Introduction
A Kubernetes cluster left at its default configuration exposes far more attack surface than most teams expect. Little of it stems from malice: the defaults favour convenience over security, with flat pod networking and broad permissions handed out for the sake of getting started quickly. In this article we walk through a systematic cluster audit with the CIS Kubernetes Benchmark (run through kube-bench) and Trivy, find the most common issues, and fix them.
Tools
| Tool | Purpose |
|---|---|
| kube-bench | Automated CIS Kubernetes Benchmark verification |
| Trivy | Container image and K8s configuration scanning |
| kubectl | Manual configuration verification |
| kubeaudit | K8s resource security audit |
Step 1 — CIS Benchmark with kube-bench
kubectl apply -f https://raw.githubusercontent.com/aquasecurity/kube-bench/main/job.yaml
kubectl wait --for=condition=complete job/kube-bench --timeout=300s
kubectl logs job/kube-bench
The job runs kube-bench on whichever node its pod is scheduled to and reads that node's static pod manifests and kubelet config; on a managed control plane (EKS, GKE, AKS) only the node checks apply, and kube-bench ships platform-specific benchmark variants for those. Sample output:
== Summary master ==
42 checks PASS
8 checks FAIL
11 checks WARN
Most Common FAILs and How to Fix Them
1.2.1 — Anonymous auth enabled on the API server. Add the flag to the static pod manifest; the kubelet restarts the apiserver when the file changes. On kubeadm clusters the pod's liveness and readiness probes hit /livez and /readyz without credentials, so check that the apiserver stays healthy after the change instead of entering a restart loop (recent releases can keep anonymous access limited to exactly those endpoints through the AuthenticationConfiguration file):
# /etc/kubernetes/manifests/kube-apiserver.yaml, in spec.containers[].command
    - --anonymous-auth=false
4.2.1 / 4.2.2 — Kubelet accepts anonymous requests and authorizes with AlwaysAllow. Disable anonymous access, have the kubelet validate bearer tokens against the API server (webhook authentication) and delegate authorization to it as well. kubeadm sets these values by default; clusters bootstrapped by hand often do not. Restart the kubelet afterwards and confirm that an unauthenticated request to port 10250 is rejected:
# /var/lib/kubelet/config.yaml
authentication:
  anonymous:
    enabled: false
  webhook:
    enabled: true
authorization:
  mode: Webhook
Step 2 — Image Scanning with Trivy
# Scan an image, CRITICAL and HIGH only (add --ignore-unfixed to drop findings the distro has not patched yet)
trivy image --severity CRITICAL,HIGH nginx:latest
# Scan the entire cluster through the current kubeconfig context (slow on large clusters; the k8s subcommand's arguments have changed between Trivy releases, check trivy k8s --help)
trivy k8s --report summary cluster
# Scan manifest files for misconfigurations (no cluster access needed, so it fits a pre-merge check)
trivy config ./k8s-manifests/
Sample output (an image scan without the severity filter, so MEDIUM findings are counted as well):
nginx:latest (debian 12.4)
Total: 23 (CRITICAL: 2, HIGH: 8, MEDIUM: 13)
┌─────────┬───────────────┬──────────┬───────────┬───────────────┐
│ Library │ Vulnerability │ Severity │ Installed │ Fixed Version │
├─────────┼───────────────┼──────────┼───────────┼───────────────┤
│ openssl │ CVE-2024-0727 │ CRITICAL │ 3.0.11    │ 3.0.12        │
└─────────┴───────────────┴──────────┴───────────┴───────────────┘
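Trivy can enforce the "no CRITICAL/HIGH" rule on its own (trivy image --exit-code 1 --severity CRITICAL,HIGH --ignore-unfixed, with accepted IDs listed in a .trivyignore file). The script below is an added example, not code from the article or from the Trivy project: it applies the same policy to a saved JSON report (trivy image -f json -o trivy.json ...) so that the decision logic is reviewable and the accepted list can carry a justification next to each ID. It assumes Trivy's Results[].Vulnerabilities[] JSON layout; the embedded report is constructed and its CVE identifiers are placeholders, not real advisories.

```python
"""CI gate over a Trivy JSON report.

Added example: not code from the original article or from the Trivy project.
Assumes the image was scanned with
    trivy image -f json -o trivy.json nginx:latest
and reads Trivy's Results[].Vulnerabilities[] layout. SAMPLE_REPORT is
constructed and its CVE identifiers are placeholders, not real advisories.
"""
import json
import sys
from dataclasses import dataclass

BLOCKING_SEVERITIES = {"CRITICAL", "HIGH"}  # pipeline policy (assumption, matching the article)


@dataclass(frozen=True)
class Finding:
    vuln_id: str
    package: str
    installed: str
    fixed: str       # "" when the distro has not shipped a fix yet
    severity: str
    target: str


def parse_report(report: dict) -> list[Finding]:
    """Flatten every Results[].Vulnerabilities[] entry into a Finding."""
    findings = []
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:  # Trivy emits null for clean targets
            findings.append(Finding(
                vuln_id=v["VulnerabilityID"], package=v["PkgName"],
                installed=v.get("InstalledVersion", ""), fixed=v.get("FixedVersion", ""),
                severity=v.get("Severity", "UNKNOWN").upper(), target=result.get("Target", "")))
    return findings


def severity_counts(findings: list[Finding]) -> dict[str, int]:
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


def blocking_findings(findings, ignore_unfixed=True, accepted=frozenset()):
    """Findings that fail the build.

    ignore_unfixed: skip entries with no FixedVersion; a rebuild cannot change them,
        so track them on a dashboard instead of blocking every build.
    accepted: vulnerability IDs with a documented risk acceptance (what .trivyignore holds).
    """
    return [f for f in findings
            if f.severity in BLOCKING_SEVERITIES
            and f.vuln_id not in accepted
            and not (ignore_unfixed and not f.fixed)]


def gate(report: dict, ignore_unfixed=True, accepted=frozenset()) -> int:
    """Exit code for the CI step: 1 while any blocking finding remains, else 0."""
    findings = parse_report(report)
    blocking = blocking_findings(findings, ignore_unfixed, accepted)
    print(f"{report.get('ArtifactName', '?')}: {severity_counts(findings)}")
    for f in blocking:
        print(f"  BLOCK {f.severity:8} {f.vuln_id:14} {f.package} {f.installed} -> {f.fixed}")
    return 1 if blocking else 0


# Constructed sample in Trivy's JSON layout. CVE-0000-* are placeholders, not real advisories.
SAMPLE_REPORT = {
    "ArtifactName": "nginx:latest",
    "Results": [
        {"Target": "nginx:latest (debian 12.4)", "Class": "os-pkgs", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0001", "PkgName": "openssl", "Severity": "CRITICAL",
             "InstalledVersion": "3.0.11-1~deb12u2", "FixedVersion": "3.0.13-1~deb12u1"},
            {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libc6", "Severity": "HIGH",
             "InstalledVersion": "2.36-9+deb12u4"},  # no fix published yet
            {"VulnerabilityID": "CVE-0000-0003", "PkgName": "curl", "Severity": "MEDIUM",
             "InstalledVersion": "7.88.1-10+deb12u5", "FixedVersion": "7.88.1-10+deb12u6"},
            {"VulnerabilityID": "CVE-0000-0004", "PkgName": "zlib1g", "Severity": "HIGH",
             "InstalledVersion": "1:1.2.13.dfsg-1", "FixedVersion": "1:1.2.13.dfsg-1+deb12u1"},
        ]},
        {"Target": "Node.js", "Class": "lang-pkgs", "Vulnerabilities": None},
    ],
}

if __name__ == "__main__":
    # Usage: python3 trivy_gate.py trivy.json   (no argument: gate the constructed sample)
    report = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_REPORT
    sys.exit(gate(report, accepted=frozenset({"CVE-0000-0004"})))
```

Run it as a pipeline step right after the scan and let its exit code decide whether the image is pushed. The ignore_unfixed default reflects a deliberate trade-off: a finding with no fixed version cannot be resolved by rebuilding, so blocking on it only trains people to bypass the gate; report those separately and keep the gate for findings a rebuild actually removes.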
Step 3 — RBAC Audit
# Who has cluster-admin at cluster scope? (a RoleBinding can also grant cluster-admin inside a single namespace; run the same query against rolebindings -A)
kubectl get clusterrolebindings -o json | \
  jq '.items[] | select(.roleRef.name=="cluster-admin") | .subjects'
# What can a ServiceAccount do? (complete with plain RBAC; with a webhook authorizer the list may be incomplete, as kubectl warns)
kubectl auth can-i --list --as=system:serviceaccount:default:myapp
Common RBAC Mistakes
# BAD — excessive permissions: a workload bound to cluster-admin owns the whole cluster
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
# GOOD — principle of least privilege: a namespaced Role listing only the verbs the app actually calls
rules:
  - apiGroups: [""]
    resources: ["pods", "configmaps"]
    verbs: ["get", "list", "watch"]
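The two kubectl queries above answer one question at a time. The script below is an added example (not the article's own code and not a Kubernetes tool) that audits a whole dump of RBAC objects in one pass: it resolves every binding to its rules, including RoleBindings that reference a ClusterRole, and flags wildcards, privilege-escalation verbs, high-value resource/verb pairs such as reading secrets or creating pods, and bindings reachable without any credential. It assumes the List object printed by kubectl get clusterroles,clusterrolebindings,roles,rolebindings -A -o json; the sample objects are constructed (only cluster-admin's rules are the real built-in ones) and the set of "risky" verbs and resources is the example's own policy.

```python
"""RBAC audit over kubectl JSON output.

Added example: not code from the original article or from Kubernetes itself.
Input is the List object written by
    kubectl get clusterroles,clusterrolebindings,roles,rolebindings -A -o json
SAMPLE_ITEMS is constructed; the "risky" sets below are this example's own policy.
"""
import json
import sys

RISKY_VERBS = {"escalate", "bind", "impersonate"}  # grow your own privileges, on any resource
RISKY_RESOURCE_VERBS = {                            # pairs that amount to takeover (example policy)
    "secrets": {"get", "list", "watch"},            # read every token and credential in scope
    "pods/exec": {"create"},                         # shell into any pod
    "pods": {"create", "patch", "update"},           # run a pod with any SA token or hostPath mount
    "serviceaccounts/token": {"create"},             # mint tokens for other identities
}
PUBLIC_SUBJECTS = {("Group", "system:unauthenticated"), ("User", "system:anonymous")}

def rule_reasons(rule: dict) -> set[str]:
    """Why one RBAC rule is dangerous; an empty set means the rule is benign."""
    verbs, resources = set(rule.get("verbs", [])), set(rule.get("resources", []))
    reasons = set()
    if "*" in verbs:
        reasons.add("wildcard verbs")
    if "*" in resources:
        reasons.add("wildcard resources")
    if reasons:  # a wildcard already implies every pair checked below
        return reasons
    reasons |= {f"verb {v}" for v in verbs & RISKY_VERBS}
    for res in resources:
        reasons |= {f"{v} {res}" for v in verbs & RISKY_RESOURCE_VERBS.get(res, set())}
    return reasons

def subject_id(s: dict) -> str:
    """Render a subject the way kubectl auth can-i --as expects it."""
    if s["kind"] == "ServiceAccount":
        return f"system:serviceaccount:{s.get('namespace', '')}:{s['name']}"
    return f"{s['kind']}:{s['name']}"

def audit(items: list[dict]) -> list[dict]:
    """One finding per (subject, binding) whose effective rules are risky, in input order."""
    roles = {}
    for obj in items:
        if obj["kind"] in ("ClusterRole", "Role"):
            m = obj["metadata"]
            roles[(obj["kind"], m.get("namespace", ""), m["name"])] = obj.get("rules") or []
    findings = []
    for obj in items:
        if obj["kind"] not in ("ClusterRoleBinding", "RoleBinding"):
            continue
        ref, ns = obj["roleRef"], obj["metadata"].get("namespace", "")
        # A RoleBinding may reference a ClusterRole; the rules then apply inside the binding's namespace.
        key = (ref["kind"], "" if ref["kind"] == "ClusterRole" else ns, ref["name"])
        reasons = set()
        for rule in roles.get(key, []):
            reasons |= rule_reasons(rule)
        if ref["name"] == "cluster-admin":
            reasons.add("bound to cluster-admin")
        for s in obj.get("subjects") or []:
            sub_reasons = set(reasons)
            if (s["kind"], s["name"]) in PUBLIC_SUBJECTS:
                sub_reasons.add(f"granted to {s['name']}")  # reachable with no credential at all
            if sub_reasons:
                findings.append({"subject": subject_id(s), "scope": ns or "cluster",
                                 "binding": f"{obj['kind']}/{obj['metadata']['name']}",
                                 "role": f"{ref['kind']}/{ref['name']}", "reasons": sorted(sub_reasons)})
    return findings

def _obj(kind: str, name: str, ns: str = "", **fields) -> dict:
    """Minimal kubectl-shaped object for the constructed sample."""
    return {"kind": kind, "metadata": {"name": name, **({"namespace": ns} if ns else {})}, **fields}

# Constructed sample: cluster-admin carries its real built-in rules, everything else is made up.
SAMPLE_ITEMS = [
    _obj("ClusterRole", "cluster-admin", rules=[{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
                                                {"nonResourceURLs": ["*"], "verbs": ["*"]}]),
    _obj("ClusterRole", "pod-reader", rules=[{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}]),
    _obj("ClusterRole", "secret-reader", rules=[{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]),
    _obj("Role", "deployer", "dev", rules=[{"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["*"]},
                                           {"apiGroups": [""], "resources": ["pods"], "verbs": ["create", "delete"]}]),
    _obj("ClusterRoleBinding", "myapp-admin", roleRef={"kind": "ClusterRole", "name": "cluster-admin"},
         subjects=[{"kind": "ServiceAccount", "namespace": "default", "name": "myapp"}]),
    _obj("ClusterRoleBinding", "monitoring", roleRef={"kind": "ClusterRole", "name": "pod-reader"},
         subjects=[{"kind": "ServiceAccount", "namespace": "monitoring", "name": "prometheus"}]),
    _obj("ClusterRoleBinding", "public-pods", roleRef={"kind": "ClusterRole", "name": "pod-reader"},
         subjects=[{"kind": "Group", "name": "system:unauthenticated"}]),
    _obj("RoleBinding", "backup", "prod", roleRef={"kind": "ClusterRole", "name": "secret-reader"},
         subjects=[{"kind": "ServiceAccount", "namespace": "prod", "name": "backup"}]),
    _obj("RoleBinding", "deployer", "dev", roleRef={"kind": "Role", "name": "deployer"},
         subjects=[{"kind": "User", "name": "alice"}]),
]

if __name__ == "__main__":
    # Usage: python3 rbac_audit.py rbac.json   (no argument: audit the constructed sample)
    items = json.load(open(sys.argv[1]))["items"] if len(sys.argv) > 1 else SAMPLE_ITEMS
    for f in audit(items):
        print(f"{f['subject']:45} {f['binding']:32} scope={f['scope']:8} {', '.join(f['reasons'])}")
```

On the sample the read-only monitoring binding produces nothing, while the other four bindings each produce a finding: the ServiceAccount bound to cluster-admin, the ClusterRole exposed to system:unauthenticated (a read-only role still leaks pod specs and environment variables to anyone who can reach the API), secret reading in prod, and the dev Role that combines a wildcard verb with pod creation. Treat the output as a worklist rather than a verdict: aggregated rules (a ClusterRole whose aggregationRule pulls in other roles) show up with the rules kubectl has already merged, but a role that is safe on paper can still be risky when combined with another binding for the same subject.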
Step 4 — Network Policies
By default every pod can reach every other pod in the cluster, across namespaces. Start each application namespace with a policy that selects all pods and allows nothing, then add narrow allow rules per workload. Two caveats: NetworkPolicy is enforced by the CNI plugin, so with a CNI that does not implement it (plain flannel, for example) the object is accepted but has no effect, which is worth verifying from a test pod; and because this policy includes Egress, pods in the namespace lose DNS until an egress rule allowing UDP and TCP port 53 to kube-dns is added alongside it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: production
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
Results Summary — Sample Report
| Category | Findings | Critical | High |
|---|---|---|---|
| CIS Benchmark | 61 | 3 | 5 |
| Image vulnerabilities | 23 | 2 | 8 |
| Misconfigurations | 12 | 1 | 4 |
| RBAC | 4 | 2 | 2 |
| Total | 100 | 8 | 19 |
Summary
A Kubernetes cluster audit is not a one-time action. We recommend:
- Trivy in CI/CD pipeline — scan every image before deployment and fail the build on CRITICAL/HIGH findings that have a fix available
- kube-bench monthly — configuration verification, repeated after every control-plane or kubelet upgrade, since new releases change both the defaults and the benchmark
- Network Policies — deploy right after cluster setup, before the first workload lands