Kubernetes Compliance Mod

Run individual controls or full compliance benchmarks for NSA and CISA Kubernetes Hardening Guidance and CIS across all of your Kubernetes clusters.

References

Kubernetes also known as K8s, is an open-source system for automating deployment, scaling, and management of containerized applications.

NSA & CISA Cybersecurity Technical Report describes the complexities of securely managing Kubernetes an open-source, container-orchestration system used to automate deploying, scaling, and managing containerized applications.

CIS Kubernetes Benchmarks provide a predefined set of compliance and security best-practice checks for Kubernetes clusters.

Steampipe is an open source CLI to instantly query cloud APIs using SQL.

Steampipe Mods are collections of named queries, and codified controls that can be used to test current configuration of your cloud resources against a desired configuration.

Documentation

• Benchmarks and controls →
• Named queries →

Getting started

Installation

Download and install Steampipe (https://steampipe.io/downloads). Or use Brew:

brew tap turbot/tap
brew install steampipe

Install the Kubernetes plugin with Steampipe:

steampipe plugin install kubernetes

Clone:

git clone https://github.com/turbot/steampipe-mod-kubernetes-compliance.git
cd steampipe-mod-kubernetes-compliance

Usage

Start your dashboard server to get started:

steampipe dashboard

By default, the dashboard interface will then be launched in a new browser window at http://localhost:9194. From here, you can run benchmarks by selecting one or searching for a specific one.

Instead of running benchmarks in a dashboard, you can also run them within your terminal with the steampipe check command:

Run all benchmarks:

steampipe check all

Run an single benchmark:

steampipe check benchmark.nsa_cisa_v1_network_hardening_cpu_limit

Run a specific control:

steampipe check control.daemonset_cpu_limit

Different output formats are also available, for more information please see Output Formats.

Credentials

This mod uses the credentials configured in the Steampipe Kubernetes plugin.

Configuration

No extra configuration is required.

Common and Tag Dimensions

The benchmark queries use common properties (like connection_name, context_name, namespace, path and source_type) and tags are defined in the form of a default list of strings in the mod.sp file. These properties can be overwritten in several ways:

• Copy and rename the steampipe.spvars.example file to steampipe.spvars, and then modify the variable values inside that file

• Pass in a value on the command line:

  steampipe check benchmark.cis_kube_v120 --var 'common_dimensions=["connection_name", "context_name", "namespace", "path", "source_type"]'

  steampipe check benchmark.cis_kube_v120 --var 'tag_dimensions=["Environment", "Owner"]'

• Set an environment variable:

  SP_VAR_common_dimensions='["connection_name", "context_name", "namespace", "path", "source_type"]' steampipe check control.cis_kube_v120_v100_5_2_1

  SP_VAR_tag_dimensions='["Environment", "Owner"]' steampipe check control.cis_kube_v120_v100_5_2_1

Contributing

If you have an idea for additional controls or just want to help maintain and extend this mod (or others) we would love you to join the community and start contributing.

• Join our Slack community → and hang out with other Mod developers.

Please see the contribution guidelines and our code of conduct. All contributions are subject to the Apache 2.0 open source license.

Want to help but not sure where to start? Pick up one of the help wanted issues:

• Steampipe
• Kubernetes Compliance Mod