Hub and love vendor lock-in.

Will this thing tank my cluster performance?

Nah, it's basically a glorified file reader. Takes 20-30 seconds to run all checks, uses about 50MB of RAM, doesn't touch your workloads. It's not intercepting traffic or doing anything fancy - just reading files and running `ps aux` to check process flags.

How do I hack this thing to check my weird corporate bullshit?

Edit the YAML test files in `/opt/kube-bench/cfg/`. Each test has `commands`, `tests`, and `remediation` sections. I added a custom check for our internal CA requirement by copying an existing test and changing the grep pattern. Pro tip: test your regex on a real cluster first or you'll get mysterious "test failed to execute" errors. ![Kubernetes CNI Plugin Architecture](https://www.simform.com/wp-content/uploads/2023/08/CNI.jpg)

Is this made by the same people who do Trivy?

Yep, Aqua Security makes both. [Trivy](https://trivy.dev/) finds CVEs in your container images, kube-bench finds fuckups in your cluster config. Different problems, different tools. Use both or you're only seeing half the security picture.

Why does this thing need root access to my entire cluster?

It has to read kubelet command line args from `/proc/$PID/cmdline`, config files from `/etc/kubernetes/`, and check file permissions on sensitive directories. `hostPID: true` lets it see processes outside the container, host mounts give it access to the real filesystem. Security teams have panic attacks seeing this YAML, but it's the only way to check actual cluster security.

Do they keep this shit up to date?

They're usually 2-3 months behind K8s releases, and CIS benchmarks lag even further. K8s 1.28 might use tests designed for 1.26. Check the release notes - if you're running bleeding edge K8s, some tests might be outdated or missing entirely. ![Cloud Controller Manager Architecture](https://www.simform.com/wp-content/uploads/2023/08/cloud-controller-manager.jpg)

Why does this motherfucker keep dying with "permission denied"?

Missing `privileged: true` in the securityContext, or your cluster uses non-standard paths. Spent 4 hours debugging `EACCES: permission denied, open '/var/lib/kubelet/config.yaml'` on GKE Autopilot before realizing Google locks down host filesystem access. Also happens when the job runs on nodes that don't have the expected directory structure - looking at you, Fargate.

Currently viewing the AI version

Switch to human version

kube-bench: Kubernetes Security Auditing Tool - AI-Optimized Reference

Overview

kube-bench audits Kubernetes cluster security against CIS (Center for Internet Security) benchmarks. Performs ~100 security checks in 30 seconds to identify configuration vulnerabilities that could lead to cluster compromise.

Critical Security Failures Detected

API Server Vulnerabilities

--anonymous-auth=true (default until K8s v1.6): Allows unauthenticated access
--authorization-mode=AlwaysAllow: Bypasses all authorization checks
Missing --enable-admission-plugins=PodSecurityPolicy: No pod security enforcement
--insecure-bind-address=0.0.0.0: API server accessible without authentication

kubelet Security Issues

Port 10255 exposed (disabled by default v1.10+): Metrics endpoint accessible to anyone
--allow-privileged=true: Permits privileged container execution
--anonymous-auth=true on kubelet: Unauthenticated kubelet access
Config file /var/lib/kubelet/config.yaml with 644 permissions instead of 600

etcd Data Store Vulnerabilities

--client-cert-auth=false: No TLS client authentication required
Data directory /var/lib/etcd with 755 permissions: Readable by all users
Unencrypted peer-to-peer communication: Internal traffic vulnerable to interception

Node-Level Security Gaps

Docker socket /var/run/docker.sock with 666 permissions: Container escape vector
vm.overcommit_memory=1: Memory exhaustion attacks possible
Missing AppArmor/seccomp profiles: No container behavior restrictions

Performance and Resource Requirements

Execution Time: 20-30 seconds for complete audit
Memory Usage: ~50MB RAM
Network Impact: Minimal - primarily file system reads and process inspection
CPU Usage: Low - mostly grep operations and config file parsing

Cloud Platform Compatibility and Limitations

Platform	Failed Checks	Root Cause	Impact
Amazon EKS	47/100	AWS manages master nodes, no etcd access	Cannot verify control plane security
Azure AKS	39/100	Non-standard config paths, Container-Optimized OS	File permission checks fail
Google GKE	12/100	Minor file permission issues	Most comprehensive coverage
GKE Autopilot	78/100	Google locks down all configurations	Heavily restricted environment

Critical EKS Limitation: Error EACCES: permission denied, open '/var/lib/etcd/member/snap/db' occurs because AWS completely hides etcd access from customers.

