AccuKnox CIS K8s Job

Instructions for running the CIS Benchmark on a cluster via the AccuKnox CIS K8s Job

Prerequisites:

Parameters:

| Variable | Sample Value | Description |
|---|---|---|
| accuknox.url | cspm.demo.accuknox.com | AccuKnox CSPM Endpoint URL |
| accuknox.tenantId | 2 | AccuKnox Tenant ID |
| accuknox.label | CIS | AccuKnox Label |
| accuknox.authToken | $token | AccuKnox Token |
| accuknox.clusterName | $clusterName | Cluster Name |
| accuknox.cronTab | 30 9 * * * | CronJob (UTC) |
| toolConfig.platform | "GKE" OR "AKS" | Name of the platform. Default: empty |
| toolConfig.nodeType | master OR controlplane | For node selection |
| toolConfig.targets | "master,controlplane,node" | Ref |
| toolConfig.benchmark | "gke-1.6.0" | Ref |
| toolConfig.check | "1.1.1,1.2.3" | Control IDs to check |
| toolConfig.skip | "1.1.1,1.3.1" | Control IDs to skip |

Schedule CIS Job on cluster

Clone the GitHub repository and switch to the CIS K8s Job folder:

git clone https://github.com/accuknox/accuknox-jobs.git && cd accuknox-jobs/cis-k8s-job

Helm command to deploy the AccuKnox CIS K8s Job locally:

helm upgrade --install accuknox-cis-k8s . \
    --set accuknox.url="cspm.demo.accuknox.com" \
    --set accuknox.tenantId="$tenantId" \
    --set accuknox.label="$label" \
    --set accuknox.authToken="$token" \
    --set accuknox.clusterName="$clusterName" \
    --set accuknox.cronTab="30 9 * * *"

Note:

  • You can get the AccuKnox Token and Tenant ID from AccuKnox SaaS under Settings > Tokens
  • You can get the AccuKnox Label from AccuKnox SaaS under Settings > Labels

Manual Procedure

Instructions for running the CIS Benchmark manually using the kube-bench binary

Prerequisites:

Steps to follow:

  • Generate the output file results.json against the current context of the selected cluster
kube-bench run --config-dir ~/test/KubeBench/cfg/ --json --outputfile results.json

Make sure you provide the correct --config-dir.

  • Add metadata to the output file
cat <<<$(jq '. += {
    "Metadata": {
        "cluster_name":"$cluster",
        "label_name":"$label"}}
    ' results.json) >results.json

Replace $cluster with the cluster name and $label with the AccuKnox Label.

  • Send the output file to AccuKnox SaaS
curl --location --request POST \
    "https://cspm.demo.accuknox.com/api/v1/artifact/?tenant_id=$tenantId&data_type=KB&save_to_s3=true" \
    --header "Tenant-Id: $tenantId" \
    --header "Authorization: Bearer $token" \
    --form 'file=@"./results.json"'

Replace $tenantId with the AccuKnox Tenant ID and $token with the AccuKnox Token.

  • You should see a success message: {"detail":"File received successfully"}