Visual Kubernetes CIS Compliance with Powerpipe

Austin Lawrence
Sep 29, 2024

Ensuring the security of your Kubernetes clusters is crucial, and the Center for Internet Security (CIS) benchmarks provide a valuable standard for this. This guide will show you how to use Powerpipe on macOS to take a quick, visual snapshot of your Kubernetes cluster's compliance with CIS benchmarks. Other operating systems are supported; check both the Steampipe and Powerpipe documentation for the latest instructions.

What is Powerpipe?

Powerpipe is a tool that allows you to run benchmarks and view results in a web-based interface. It works with Steampipe's plugin ecosystem, enabling you to query your Kubernetes cluster and assess its CIS compliance status with a user-friendly, visual report.

Setting Up Powerpipe on macOS

1. Install Powerpipe using Homebrew:

brew install powerpipe

2. Install Steampipe using Homebrew:

brew install steampipe

3. Install the Kubernetes plugin:

steampipe plugin install kubernetes

4. Install the Kubernetes Compliance mod:

powerpipe mod install github.com/turbot/steampipe-mod-kubernetes-compliance

Taking a Visual CIS Compliance Snapshot

To take an immediate, visual snapshot of your Kubernetes cluster's CIS compliance:

1. Ensure your KUBECONFIG is set correctly. If you're using minikube or another flavor of portable K8s, this should be automatic. For other setups, you might need to set it manually:

export KUBECONFIG=/path/to/your/kubeconfig

2. Start Powerpipe Server:

powerpipe server

3. Open your web browser and navigate to:

http://localhost:9033

4. In the web interface, find and select one of the CIS benchmark dashboards.
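
A preflight for step 1, as an added example that is not part of the original post: the kubeconfig holds the credentials the scan runs with, so this checks that every file named in KUBECONFIG (which may be a colon-separated list) exists and is not accessible to group or others. The function names and exit codes are assumptions of this example.

```shell
#!/bin/sh
# Added example: kubeconfig preflight to run before `powerpipe server`.
# Function names and exit codes are illustrative, not part of Powerpipe.

# Print a file's octal permission bits (GNU stat first, then BSD/macOS stat).
file_mode() {
    stat -L -c '%a' "$1" 2>/dev/null || stat -L -f '%Lp' "$1" 2>/dev/null
}

# check_kubeconfig: validate each file in KUBECONFIG, or ~/.kube/config
# when KUBECONFIG is unset.
#   0 = every file is present and owner-only
#   1 = a file is missing or unreadable
#   2 = a file is accessible to group or others
# The body runs in a subshell so the IFS and globbing changes stay local.
check_kubeconfig() (
    set -f      # no globbing on the unquoted expansion below
    IFS=:       # KUBECONFIG may list several files, colon-separated
    rc=0
    for f in ${KUBECONFIG:-$HOME/.kube/config}; do
        [ -n "$f" ] || continue     # skip empty entries such as "a::b"
        if [ ! -r "$f" ]; then
            echo "MISSING  $f" >&2
            return 1
        fi
        case "$(file_mode "$f")" in
            *00) echo "OK       $f" ;;
            *)   echo "EXPOSED  $f (fix with: chmod 600 \"$f\")" >&2
                 rc=2 ;;
        esac
    done
    # Show which cluster the scan will query, when kubectl is available.
    if [ "$rc" -eq 0 ] && command -v kubectl >/dev/null 2>&1; then
        echo "Context: $(kubectl config current-context 2>/dev/null)"
    fi
    return "$rc"
)

# Usage: check_kubeconfig && powerpipe server
```
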

Understanding the Visual Report

The Powerpipe Server web interface provides:

- An overview dashboard with summary statistics
- Detailed results for each benchmark item, organized by category
- Visual indicators (e.g., red for fail, green for pass) for quick status assessment
- Recommendations for addressing non-compliant items
- The ability to drill down into specific checks for more information

Conclusion

Using Powerpipe on macOS, you can quickly get a visual snapshot of your Kubernetes cluster's CIS compliance status. This approach allows for on-demand, user-friendly assessments whenever you need them, helping you maintain a secure Kubernetes environment.

The visual nature of the report makes it easy to identify areas of concern and share results with team members. Remember, while this snapshot provides valuable insights, regular checks and prompt remediation of identified issues are key to maintaining ongoing security.

Powerpipe combines the power of comprehensive CIS benchmarks with the clarity of a web-based interface, all from your workstation. Use it whenever you need a quick, visual compliance check of your Kubernetes cluster, whether you're working with a local development environment or a remote production cluster.