CKS Notes — Kube-bench

Drawing on the experience shared by people on the internet, I summarized some key aspects as a series of articles for preparing for the CKS exam. Each aspect is kept to short, concise points, so this is not a detailed tutorial, just some practical reminders.


This content originally appeared on DEV Community and was authored by Cheedge Lee


Notice: some concepts are based on my understanding; they may not be accurate or even correct, so this is just a handbook from when I was preparing for the CKS exam.

kube-bench is a tool that checks whether a Kubernetes cluster meets the CIS Kubernetes Benchmark.

Concepts

Basic Command:

ssh NODE
kube-bench run --targets TARGETS --benchmark CIS_VERSION   # e.g. --benchmark cis-1.8
kube-bench run --targets TARGETS --check CHECK_IDS         # e.g. --check 1.2.6,4.2.1

params:

1. --targets: the component group(s) to check (comma-separated):

  1. master

  2. node

  3. controlplane

  4. etcd

  5. policies

2. --benchmark: choose the CIS benchmark version (e.g. cis-1.8); --check: limit the run to specific check IDs

Checking items

1. on master

kube-bench run --targets master

  1. Apiserver (/etc/kubernetes/manifests/kube-apiserver.yaml)

  2. ControllerManager (/etc/kubernetes/manifests/kube-controller-manager.yaml)

  3. PKI directory (/etc/kubernetes/pki/)

  4. Scheduler (/etc/kubernetes/manifests/kube-scheduler.yaml)

2. on node

ssh NODE
kube-bench run --targets node

kubelet is considered a node-level component.

This target mainly checks kubelet-related configs:

  1. /var/lib/kubelet/config.yaml

  2. /etc/kubernetes/kubelet.conf

  3. /etc/systemd/system/kubelet.service.d/10-kubeadm.conf

  4. kubelet certificate location

  5. anonymous auth

  6. webhook authz

  7. protecting /var/lib/kubelet/

  8. TLS bootstrapping config

  9. client CA

  10. file permissions (644/600)

Notice: after changing the kubelet config, kubelet must be restarted manually.

3. etcd check

We only focus on kubeadm clusters (managed cloud clusters do not expose etcd; for an externally managed etcd cluster, ssh to the etcd node instead).

kubeadm runs etcd on the control-plane node.

ssh CONTROLPLANE_NODE
kube-bench run --targets etcd

The checks inspect the etcd static pod manifest, /etc/kubernetes/manifests/etcd.yaml:

  1. Authentication enabled

    1. --client-cert-auth=true
    2. --peer-client-cert-auth=true
  2. TLS encryption enabled

    1. --cert-file
    2. --key-file
    3. --peer-cert-file
    4. --peer-key-file
  3. Proper paths

    1. /etc/kubernetes/pki/etcd/

Notice: for a kubeadm cluster, kubeadm updates the manifest under /etc/kubernetes/manifests/ and the kubelet then restarts etcd automatically, so there is no need to restart it manually.
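As an added example (not code from the original post), this checks the etcd static pod manifest for the flags listed above and reports which are missing. The manifest is a constructed sample so it runs without a cluster; the kubeadm file layout is assumed.

```shell
# Print each flag missing from the manifest's etcd command; returns the number
# missing (0 = all present). Flags to look for are given as arguments.
etcd_missing_flags() {
  manifest=$1; shift; missing=0
  for flag in "$@"; do
    # in a static pod manifest flags appear as list items: "    - --cert-file=..."
    if ! grep -Eq -- "^[[:space:]]*- $flag(=|\$)" "$manifest"; then
      echo "missing: $flag"; missing=$((missing + 1))
    fi
  done
  return "$missing"
}

# Flags the etcd checks above expect (auth flags with their required value).
ETCD_FLAGS='--client-cert-auth=true --peer-client-cert-auth=true --cert-file --key-file --peer-cert-file --peer-key-file'

# Constructed sample manifest: peer client cert auth is deliberately absent.
TMP=$(mktemp -d); MANIFEST=$TMP/etcd.yaml
cat > "$MANIFEST" <<EOF
spec:
  containers:
  - command:
    - etcd
    - --cert-file=/etc/kubernetes/pki/etcd/server.crt
    - --client-cert-auth=true
    - --key-file=/etc/kubernetes/pki/etcd/server.key
    - --peer-cert-file=/etc/kubernetes/pki/etcd/peer.crt
    - --peer-key-file=/etc/kubernetes/pki/etcd/peer.key
EOF
# word-splitting ETCD_FLAGS into separate arguments is intended here
etcd_missing_flags "$MANIFEST" $ETCD_FLAGS || echo "edit $MANIFEST; kubelet restarts etcd, no manual restart"
```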

Notice:

kube-bench run --targets node behaves differently from kube-bench run --targets master and the other targets:

  • master: API server, controller-manager, etc. run as static pods, so the kubelet watches their manifest files

  • etcd: the etcd service is also a static pod, so the kubelet watches its manifest file

  • policies: API objects managed with kubectl

Under a kubeadm cluster, kube-apiserver, kube-controller-manager, kube-scheduler and etcd are managed by kubeadm/kubelet, and their config files are under /etc/kubernetes/manifests/*.

Policies are controlled with kubectl, so for these we can just follow the recommendations that kube-bench shows.

Component               | How it runs      | Config change effect         | Restart needed?
kube-apiserver          | Static pod       | Kubelet watches manifest     | No (auto restart)
kube-controller-manager | Static pod       | Same                         | No
kube-scheduler          | Static pod       | Same                         | No
etcd (kubeadm)          | Static pod       | Same                         | No
policies                | YAML API objects | Apply with kubectl           | No restart
kubelet                 | systemd service  | Reads config only at startup | Yes (manual restart)

For kubelet-related configs, by contrast, we need to find the kubelet config file first, via the environment (drop-in) file that points to it, and only then fix the settings.

# find the kubelet unit's drop-in file (e.g. /etc/systemd/system/kubelet.service.d/10-kubeadm.conf)
systemctl status kubelet
# inside the drop-in, the Environment= line points to the real kubelet config file:
Environment="KUBELET_CONFIG_ARGS=--config=/var/lib/kubelet/config.yaml"
# change the params in that config file (here /var/lib/kubelet/config.yaml),
# then restart kubelet so it reads the new config
systemctl restart kubelet

Do not fix the parameters directly in the Environment= line; change them in the config file it points to.
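As an added example (not code from the original post), this mirrors the node target's kubelet checks: it reads the config path from the systemd drop-in, then inspects the anonymous-auth, webhook authorization, client CA and file-permission settings. It assumes Linux (GNU stat) and the kubeadm layout; the drop-in and config files are constructed in a temp dir so it runs without a real kubelet.

```shell
# Print the --config= path from the drop-in's Environment= line.
kubelet_config_path() {
  sed -n 's/.*--config=\([^" ]*\).*/\1/p' "$1" | head -n 1
}

# Report the kubelet settings kube-bench's node checks cover; returns the FAIL count.
check_kubelet_config() {
  cfg=$1; fails=0
  # anonymous auth must be off
  if sed -n '/^  anonymous:/,/enabled:/p' "$cfg" | grep -q 'enabled: false'
  then echo "PASS anonymous auth disabled"
  else echo "FAIL anonymous auth enabled"; fails=$((fails + 1)); fi
  # authorization must go through the API server webhook, not AlwaysAllow
  if sed -n '/^authorization:/,/mode:/p' "$cfg" | grep -q 'mode: Webhook'
  then echo "PASS authorization mode Webhook"
  else echo "FAIL authorization mode is not Webhook"; fails=$((fails + 1)); fi
  # client certificates must be validated against a CA
  if grep -q 'clientCAFile: /' "$cfg"
  then echo "PASS clientCAFile set"
  else echo "FAIL clientCAFile missing"; fails=$((fails + 1)); fi
  # file must be 644 or more restrictive (no write bit for group/other)
  mode=$(stat -c %a "$cfg")
  case $mode in
    [0246][04][04]) echo "PASS permissions $mode" ;;
    *) echo "FAIL permissions $mode (want 644 or stricter)"; fails=$((fails + 1)) ;;
  esac
  return "$fails"
}

# Constructed stand-ins for 10-kubeadm.conf and config.yaml (good and bad variants).
TMP=$(mktemp -d); DROPIN=$TMP/10-kubeadm.conf; GOOD_CFG=$TMP/config.yaml; BAD_CFG=$TMP/bad.yaml
printf 'Environment="KUBELET_CONFIG_ARGS=--config=%s"\n' "$GOOD_CFG" > "$DROPIN"
cat > "$GOOD_CFG" <<EOF
authentication:
  anonymous:
    enabled: false
  x509:
    clientCAFile: /etc/kubernetes/pki/ca.crt
authorization:
  mode: Webhook
EOF
sed -e 's/enabled: false/enabled: true/' -e 's/mode: Webhook/mode: AlwaysAllow/' -e '/clientCAFile/d' "$GOOD_CFG" > "$BAD_CFG"
chmod 644 "$GOOD_CFG"; chmod 664 "$BAD_CFG"
check_kubelet_config "$(kubelet_config_path "$DROPIN")"
check_kubelet_config "$BAD_CFG" || echo "fix $BAD_CFG, then: systemctl restart kubelet"
```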

Summary

Benchmark section | Contains checks for                                  | kube-bench target
Master Node (1.x) | API server, controller-manager, PKI, scheduler, etc. | master or controlplane
Node (4.x)        | Kubelet, kubelet config, certificates, permissions   | node
etcd (3.x)        | etcd service, certs, ports, flags                    | etcd
Policies (5.x)    | PodSecurityPolicies (old), security policies         | policies




Cheedge Lee | Sciencx (2025-11-21T10:02:03+00:00) CKS Notes — Kube-bench. Retrieved from https://www.scien.cx/2025/11/21/cks-notes-kube-bench/