Skip to content

CISKubeBenchReport

The CISKubeBenchReport is a cluster scoped resource owned by a Kubernetes node, which represents the latest result of running CIS Kubernetes Benchmark tests on that node. It's named after a corresponding node.

The following listing shows a sample CISKubeBenchReport associated with the kind-control-plane node.

apiVersion: aquasecurity.github.io/v1alpha1
kind: CISKubeBenchReport
metadata:
  name: kind-control-plane
  labels:
    trivy-operator.resource.kind: Node
    trivy-operator.resource.name: kind-control-plane
  uid: 4aec0c8e-c98d-4b53-8727-1e22cacdb772
  ownerReferences:
    - apiVersion: v1
      blockOwnerDeletion: false
      controller: true
      kind: Node
      name: kind-control-plane
      uid: 6941ddfd-65be-4960-8cda-a4d11e53cbe9
report:
  updateTimestamp: '2021-05-20T11:53:58Z'
  scanner:
    name: kube-bench
    vendor: Aqua Security
    version: 0.5.0
  sections:
    - id: '1'
      node_type: master
      tests:
        - desc: Master Node Configuration Files
          fail: 1
          info: 0
          pass: 18
          results:
            - remediation: >
                Run the below command (based on the file location on your
                system) on the

                master node.

                For example, chmod 644
                /etc/kubernetes/manifests/kube-apiserver.yaml
              scored: true
              status: PASS
              test_desc: >-
                Ensure that the API server pod specification file permissions
                are set to 644 or more restrictive (Automated)
              test_number: 1.1.1
            - remediation: >
                Run the below command (based on the file location on your
                system) on the master node.

                For example,

                chown root:root /etc/kubernetes/manifests/kube-apiserver.yaml
              scored: true
              status: PASS
              test_desc: >-
                Ensure that the API server pod specification file ownership is
                set to root:root (Automated)
              test_number: 1.1.2
          section: '1.1'
          warn: 2
      text: Master Node Security Configuration
      total_fail: 10
      total_info: 0
      total_pass: 45
      total_warn: 10
      version: '1.6'
  summary:
    failCount: 11
    infoCount: 0
    passCount: 71
    warnCount: 40

Note

We do not anticipate many (at all) kube-bench alike tools, hence the schema of this report is currently the same as the output of kube-bench.