kube-bench is an open-source tool by Aqua Security that checks whether Kubernetes clusters are deployed according to the CIS Kubernetes Benchmark. It automates compliance validation for control plane, worker node, etcd, and policy configurations across 12+ Kubernetes distributions. 7.9k GitHub stars, 1.3k forks.
What is kube-bench?
kube-bench is a Go-based CLI tool that automates CIS Kubernetes Benchmark compliance checks. The CIS Kubernetes Benchmark is an industry-standard set of recommendations for configuring Kubernetes securely. kube-bench runs through each CIS recommendation, tests the cluster configuration, and reports what passes, what fails, and how to fix the failures.
The tool covers five areas from the CIS Benchmark: control plane components (API server, controller manager, scheduler), etcd, control plane configuration, worker nodes, and Kubernetes policies. Each check maps directly to a numbered CIS recommendation with a pass, fail, or warning result.
What Kubernetes distributions does kube-bench support?
kube-bench auto-detects the Kubernetes version and selects the correct benchmark. It supports 12+ CIS Benchmark versions for vanilla Kubernetes (1.15 through 1.34) and distribution-specific benchmarks for managed and specialized platforms:
| Platform | Benchmark versions |
|---|---|
| Kubernetes | CIS 1.5.1, 1.6.0, 1.20, 1.23, 1.24, 1.7, 1.8, 1.9, 1.10, 1.11, 1.12 |
| Amazon EKS | CIS 1.0.1, 1.1.0, 1.2.0, 1.5.0 |
| Google GKE | CIS 1.0.0, 1.2.0, 1.6.0 |
| Azure AKS | CIS 1.0.0, 1.7.0 |
| Alibaba ACK | CIS 1.0.0 |
| Red Hat OpenShift | CIS OCP 3.10–3.11, OCP4 1.1.0+ |
| k3s | CIS 1.6, 1.7, 1.24, 1.25 |
| RKE / RKE2 | Multiple versions |
For managed services like EKS, GKE, and AKS, kube-bench skips control plane checks since those nodes are not accessible — it focuses on worker node and policy configurations instead.
How does kube-bench work?
kube-bench uses YAML-based test definitions where each CIS recommendation maps to a file specifying what command to run, what output to expect, and the remediation steps if the check fails. This YAML-driven approach makes it straightforward to customize checks or add organization-specific policies on top of the CIS baseline.
kube-bench can run three ways:
- Kubernetes Job — the recommended approach for most clusters. Deploy a Job that runs kube-bench against the node it lands on, then collect results from the pod logs.
- DaemonSet — runs kube-bench on every node in the cluster. Useful when you need compliance results for all nodes at once.
- Standalone binary — run directly on a host. Useful for local testing or environments where deploying into the cluster is not an option.
Output goes to stdout by default. Use --json for machine-readable output that integrates with CI/CD pipelines, SIEM systems, or compliance dashboards.
Who should use kube-bench?
kube-bench is designed for platform teams and security engineers who need to validate CIS Benchmark compliance across Kubernetes clusters. It fits compliance workflows where CIS adherence is a requirement: audit preparation, regulatory checks, or internal security baselines.
Organizations subject to PCI DSS, HIPAA, or SOC 2 often use CIS Kubernetes Benchmark results as evidence of cluster hardening.
If CIS compliance checking is all you need, kube-bench does it with minimal overhead. For broader Kubernetes security coverage (image scanning, runtime detection, multiple compliance frameworks), look at Kubescape or Falco for runtime monitoring.
What are kube-bench’s limitations?
kube-bench only checks configuration against CIS benchmarks. It does not scan container images, monitor runtime behavior, or detect active threats.
Results are point-in-time snapshots, so run it periodically or integrate it into CI/CD to catch configuration drift.
On managed Kubernetes services (EKS, GKE, AKS), some CIS checks do not apply because the cloud provider manages the control plane — kube-bench automatically skips those checks.
