At Banzai Cloud we strive to enable a secure software supply chain that ensures applications deployed with the Pipeline platform and the Pipeline Kubernetes Engine (PKE) are secure, without reducing developer productivity, across all environments (on-premise, multi-, hybrid- and edge-cloud). While we have our own internal processes and a dedicated security team working full time on hardening the entire application platform stack, it also makes sense to give our customers confidence by following industry-standard benchmarks.
Today we are happy to announce that our own CNCF certified Kubernetes distribution, PKE, has passed the CIS Benchmark for Kubernetes. For those unfamiliar with it, the CIS benchmark is an industry-standard, objective, consensus-driven set of security configuration guidelines for Kubernetes.
Below are a few highlights of the Banzai Cloud Pipeline security approach:
All secrets and certificates are generated by and stored in Vault
Secrets are dynamically injected into Pods
Pipeline and PKE are integrated with Dex to support multiple authentication backends
Provider-agnostic authentication and authorization for Pipeline and PKE
There is a lot more; if you are interested in learning more, please get in touch with us, we'd be happy to chat.
The Banzai Cloud PKE CIS Benchmark for Kubernetes test results are available here.
The CIS Benchmark for Kubernetes
The benchmark itself is a long list of checks, some of which can only be verified manually, so rather than working through it by hand we decided to automate it with the open source kube-bench tool, made by the great folks at Aqua Security.
kube-bench is a Go application that checks whether Kubernetes is deployed securely by running the checks documented in the CIS Kubernetes Benchmark. Because those checks inspect configuration files and process flags on the host, kube-bench has to run on the control plane and worker nodes themselves (for example as a Kubernetes Job), not merely against the API server. The tool is now wired into our own internal release process and runs continuously against PKE clusters.
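To show what "wired into the release process" can look like in practice, here is a small release gate over a kube-bench report. This is an added example, not code from Banzai Cloud, Pipeline or the kube-bench project. It assumes kube-bench was run with its `--json` flag and that the report's top level is a `Controls` list of control groups, each holding `tests`, each holding `results` with a `test_number`, `test_desc` and a `status` of PASS/FAIL/WARN/INFO; verify that layout against the kube-bench version you run. The report embedded below is constructed for the example and its check IDs are illustrative.

```python
"""Release gate over a kube-bench JSON report.

Added example; not code from Banzai Cloud, Pipeline or kube-bench.
Assumed report layout (check against your kube-bench version):
  {"Controls": [{"node_type": ..., "tests": [{"results": [
      {"test_number": ..., "test_desc": ..., "status": "PASS|FAIL|WARN|INFO"}]}]}]}
"""
import json
import sys
from collections import Counter

# Constructed sample report (not real scan output); the check IDs follow the
# numbering style of the CIS Kubernetes Benchmark but are illustrative only.
SAMPLE_REPORT = json.dumps({
    "Controls": [
        {"id": "1", "text": "Master Node Security Configuration", "node_type": "master",
         "tests": [{"section": "1.2", "desc": "API Server", "results": [
             {"test_number": "1.2.1", "status": "PASS",
              "test_desc": "Ensure that the --anonymous-auth argument is set to false"},
             {"test_number": "1.2.6", "status": "FAIL",
              "test_desc": "Ensure that the --kubelet-certificate-authority argument is set as appropriate",
              "remediation": "Point --kubelet-certificate-authority on the apiserver at the kubelet CA bundle."},
         ]}]},
        {"id": "4", "text": "Worker Node Security Configuration", "node_type": "node",
         "tests": [{"section": "4.2", "desc": "Kubelet", "results": [
             {"test_number": "4.2.1", "status": "PASS",
              "test_desc": "Ensure that the anonymous-auth argument is set to false"},
             {"test_number": "4.2.9", "status": "WARN",
              "test_desc": "Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture"},
         ]}]},
    ]
})


def iter_results(report):
    """Flatten the nested Controls -> tests -> results structure."""
    for control in report.get("Controls", []):
        node_type = control.get("node_type", "unknown")
        for test in control.get("tests", []):
            for result in test.get("results", []):
                yield node_type, result


def evaluate(report_json, allowlist=frozenset()):
    """Decide whether a report passes the gate.

    FAIL blocks the release unless the check ID is on the allowlist (a
    documented, accepted exception). WARN means kube-bench could not verify
    the item automatically; it is listed for manual review but does not
    block. Returns a dict so callers can inspect the verdict.
    """
    report = json.loads(report_json)
    counts = Counter()
    failed, warned, accepted = [], [], []
    for node_type, r in iter_results(report):
        status = str(r.get("status", "INFO")).upper()
        counts[status] += 1
        entry = {"node_type": node_type, "test_number": r.get("test_number", "?"),
                 "test_desc": r.get("test_desc", ""), "remediation": r.get("remediation", "")}
        if status == "FAIL":
            if entry["test_number"] in allowlist:
                accepted.append(entry["test_number"])
            else:
                failed.append(entry)
        elif status == "WARN":
            warned.append(entry)
    return {"ok": not failed, "counts": dict(counts), "failed": failed,
            "warned": warned, "accepted": accepted}


def main(argv):
    # Usage: gate.py [report.json] [ALLOWED_CHECK_ID ...]
    # Without arguments the constructed sample is evaluated, so it runs offline.
    if len(argv) > 1:
        with open(argv[1]) as fh:
            report_json = fh.read()
        allowlist = frozenset(argv[2:])
    else:
        report_json, allowlist = SAMPLE_REPORT, frozenset()
    verdict = evaluate(report_json, allowlist)
    print("results:", verdict["counts"])
    for f in verdict["failed"]:
        print(f"FAIL [{f['node_type']}] {f['test_number']}: {f['test_desc']}")
        if f["remediation"]:
            print("     remediation:", f["remediation"])
    for w in verdict["warned"]:
        print(f"WARN [{w['node_type']}] {w['test_number']}: {w['test_desc']} (manual check)")
    if verdict["accepted"]:
        print("accepted exceptions:", ", ".join(verdict["accepted"]))
    return 0 if verdict["ok"] else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `kube-bench --json > report.json && python gate.py report.json` on each node type; the non-zero exit code is what a CI step keys on. The allowlist is deliberately a positional list of check IDs so that every accepted exception is visible in the pipeline definition rather than hidden in the tool's configuration.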
Hunting for security weaknesses in Kubernetes clusters
Passing the CIS benchmark is a good start and provides confidence to our customers, but we do more than that. Aqua Security has open sourced another security tool, kube-hunter, which probes a cluster the way an attacker would in order to increase awareness and visibility of security issues in Kubernetes environments.
PKE clusters are continuously tested with kube-hunter as well, in both remote and internal scanning modes and also in active hunting mode, which attempts to exploit the issues the passive scan finds. Active hunting can change the state of the cluster it runs against, so it belongs on test clusters, not production ones. We are happy to disclose that no vulnerabilities were found, and the tool is now part of the Pipeline Kubernetes Engine release process.