mkdocs support and update docs (#884)
* Delete README.md * Edit readme and separate into different files * Update README.md * Update Running.md * Update CONTRIBUTING.md * Create Contributing.md * Add files via upload * Update Index.md * Rename Flags and Commands.md to Flags_and_commands.md * Rename Index.md to index.md * Create mkdocs.yml * Delete images directory * Update README.md * Update README.md * Update README.md * Update README.md * Update README.md * Update README.md * Create mkdocs-dev.yaml * Create mkdocs-latest.yaml * Update mkdocs.yml * Update mkdocs.yml * Update mkdocs.yml Add yamllint --- * Make it yamllint comply * Make Yamllint comply * Make Yamllint comply * Change description Co-authored-by: Itay Shakury <itay@itaysk.com> * Fix syntax Co-authored-by: Itay Shakury <itay@itaysk.com> * Update docs/Architecture.md Co-authored-by: Itay Shakury <itay@itaysk.com> * Update docs/Architecture.md Co-authored-by: Itay Shakury <itay@itaysk.com> * Update example for test files * Update contributing * Delete Contributing.md * Update Flags_and_commands.md * Change syntax and add source * Update Platforms.md * lower case file names * lower case file names * Lower case file names * Lower case file names * Lower case file names * Lower case file names * Add note about inspect master in some platforms * Add quick start * Lower case files names * Lower case files names * Fixing typo * Remove section about old ocp * Fix typos Co-authored-by: Itay Shakury <itay@itaysk.com>pull/898/head
@ -0,0 +1,35 @@
|
||||
---
|
||||
name: Deploy the dev documentation
|
||||
on:
|
||||
push:
|
||||
paths:
|
||||
- 'docs/**'
|
||||
- mkdocs.yml
|
||||
branches:
|
||||
- main
|
||||
jobs:
|
||||
deploy:
|
||||
name: Deploy the dev documentation
|
||||
runs-on: ubuntu-18.04
|
||||
steps:
|
||||
- name: Checkout main
|
||||
uses: actions/checkout@v2
|
||||
with:
|
||||
fetch-depth: 0
|
||||
persist-credentials: true
|
||||
- uses: actions/setup-python@v2
|
||||
with:
|
||||
python-version: 3.x
|
||||
- name: Install dependencies
|
||||
run: |
|
||||
pip install git+https://${GH_TOKEN}@github.com/squidfunk/mkdocs-material-insiders.git
|
||||
pip install mike
|
||||
pip install mkdocs-macros-plugin
|
||||
env:
|
||||
GH_TOKEN: ${{ secrets.MKDOCS_AQUA_BOT }}
|
||||
- name: Setup Git
|
||||
run: |
|
||||
git config user.name "github-actions"
|
||||
git config user.email "github-actions@github.com"
|
||||
- name: Deploy the dev documents
|
||||
run: mike deploy --push dev
|
@ -0,0 +1,30 @@
|
||||
---
|
||||
name: Deploy the latest documentation
|
||||
on:
|
||||
push:
|
||||
tags:
|
||||
- "v*"
|
||||
jobs:
|
||||
deploy:
|
||||
name: Deploy the latest documentation
|
||||
runs-on: ubuntu-18.04
|
||||
steps:
|
||||
- name: Checkout main
|
||||
uses: actions/checkout@v2
|
||||
with:
|
||||
fetch-depth: 0
|
||||
persist-credentials: true
|
||||
- uses: actions/setup-python@v2
|
||||
with:
|
||||
python-version: 3.x
|
||||
- name: Install dependencies
|
||||
run: |
|
||||
pip install git+https://${GH_TOKEN}@github.com/squidfunk/mkdocs-material-insiders.git
|
||||
pip install mike
|
||||
pip install mkdocs-macros-plugin
|
||||
env:
|
||||
GH_TOKEN: ${{ secrets.ORG_GITHUB_TOKEN }}
|
||||
- name: Deploy the latest documents
|
||||
run: |
|
||||
VERSION=$(echo ${{ github.ref }} | sed -e "s#refs/tags/##g")
|
||||
mike deploy --push --update-aliases $VERSION latest
|
@ -0,0 +1,25 @@
|
||||
## Test config YAML representation
|
||||
|
||||
The tests (or "controls") are maintained in YAML documents. There are different versions of these test YAML files reflecting different [versions and platforms of the CIS Kubernetes Benchmark](./platforms.md). You will find more information about the test file YAML definitions in our [controls documentation](./controls.md).
