
I am currently in doubt about how to properly run kube-bench in my cluster (an AKS cluster, to be specific). I used, of course, the job definition file from GitHub and modified it to run as a CronJob (it is maybe overkill, but it isn't relevant to my question). This definition runs the pod in the default namespace, and I changed it as well to use a newly created kube-bench namespace. Furthermore, it runs only on one node, and as I understood it, it runs the tests only on that node in this case. So my questions would be:

  1. Is it good practice to run it in a separate namespace intended only for kube-bench?
  2. If I have more nodes (and node pools) in a cluster, do I need to run the job/pod on every node (e.g. as a DaemonSet) and collect the report for every node individually?

Thanks in advance

Luka Klarić
  • 1. I would generally advise not using the default namespace, but whatever organization and separation makes sense for your setup is fine. 2. AFAIK kube-bench is only for the k8s platform itself; you will need a separate tool if you also wish to check the security of the OS on the nodes. – jordanm Feb 08 '23 at 18:15
  • Thank you for your answer, and sorry for my late response. Just for the record, once again: so it doesn't matter on which node kube-bench runs? It checks only the platform, and it is totally fine to run it as a job out-of-the-box? – Luka Klarić Feb 22 '23 at 07:52

0 Answers
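An added example for the second question, not from the question author or from the kube-bench project. The node-level checks read the kubelet configuration, unit files and process arguments from the host the pod is scheduled on, so a single Job assesses only that node; to cover every node and node pool you need one run per node. A DaemonSet is the obvious shortcut, but DaemonSet pods must keep running (restartPolicy is always `Always`), so a container that exits after the scan ends up in a crash loop. The script below instead renders one Job per node, pinned with a `nodeSelector` on `kubernetes.io/hostname`, in a dedicated `kube-bench` namespace, and saves each node's report to its own file. The namespace name, the image tag, the `--targets node` argument and the three hostPath mounts are assumptions for illustration: compare them against the upstream `job.yaml` (and the AKS variant, which also pins `--benchmark`) before use.

```shell
#!/bin/sh
# Added example (not from the question or from the kube-bench project).
# One kube-bench Job per node, collected per node. Requires kubectl
# access to the cluster only when invoked as: sh kube-bench-all.sh run
set -eu

NAMESPACE=kube-bench                        # assumption: dedicated namespace
IMAGE=docker.io/aquasec/kube-bench:latest   # assumption: pin a real tag in practice

# render_job NODE
# Prints a Job manifest that runs kube-bench only on NODE. hostPID and the
# hostPath mounts are there because the node checks inspect the kubelet
# process and its config files on the host; the mount list is an assumption
# and should be compared with the upstream job.yaml for your kube-bench version.
render_job() {
  node="$1"
  cat <<EOF
apiVersion: batch/v1
kind: Job
metadata:
  name: kube-bench-${node}
  namespace: ${NAMESPACE}
  labels:
    app: kube-bench
spec:
  backoffLimit: 0                 # a failed scan is a result, not something to retry
  ttlSecondsAfterFinished: 86400  # keep the report pod for a day, then garbage-collect
  template:
    spec:
      restartPolicy: Never
      hostPID: true
      nodeSelector:
        kubernetes.io/hostname: ${node}
      tolerations:
        - operator: Exists        # also reach tainted node pools
      containers:
        - name: kube-bench
          image: ${IMAGE}
          command: ["kube-bench", "run", "--targets", "node"]  # assumption: add --benchmark for AKS if auto-detect fails
          volumeMounts:
            - {name: var-lib-kubelet, mountPath: /var/lib/kubelet, readOnly: true}
            - {name: etc-systemd, mountPath: /etc/systemd, readOnly: true}
            - {name: etc-kubernetes, mountPath: /etc/kubernetes, readOnly: true}
      volumes:
        - {name: var-lib-kubelet, hostPath: {path: /var/lib/kubelet}}
        - {name: etc-systemd, hostPath: {path: /etc/systemd}}
        - {name: etc-kubernetes, hostPath: {path: /etc/kubernetes}}
EOF
}

# run_all
# Creates the namespace idempotently, submits one Job per node, waits for all
# of them, then writes each node's report to kube-bench-<node>.txt.
run_all() {
  kubectl create namespace "$NAMESPACE" --dry-run=client -o yaml | kubectl apply -f -
  nodes=$(kubectl get nodes -o jsonpath='{.items[*].metadata.name}')
  for node in $nodes; do
    render_job "$node" | kubectl apply -f -
  done
  kubectl -n "$NAMESPACE" wait --for=condition=complete job -l app=kube-bench --timeout=10m
  for node in $nodes; do
    kubectl -n "$NAMESPACE" logs "job/kube-bench-${node}" > "kube-bench-${node}.txt"
  done
}

if [ "${1:-}" = run ]; then
  run_all
fi
```

Reports stay separate per node on purpose: a node pool with a different kubelet configuration (or an outdated image) shows up as one failing node rather than being averaged away. Since the Job is pinned to a node and the pod exits after the scan, this is also the shape to put behind a CronJob if you keep the scheduled setup from the question.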