Installation and Execution Methods

Kubernetes Job Method (Recommended)

apiVersion: batch/v1
kind: Job
metadata:
  name: kube-bench
spec:
  template:
    spec:
      hostPID: true
      nodeSelector:
        kubernetes.io/os: linux
      tolerations:
      - key: node-role.kubernetes.io/master
        operator: Exists
        effect: NoSchedule
      containers:
      - name: kube-bench
        image: aquasec/kube-bench:latest
        command: ["kube-bench"]
        volumeMounts:
        - name: var-lib-etcd
          mountPath: /var/lib/etcd
          readOnly: true
        - name: var-lib-kubelet
          mountPath: /var/lib/kubelet
          readOnly: true
      volumes:
      - name: var-lib-etcd
        hostPath:
          path: "/var/lib/etcd"
      - name: var-lib-kubelet
        hostPath:
          path: "/var/lib/kubelet"

Critical Requirements:

hostPID: true: Required to read process command line arguments from /proc/$PID/cmdline
restartPolicy: Never: Prevents infinite restart loops on failure
Host path mounts: Necessary for accessing real filesystem configurations

Direct Binary Installation

curl -L https://github.com/aquasecurity/kube-bench/releases/download/v0.12.0/kube-bench_0.12.0_linux_amd64.tar.gz -o kube-bench.tar.gz
tar xzf kube-bench.tar.gz
sudo mv kube-bench /usr/local/bin/
sudo kube-bench --config-dir /opt/kube-bench/cfg

Common Failure Scenarios and Solutions

Permission Denied Errors

Error: permission denied: cannot access /proc/1234/cmdline
Solution: Run as root - kube-bench requires privileged access to inspect running processes

Error: no such file or directory: /var/lib/etcd
Solution: Use --benchmark eks flag for managed clusters or skip etcd tests

Error: config not found: /etc/kube-bench/cfg
Solution: Path changed in v0.11.0 - use --config-dir /opt/kube-bench/cfg

Cloud-Specific Issues

EKS: 47 failures expected due to AWS hiding master node access
AKS: Use --benchmark aks to handle Azure's non-standard paths
GKE Autopilot: 78% failure rate due to Google's security restrictions

CI/CD Integration Patterns

Intelligent Failure Thresholds

# Don't fail on normal cloud provider limitations
FAILURES=$(kube-bench --json | jq -r '.Totals.total_fail')
if [ "$FAILURES" -gt 15 ]; then
  echo "Too many failures: $FAILURES"
  exit 1
fi

Threshold Guidelines:

0 failures: Unrealistic, builds break constantly
5 failures: Too strict, breaks on normal cloud provider behavior
15 failures: Optimal - catches real problems without false positives

JSON Output Processing

kube-bench --json | jq -r '.Totals.total_fail' | xargs test 0 -eq

Compliance and Audit Requirements

Regulatory Framework Support

SOC 2: Automated security controls documentation
PCI DSS: Infrastructure security validation for payment processing
HIPAA: Healthcare data protection infrastructure compliance
FedRAMP: Government cloud security requirements
NIST: Cybersecurity framework alignment

AWS Security Hub Integration

Use --asff flag for AWS Security Hub integration, but requires additional mapping to compliance frameworks.

Version and Benchmark Compatibility

Current Challenge: Tool typically lags 2-3 months behind Kubernetes releases
CIS Benchmark Versions: Multiple versions exist for different K8s versions
Auto-detection: Works most of the time, manual specification required when detection fails

Manual Override Example:

kube-bench --benchmark cis-1.23  # For K8s 1.28 using older benchmark

Customization and Configuration

Skipping Irrelevant Tests

Edit YAML files in /opt/kube-bench/cfg/ and add skip: true to unnecessary tests:

Skip etcd tests (1.1.1-1.1.20) on EKS/managed clusters
Skip kubelet config tests (4.2.1) on GKE due to non-standard paths

Custom Test Creation

Modify test YAML files with:

commands: System commands to execute
tests: Regex patterns to validate output
remediation: Instructions for fixing failures

Tool Ecosystem Integration

Tool	Purpose	Performance Impact	Integration Complexity
kube-bench	Config audit	30 seconds, 50MB RAM	Low - file system only
kube-hunter	Active penetration testing	45 minutes, can crash clusters	High - requires careful staging
Kubescape	Multi-purpose security scanning	500MB binary, complex config	Very High - 20-page configuration
Falco	Runtime threat detection	Kernel module, 1000+ daily alerts	Extreme - breaks on OS updates
Trivy	Container vulnerability scanning	Varies by image size	Medium - registry integration

Production Deployment Considerations

Resource Planning

Memory: 50MB per execution
CPU: Minimal - primarily I/O bound
Storage: Negligible - tool reads existing files
Network: Low impact - local file system operations

Frequency Recommendations

After configuration changes: Immediate validation
CI/CD pipeline: Every deployment to staging
Scheduled audits: Weekly for compliance
Incident response: On-demand during security events

Multi-cluster Management

Different cloud providers show different failure patterns
Automation required for dozens of clusters
Centralized result collection needed for enterprise scale

Critical Warnings and Limitations

Breaking Changes That Cause Outages

Real Incident: Setting --anonymous-auth=false on kubelet broke Prometheus monitoring that relied on anonymous access to port 10255 for 2 years. 4-hour production monitoring outage resulted.