|
||||
|
||||
## Kube-bench benchmarks
|
||||
|
||||
The test files for the various versions of Benchmarks can be found in directories
|
||||
with same name as the Benchmark versions under the `cfg` directory next to the kube-bench executable,
|
||||
for example `./cfg/cis-1.5` will contain all test files for [CIS Kubernetes Benchmark v1.5.1](https://workbench.cisecurity.org/benchmarks/4892) which are:
|
||||
master.yaml, controlplane.yaml, node.yaml, etcd.yaml, policies.yaml and config.yaml
|
||||
|
||||
Check the contents of the benchmark directory under `cfg` to see which targets are available for that benchmark. Each file except `config.yaml` represents a target (also known as a `control` in other parts of this documentation).
|
||||
|
||||
The following table shows the valid targets based on the CIS Benchmark version.
|
||||
| CIS Benchmark | Targets |
|
||||
|---|---|
|
||||
| cis-1.5| master, controlplane, node, etcd, policies |
|
||||
| cis-1.6| master, controlplane, node, etcd, policies |
|
||||
| gke-1.0| master, controlplane, node, etcd, policies, managedservices |
|
||||
| eks-1.0| controlplane, node, policies, managedservices |
|
||||
| ack-1.0| master, controlplane, node, etcd, policies, managedservices |
|
||||
| rh-0.7| master,node|
|
||||
| rh-1.0| master, controlplane, node, etcd, policies |
|
||||
|
||||
|
@ -0,0 +1,137 @@
|
||||
## Commands
|
||||
Command | Description
|
||||
--- | ---
|
||||
help | Prints help about any command
|
||||
run | List of components to run
|
||||
version | Print kube-bench version
|
||||
|
||||
## Flags
|
||||
Flag | Description
|
||||
--- | ---
|
||||
--alsologtostderr | log to standard error as well as files
|
||||
--asff | Send findings to AWS Security Hub for any benchmark tests that fail or that generate a warning. See [this page][kube-bench-aws-security-hub] for more information on how to enable the kube-bench integration with AWS Security Hub.
|
||||
--benchmark | Manually specify CIS benchmark version
|
||||
-c, --check | A comma-delimited list of checks to run as specified in Benchmark document.
|
||||
--config | config file (default is ./cfg/config.yaml)
|
||||
--exit-code | Specify the exit code for when checks fail
|
||||
--group | Run all the checks under this comma-delimited list of groups.
|
||||
--include-test-output | Prints the actual result when test fails.
|
||||
--json | Prints the results as JSON
|
||||
--junit | Prints the results as JUnit
|
||||
--log_backtrace_at traceLocation | when logging hits line file:N, emit a stack trace (default :0)
|
||||
--logtostderr | log to standard error instead of files
|
||||
--noremediations | Disable printing of remediations section to stdout.
|
||||
--noresults | Disable printing of results section to stdout.
|
||||
--nototals | Disable calculating and printing of totals for failed, passed, ... checks across all sections
|
||||
--outputfile | Writes the JSON results to output file
|
||||
--pgsql | Save the results to PostgreSQL
|
||||
--scored | Run the scored CIS checks (default true)
|
||||
--skip string | List of comma separated values of checks to be skipped
|
||||
--stderrthreshold severity | logs at or above this threshold go to stderr (default 2)
|
||||
-v, --v Level | log level for V logs (default 0)
|
||||
--version string | Manually specify Kubernetes version, automatically detected if unset
|
||||
--vmodule moduleSpec | comma-separated list of pattern=N settings for file-filtered logging
|
||||
|
||||
### Examples
|
||||
|
||||
#### Report kube-bench findings to AWS Security Hub
|
||||
|
||||
You can configure kube-bench with the `--asff` option to send findings to AWS Security Hub for any benchmark tests that fail or that generate a warning. See [this page](asff.md) for more information on how to enable the kube-bench integration with AWS Security Hub.
|
||||
|
||||
#### Specifying the benchmark or Kubernetes version
|
||||
|
||||
`kube-bench` uses the Kubernetes API, or access to the `kubectl` or `kubelet` executables to try to determine the Kubernetes version, and hence which benchmark to run. If you wish to override this, or if none of these methods are available, you can specify either the Kubernetes version or CIS Benchmark as a command line parameter.
