Difficulty: intermediate
Estimated Time: 10 minutes

In this section you will use the open source tool kube-bench to identify insecure Kubernetes settings. You'll also remediate one of the settings to turn a failing test into a pass.

Congratulations, you have remediated a security issue on this node!

Extra information: why should you set AlwaysPullImages?

This setting ensures that when a pod is scheduled to a node, the image is always pulled from the registry, even if a locally cached copy already exists. That way the latest version of the image is the one that gets used.

Note: This is a good example of a case where the CIS Benchmark gives good advice, but it is not the only way to solve a particular security issue. If your YAML files always refer to images by their SHA digest rather than by a (semantic) tag, you can be sure that they are exactly the version of code you expect to be running. If you use tags for your images, such as myapp:3.1, there is no way to guarantee that two nodes running with the same image tag are running identical code, because the image might have been rebuilt and given the same tag. (This is even more likely if you use the "latest" tag!)
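As an added illustration of the tag-versus-digest point above (example code, not part of the original scenario or of kube-bench), this Python script classifies container image references and reports the pull policy the kubelet would apply with and without the AlwaysPullImages admission controller. The image names and the digest are constructed placeholders.

```python
import re

# Constructed regex for a container image reference: optional registry
# (host[:port]/), repository path, optional ":tag", optional "@sha256:digest".
_REF_RE = re.compile(
    r"^(?P<name>(?:[^/:@\s]+(?::\d+)?/)?[^:@\s]+)"
    r"(?::(?P<tag>\w[\w.-]{0,127}))?"
    r"(?:@(?P<digest>sha256:[0-9a-f]{64}))?$"
)

def classify_image(ref):
    """Return 'digest', 'tag', 'latest' or 'invalid' for an image reference."""
    m = _REF_RE.match(ref)
    if not m:
        return "invalid"
    if m.group("digest"):
        return "digest"      # content-addressed: the bytes cannot change
    tag = m.group("tag")
    if tag is None or tag == "latest":
        return "latest"      # implicit or explicit latest: re-pointed most often
    return "tag"             # named tag, e.g. myapp:3.1: may still be re-pointed

def effective_pull_policy(ref, declared=None, always_pull_images=False):
    """Pull policy the kubelet applies, following Kubernetes defaulting rules."""
    if always_pull_images:   # the admission controller forces Always on every pod
        return "Always"
    if declared:
        return declared
    return "Always" if classify_image(ref) == "latest" else "IfNotPresent"

def audit_images(images, always_pull_images=False):
    """Flag references whose content can differ between nodes or restarts."""
    return [
        (ref, classify_image(ref), effective_pull_policy(ref, always_pull_images=always_pull_images))
        for ref in images
        if classify_image(ref) != "digest"
    ]

# Constructed sample references (the digest is a placeholder, not a real image)
SAMPLE_IMAGES = [
    "myapp:3.1",
    "registry.example.internal:5000/team/api",
    "nginx:latest",
    "docker.io/library/nginx@sha256:" + "a" * 64,
]

if __name__ == "__main__":
    for ref, kind, policy in audit_images(SAMPLE_IMAGES):
        print(f"{ref}: {kind} reference, effective imagePullPolicy={policy}")
```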

WORK IN PROGRESS - using secure Kubernetes settings

Step 1 of 5

Wait for Kubernetes to be ready

In this scenario you will run kube-bench as a Kubernetes job.

You might need to wait a few moments before the Kubernetes cluster is ready. Run the following command:

watch kubectl get nodes

This can take a minute or two, so please be patient. At first you may see a message about not being able to connect to localhost:8080, and then you'll see the status of the master node.

Wait until the node status is "Ready", and then hit Ctrl+C to quit that command.