Banzai Cloud PKE CIS Kubernetes benchmark
At Banzai Cloud we strive to enable a secure software supply chain, one that ensures applications deployed with the Pipeline platform and Pipeline Kubernetes Engine are secure without reducing developer productivity across all environments (on-premise, multi-, hybrid-, and edge-cloud). While we have our own internal processes and a dedicated security team working full time on hardening the entire application platform stack, it also makes sense to give our customers confidence by following industry-standard benchmarks.
Today we are happy to announce that our own CNCF certified Kubernetes distribution, PKE, has passed the CIS Benchmark for Kubernetes. For those unfamiliar with the CIS benchmark, it is an industry-standard set of objective, consensus-driven security guidelines for Kubernetes-based software.
Below are a few highlights of the Banzai Cloud Pipeline security approach:
All secrets and certificates are generated and stored by Vault
Secrets are dynamically injected into Pods
Pipeline and PKE are integrated with Dex to support multiple auth backends
Provider agnostic authentication and authorization for Pipeline and PKE
There is a lot more; if you would like to learn more, please get in touch with us, we'd be happy to chat.
The Banzai Cloud PKE CIS Benchmark for Kubernetes test results are available here.
The CIS Benchmark for Kubernetes
While there are quite a few tests and manual guidelines available, we decided to use the automated open source tool kube-bench, made by the great folks from Aqua Security. kube-bench is a Go application that checks whether Kubernetes is deployed securely by running the checks documented in the CIS Kubernetes Benchmark. The tool is now wired into our own internal release process and running continuously against
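One way to turn such a continuous kube-bench run into a release gate, as an added example that is neither Banzai Cloud's nor kube-bench's own code: it parses a kube-bench JSON report (the report below is a constructed sample, and the field names are assumed to follow the layout kube-bench emits with --json) and blocks only on scored failures, leaving warnings and unscored checks for manual review.

```python
import json

# Constructed sample kube-bench report (not a real PKE result). Field names
# are assumed to follow kube-bench's --json layout: Controls -> tests -> results.
SAMPLE_REPORT = json.dumps({
    "Controls": [{
        "id": "1", "version": "cis-1.5", "node_type": "master",
        "text": "Master Node Security Configuration",
        "tests": [{
            "section": "1.2", "desc": "API Server (constructed group)",
            "results": [
                {"test_number": "1.2.1", "status": "PASS", "scored": True},
                {"test_number": "1.2.2", "status": "FAIL", "scored": True,
                 "remediation": "constructed remediation text"},
                {"test_number": "1.2.3", "status": "WARN", "scored": False},
                {"test_number": "1.2.4", "status": "FAIL", "scored": False},
            ],
        }],
    }],
})


def parse_report(report_json):
    """Decode the JSON text kube-bench writes with --json into a dict."""
    return json.loads(report_json)


def iter_results(report):
    """Yield every individual check result across all controls and groups."""
    for control in report.get("Controls", []):
        for group in control.get("tests", []):
            yield from group.get("results", [])


def blocking_failures(report):
    """Scored FAILs count against the benchmark and block the release.
    Older reports may omit 'scored'; a missing key is treated as scored."""
    return sorted(r["test_number"] for r in iter_results(report)
                  if r.get("status") == "FAIL" and r.get("scored", True))


def manual_followups(report):
    """WARNs and unscored FAILs need a human review, not a release block."""
    return sorted(r["test_number"] for r in iter_results(report)
                  if r.get("status") == "WARN"
                  or (r.get("status") == "FAIL" and not r.get("scored", True)))


def release_allowed(report_json):
    """Gate decision for a CI step: True only when no scored check failed."""
    return not blocking_failures(parse_report(report_json))


if __name__ == "__main__":
    report = parse_report(SAMPLE_REPORT)
    print("blocking:", blocking_failures(report))
    print("manual follow-up:", manual_followups(report))
    print("release allowed:", release_allowed(SAMPLE_REPORT))
```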
Hunting for security weaknesses in Kubernetes clusters
Passing the CIS benchmark was a great start and gives our customers confidence; however, we are doing even more. The Aqua Security folks have open sourced another security tool, kube-hunter, to increase awareness of and visibility into security issues in Kubernetes environments.
PKE clusters are continuously tested with kube-hunter as well, in both remote/internal scanning and active hunting mode, in order to attempt to exploit the vulnerabilities that the tool finds. We are happy to disclose that no vulnerabilities were found, and that we are using the tool in Pipeline Kubernetes Engine.