Cloud Provider Restrictions

AWS EKS: Cannot access etcd, 47 expected failures
Azure AKS: Non-standard file paths cause permission failures
GKE Autopilot: 78% failure rate due to Google's security model

Security Team Concerns

hostPID: true and privileged access requirements cause security team resistance, but tool cannot function without these permissions.

Support and Maintenance

Open Source: Active GitHub community, responsive maintainers
Commercial: Aqua Security offers paid support with SLAs
Updates: Regular releases for new Kubernetes/CIS versions, typically 2-3 month lag
Documentation: Comprehensive GitHub repository with cloud-specific examples

Key Resources

Primary Repository: https://github.com/aquasecurity/kube-bench
CIS Kubernetes Benchmark: Official 300-page compliance specification
Cloud Job Configs: Pre-built YAML for EKS, GKE, AKS in repository
Trivy Integration: Complementary container vulnerability scanning tool

Useful Links for Further Investigation

Links That Don't Suck

Link	Description
kube-bench GitHub	The source of truth. Has job YAML files for every cloud provider, actual bug reports, and release notes. Bookmark this because you'll be back when shit breaks.
CIS Kubernetes Benchmark	The 300-page PDF that makes auditors orgasm. Dry as fuck but contains the actual requirements your cluster needs to meet. Download it before your next audit.
Cloud-specific job configs	Pre-built YAML for EKS (job-eks.yaml), GKE (job-gke.yaml), and ACK (job-ack.yaml) that actually works. Copy these instead of debugging permissions for 6 hours like I did.
Trivy vulnerability scanner	Aqua's other tool that finds CVEs in your images. Run kube-bench for cluster config, Trivy for container vulnerabilities. Two different problems, two different tools.

kube-bench: Kubernetes Security Auditing Tool - AI-Optimized Reference

Overview

Critical Security Failures Detected

API Server Vulnerabilities

kubelet Security Issues

etcd Data Store Vulnerabilities

Node-Level Security Gaps

Performance and Resource Requirements

Cloud Platform Compatibility and Limitations

Installation and Execution Methods

Kubernetes Job Method (Recommended)

Direct Binary Installation

Common Failure Scenarios and Solutions

Permission Denied Errors

Cloud-Specific Issues

CI/CD Integration Patterns

Intelligent Failure Thresholds

JSON Output Processing

Compliance and Audit Requirements

Regulatory Framework Support

AWS Security Hub Integration

Version and Benchmark Compatibility

Customization and Configuration

Skipping Irrelevant Tests

Custom Test Creation

Tool Ecosystem Integration

Production Deployment Considerations

Resource Planning

Frequency Recommendations

Multi-cluster Management

Critical Warnings and Limitations

Breaking Changes That Cause Outages

Cloud Provider Restrictions

Security Team Concerns

Support and Maintenance

Key Resources

Useful Links for Further Investigation

Links That Don't Suck

Related Tools & Recommendations

Migration vers Kubernetes

Kubernetes 替代方案：轻量级 vs 企业级选择指南

Kubernetes - Le Truc que Google a Lâché dans la Nature

Docker for Node.js - The Setup That Doesn't Suck

Complete Guide to Setting Up Microservices with Docker and Kubernetes (2025)

Docker Distribution (Registry) - 본격 컨테이너 이미지 저장소 구축하기

Shopify Polaris - Stop Building the Same Components Over and Over

GitHub Actions - CI/CD That Actually Lives Inside GitHub

GitHub Actions + AWS Lambda: Deploy Shit Without Desktop Boomer Energy

🔧 GitHub Actions vs Jenkins

Jenkins - The CI/CD Server That Won't Die

Jenkins Docker 통합: CI/CD Pipeline 구축 완전 가이드

Jenkins - 日本発のCI/CDオートメーションサーバー

GitLab CI/CD - The Platform That Does Everything (Usually)

Stop Fighting Your CI/CD Tools - Make Them Work Together

Lock Down Your K8s Cluster Before It Costs You $50k

Kubernetes Security Policies Are Blocking Everything - Here's How to Actually Fix It

GKE Security That Actually Stops Attacks

Pod Security Standards - Three Security Levels Instead of Policy Hell

Complete Kubernetes Security Monitoring Stack Setup - Zero to Production