Difficulty: intermediate
Estimated Time: 10 minutes

In this section you will use the open source tool kube-bench to identify insecure Kubernetes settings. You'll also remediate one of the settings to turn a failing test into a pass.

Congratulations, you have remediated a security issue on this node!

Extra information: why should you set AlwaysPullImages?

This setting ensures that when a pod is scheduled to a node, the image is always pulled from the registry, even if a locally cached copy already exists, so the latest version of that image is used.

Note: This is a good example of where the CIS Benchmark gives good advice, but its recommendation is not the only way to solve a particular security issue. If your YAML files always refer to images by their SHA rather than using a (semantic) tag, you can be sure that they are exactly the version of code that you expect to be running. If you use tags for your images, such as myapp:3.1, there is no way to guarantee that two nodes running with the same image tag are running identical code - the image might have been rebuilt but given the same tag. (This is even more likely if you use the "latest" tag!)
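
To find workloads that still depend on tags, the check below flags every image reference that is not pinned by SHA digest. It is an added example, not part of the original scenario or of kube-bench; the function names and the sample pod data are assumptions constructed for illustration.

```python
import re

# A sha256 digest is "sha256:" followed by 64 lowercase hex characters.
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


def classify_image(ref):
    """Return 'digest', 'tag', 'latest' or 'invalid-digest' for an image reference."""
    name, at, digest = ref.partition("@")
    if at:
        # name@sha256:... (optionally name:tag@sha256:...) is resolved by digest.
        return "digest" if DIGEST_RE.match(digest) else "invalid-digest"
    # Only a colon in the last path component introduces a tag; an earlier
    # colon is a registry port, as in localhost:5000/myapp.
    last = name.rsplit("/", 1)[-1]
    _, colon, tag = last.partition(":")
    if not colon or tag == "latest":
        return "latest"  # a missing tag is resolved as :latest
    return "tag"


def audit(pods):
    """pods maps a pod name to its list of image references.

    Returns a sorted list of (pod, image, kind) for every image that is
    not pinned by digest.
    """
    findings = []
    for pod, images in pods.items():
        for image in images:
            kind = classify_image(image)
            if kind != "digest":
                findings.append((pod, image, kind))
    return sorted(findings)


# Constructed sample data: the digest and pod names are made up.
SAMPLE_DIGEST = "sha256:" + "ab" * 32
SAMPLE_PODS = {
    "web": ["myapp:3.1"],
    "worker": ["myapp@" + SAMPLE_DIGEST],
    "cache": ["localhost:5000/redis"],
    "batch": ["registry.example.com/tools/job:latest", "myapp:3.1@" + SAMPLE_DIGEST],
}

if __name__ == "__main__":
    for pod, image, kind in audit(SAMPLE_PODS):
        print(f"{pod}: {image} -> {kind}")
```

Images reported as "tag" or "latest" are the ones for which AlwaysPullImages matters most, because two nodes can hold different content under the same name.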

WORK IN PROGRESS - using secure Kubernetes settings

Step 1 of 5

Wait for Kubernetes to be ready

In this scenario you will run kube-bench as a Kubernetes job.

You might need to wait a few moments before the Kubernetes cluster is ready. Run the following command:

watch kubectl get nodes

This can take a minute or two, so please be patient. At first you might see a message about not being able to connect to localhost:8080, and then you'll see the status of the master node.

Wait until the node status is "Ready", and then hit Ctrl+C to quit that command.
