Nirmata CIS Adapter

The Nirmata CIS Adapter periodically runs the CIS Kubernetes Benchmark checks as a Kubernetes CronJob using kube-bench and publishes the results as a cluster-wide policy report, based on the Policy Report Custom Resource Definition (ClusterPolicyReport).

The Nirmata CIS Adapter is available as a Helm chart that can be installed on a Kubernetes cluster.

Prerequisites

Installing the Nirmata CIS Adapter Helm chart

Adding the Kyverno Helm repository

The following commands add and update the Nirmata Helm chart repository, which hosts the Kyverno and CIS Adapter charts:

helm repo add nirmata https://nirmata.github.io/kyverno-charts/
helm repo update nirmata

(Optional) If a custom CA (Certificate Authority) is used in the cluster, create a ConfigMap holding the CA certificate under the custom-ca.pem key. A ConfigMap can only be mounted by pods in its own namespace, so create it in the namespace the adapter will run in (the example below uses kyverno; adjust -n to match your install namespace):

kubectl -n kyverno create configmap <e.g. ca-store-cm> --from-file=custom-ca.pem=<cert file e.g. some-cert.pem>

Creating a namespace

It is recommended to install the CIS-Adapter in its own namespace. This documentation uses kube-bench as the namespace:

kubectl create namespace kube-bench

Installing the Nirmata CIS Adapter

Self-managed cluster

The following command installs the CIS Adapter for a self-managed (non-cloud-provider) cluster from the nirmata Helm repo in the kube-bench namespace, with the desired parameters. Note that commas inside a --set value must be escaped as "\," so Helm does not split the target list into separate values:

helm install kube-bench-adapter nirmata/kube-bench-adapter -n kube-bench --set kubeBench.name="cis-1.24" --set kubeBench.kubeBenchBenchmark="cis-1.24" --set kubeBench.namespace="kube-bench" --set kubeBench.kubeBenchTargets="master\,controlplane\,node\,etcd\,policies"

EKS

Install the CIS Adapter for EKS from the nirmata Helm repo in the kube-bench namespace, with the desired parameters:

helm install kube-bench-adapter nirmata/kube-bench-adapter -n kube-bench --set kubeBench.name="cis-eks-1.2.0" --set kubeBench.kubeBenchBenchmark="eks-1.2.0" --set kubeBench.namespace="kube-bench" --set kubeBench.kubeBenchTargets="controlplane\,node\,policies\,managedservices"

GKE

Install the CIS Adapter for GKE from the nirmata Helm repo in the kube-bench namespace, with the desired parameters:

helm install kube-bench-adapter nirmata/kube-bench-adapter -n kube-bench --set kubeBench.name="cis-gke-1.2.0" --set kubeBench.kubeBenchBenchmark="gke-1.2.0" --set kubeBench.namespace="kube-bench" --set kubeBench.kubeBenchTargets="controlplane\,node\,policies\,managedservices"

AKS

Install the CIS Adapter for AKS from the nirmata Helm repo in the kube-bench namespace, with the desired parameters:

helm install kube-bench-adapter nirmata/kube-bench-adapter -n kube-bench --set kubeBench.name="cis-aks-1.0" --set kubeBench.kubeBenchBenchmark="aks-1.0" --set kubeBench.namespace="kube-bench" --set kubeBench.kubeBenchTargets="controlplane\,node\,policies\,managedservices"

OpenShift

Install the CIS Adapter for OpenShift from the nirmata Helm repo in the kube-bench namespace, with the desired parameters:

helm install kube-bench-adapter nirmata/kube-bench-adapter -n kube-bench --set kubeBench.name="cis-rh-1.0" --set kubeBench.kubeBenchBenchmark="rh-1.0" --set kubeBench.namespace="kube-bench" --set kubeBench.kubeBenchTargets="master\,controlplane\,node\,etcd\,policies"
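The per-provider install commands above differ only in the benchmark name and the kube-bench target list. The following script is an added example (not part of the Nirmata chart or its documentation) that maps a cluster type to those values, escapes the commas the way Helm requires, and prints or runs the resulting helm install command. The provider keywords, the RELEASE and NAMESPACE variables and the --apply flag are this script's own conventions; the chart values are the ones documented above.

```shell
#!/bin/sh
# Added example, not part of the Nirmata CIS Adapter chart or docs.
# Usage: ./install-cis-adapter.sh <self-managed|eks|gke|aks|openshift> [--apply]
set -e

RELEASE="${RELEASE:-kube-bench-adapter}"   # Helm release name (this script's default)
NAMESPACE="${NAMESPACE:-kube-bench}"       # install namespace, as in the docs above

# adapter_values <provider>: prints "name benchmark targets" for that cluster type.
# The target list is comma-separated here; Helm escaping is applied later.
adapter_values() {
  case "$1" in
    self-managed) printf '%s\n' "cis-1.24 cis-1.24 master,controlplane,node,etcd,policies" ;;
    eks)          printf '%s\n' "cis-eks-1.2.0 eks-1.2.0 controlplane,node,policies,managedservices" ;;
    gke)          printf '%s\n' "cis-gke-1.2.0 gke-1.2.0 controlplane,node,policies,managedservices" ;;
    aks)          printf '%s\n' "cis-aks-1.0 aks-1.0 controlplane,node,policies,managedservices" ;;
    openshift)    printf '%s\n' "cis-rh-1.0 rh-1.0 master,controlplane,node,etcd,policies" ;;
    *) printf 'unknown provider: %s\n' "$1" >&2; return 1 ;;
  esac
}

# build_install_cmd <provider>: prints the complete "helm install" command.
# Helm parses an unescaped comma in a --set value as the start of another
# key=value pair, so every comma in the target list is turned into "\,".
build_install_cmd() {
  line=$(adapter_values "$1") || return 1
  set -- $line                       # split into: name benchmark targets
  name=$1
  bench=$2
  targets=$(printf '%s' "$3" | sed 's/,/\\,/g')
  printf 'helm install %s nirmata/kube-bench-adapter -n %s --set kubeBench.name="%s" --set kubeBench.kubeBenchBenchmark="%s" --set kubeBench.namespace="%s" --set kubeBench.kubeBenchTargets="%s"\n' \
    "$RELEASE" "$NAMESPACE" "$name" "$bench" "$NAMESPACE" "$targets"
}

# main <provider> [--apply]: print the command; with --apply also prepare the
# repo and namespace and run it.
main() {
  cmd=$(build_install_cmd "$1")
  printf '%s\n' "$cmd"
  if [ "${2:-}" = "--apply" ]; then
    helm repo add nirmata https://nirmata.github.io/kyverno-charts/ >/dev/null 2>&1 || true
    helm repo update nirmata
    kubectl get namespace "$NAMESPACE" >/dev/null 2>&1 || kubectl create namespace "$NAMESPACE"
    eval "$cmd"
  fi
}

if [ $# -gt 0 ]; then main "$@"; fi
```

Run it without --apply first to review the exact command that will be executed; the printed line for eks is identical to the EKS command in the section above.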

Verifying installation

Verifying cronjob creation

The chart creates a CronJob with a weekly schedule. Verify that it exists with:

kubectl get cronjob -n kube-bench

Verify policyreports creation

Check the report created through the custom resource. ClusterPolicyReport is a cluster-scoped resource, so no namespace flag is needed (a -n flag is ignored). Note that a report only appears after the CronJob has completed its first run:

kubectl get clusterpolicyreports
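Because the CronJob runs weekly, the first ClusterPolicyReport can take days to appear, and a practitioner usually wants to trigger one run immediately and then gate on the outcome. The following is an added example (not from the Nirmata project) that creates a one-off Job from the chart's CronJob, waits for it, reads the pass/fail summary of every ClusterPolicyReport, and fails if any report has more failed checks than an allowed limit. The function names, the assumption that exactly one CronJob lives in the namespace, and the summary line format are this script's own; the summary fields (pass, fail, warn) are those of the Policy Report CRD.

```shell
#!/bin/sh
# Added example, not part of the Nirmata CIS Adapter chart or docs.
# Usage: ./check-cis-report.sh [namespace] [max-failed-checks]
set -e

# trigger_run <namespace>: start a one-off Job from the adapter's CronJob
# instead of waiting for the weekly schedule, and block until it completes.
# Assumes the namespace holds exactly one CronJob (the chart's).
trigger_run() {
  cj=$(kubectl -n "$1" get cronjob -o jsonpath='{.items[0].metadata.name}')
  [ -n "$cj" ] || { echo "no CronJob found in namespace $1" >&2; return 1; }
  job="${cj}-manual-$(date +%s)"
  kubectl -n "$1" create job "$job" --from="cronjob/$cj"
  kubectl -n "$1" wait --for=condition=complete "job/$job" --timeout=600s
}

# report_summary: one line per ClusterPolicyReport: "<name> <pass> <fail> <warn>".
# ClusterPolicyReport is cluster-scoped, so no -n flag.
report_summary() {
  kubectl get clusterpolicyreports \
    -o jsonpath='{range .items[*]}{.metadata.name} {.summary.pass} {.summary.fail} {.summary.warn}{"\n"}{end}'
}

# gate <max_fail>: reads summary lines on stdin and returns 1 if any report
# has more than <max_fail> failed checks. Kept separate from kubectl so the
# policy can be exercised on constructed input without a cluster.
gate() {
  max=${1:-0}
  rc=0
  while read -r name pass fail warn; do
    [ -n "$name" ] || continue
    if [ "${fail:-0}" -gt "$max" ]; then
      printf 'FAIL %s: %s failed checks (limit %s)\n' "$name" "$fail" "$max" >&2
      rc=1
    else
      printf 'ok   %s: pass=%s fail=%s warn=%s\n' "$name" "${pass:-0}" "${fail:-0}" "${warn:-0}"
    fi
  done
  return $rc
}

main() {
  ns=${1:-kube-bench}
  trigger_run "$ns"
  report_summary | gate "${2:-0}"
}

if [ $# -gt 0 ]; then main "$@"; fi
```

Wire the script into a pipeline stage so a cluster that drifts out of compliance fails the build; raise the second argument only for benchmark items you have consciously accepted and documented as exceptions.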

Uninstalling the chart

The following command removes all the Kubernetes components associated with the CIS Adapter chart and deletes the release:

helm -n kube-bench uninstall kube-bench-adapter