Skip to content

Wrapper to run kube-bench at regular intervals and expose results as a prometheus metric

License

Notifications You must be signed in to change notification settings

ibrokethecloud/kube-bench-metrics

Repository files navigation

kube-bench-metrics

kube-bench-metrics is a wrapper to execute aqusecurity/kube-bench.

It parses the results of the scan and exposes the results as prometheus metrics.

These can now be scraped by prometheus with subsequent alerting via Alertmanager.

The helm chart available in the charts directory can be used to quickly get started.

The versionOverride variable in values.yaml needs to be updated to specify the correct version of checks to be run from cfg directory.

The pod by default re-runs the scan and publishes the metrics every hour.

However this can be configured using the --delay argument to the command in the containerSpec available in the packaged helm chart.

USAGE:
   kube-bench-metrics [global options] command [command options] [arguments...]

COMMANDS:
   help, h  Shows a list of commands or help for one command

GLOBAL OPTIONS:
   --check value, -c value     A comma delimited list of checks to run
   --versionOverride value     Version of checks to run
   --delay value, -d value     Delay in minutes between scheduled runs (default: 60)
   --nodeType value, -n value  Node classification: Possible values are node and master
   --help, -h                  show help

The current versions in cfg are a copy of github.com/rancher/security-scan and are customised for RKE environments.

These can be overriden. I will add support for all upstream kube-bench versions as well.

The inbuilt grafana dashboard can be deployed to quickly generate a simple view of the cluster compliance:

Full Cluster View

Single Node View

To Do:

  • Build automation
  • Test Cases

About

Wrapper to run kube-bench at regular intervals and expose results as a prometheus metric

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Contributors 3

  •  
  •  
  •