|
||||
|
||||
You can specify a particular version of Kubernetes by setting the `--version` flag or with the `KUBE_BENCH_VERSION` environment variable. The value of `--version` takes precedence over the value of `KUBE_BENCH_VERSION`.
|
||||
|
||||
For example, run kube-bench using the tests for Kubernetes version 1.13:
|
||||
|
||||
```
|
||||
kube-bench --version 1.13
|
||||
```
|
||||
|
||||
|
||||
You can specify `--benchmark` to run a specific CIS Benchmark version:
|
||||
|
||||
```
|
||||
kube-bench --benchmark cis-1.5
|
||||
```
|
||||
|
||||
**Note:** It is an error to specify both `--version` and `--benchmark` flags together
|
||||
|
||||
#### Specifying Benchmark sections
|
||||
|
||||
If you want to run specific CIS Benchmark sections (i.e master, node, etcd, etc...)
|
||||
you can use the `run --targets` subcommand.
|
||||
|
||||
```
|
||||
kube-bench run --targets master,node
|
||||
```
|
||||
|
||||
or
|
||||
|
||||
```
|
||||
kube-bench run --targets master,node,etcd,policies
|
||||
```
|
||||
|
||||
|
||||
If no targets are specified, `kube-bench` will determine the appropriate targets based on the CIS Benchmark version and the components detected on the node. The detection is done by verifying which components are running, as defined in the config files (see [Configuration](controls.md#configuration-and-variables).
|
||||
|
||||
#### Run specific check or group
|
||||
|
||||
`kube-bench` supports running individual checks by specifying the check's `id`
|
||||
as a comma-delimited list on the command line with the `--check` | `-c` flag.
|
||||
`kube-bench --check="1.1.1,1.1.2,1.2.1,1.3.3"`
|
||||
|
||||
`kube-bench` supports running all checks under group by specifying the group's `id`
|
||||
as a comma-delimited list on the command line with the `--group` | `-g` flag.
|
||||
`kube-bench --check="1.1,2.2"`
|
||||
Will run all checks 1.1.X and 2.2.X.
|
||||
|
||||
#### Skip specific check or group
|
||||
|
||||
`kube-bench` supports skipping checks or groups by specifying the `id`
|
||||
as a comma-delimited list on the command line with the `--skip` flag.
|
||||
`kube-bench --skip="1.1,1.2.1,1.3.3"`
|
||||
Will skip 1.1.X group and individual checks 1.2.1, 1.3.3.
|
||||
Skipped checks returns [INFO] output.
|
||||
|
||||
#### Exit code
|
||||
|
||||
`kube-bench` supports using uniqe exit code when failing a check or more.
|
||||
`kube-bench --exit-code 42`
|
||||
Will return 42 if one check or more failed, and 0 incase none failed.
|
||||
**Note:** [WARN] is not [FAIL].
|
||||
|
||||
#### Output manipulation flags
|
||||
|
||||
There are four output states:
|
||||
- [PASS] indicates that the test was run successfully, and passed.
|
||||
- [FAIL] indicates that the test was run successfully, and failed. The remediation output describes how to correct the configuration, or includes an error message describing why the test could not be run.
|
||||
- [WARN] means this test needs further attention, for example it is a test that needs to be run manually. Check the remediation output for further information.
|
||||
- [INFO] is informational output that needs no further action.
|
||||
|
||||
Note:
|
||||
- If the test is Manual, this always generates WARN (because the user has to run it manually)
|
||||
- If the test is Scored, and kube-bench was unable to run the test, this generates FAIL (because the test has not been passed, and as a Scored test, if it doesn't pass then it must be considered a failure).
|
||||
- If the test is Not Scored, and kube-bench was unable to run the test, this generates WARN.
|
||||
- If the test is Scored, type is empty, and there are no `test_items` present, it generates a WARN. This is to highlight tests that appear to be incompletely defined.
|
||||
|
||||
`kube-bench` supports multiple output manipulation flags.
|
||||
`kube-bench --include-test-output` will print failing checks output in the results section
|
||||
```
|
||||
[INFO] 1 Master Node Security Configuration
|
||||
[INFO] 1.1 Master Node Configuration Files
|
||||
[FAIL] 1.1.1 Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Automated)
|
||||
**permissions=777**
|
||||
```
|
||||
|
||||
**Note:** `--noresults` `--noremediations` and `--include-test-output` **will not** effect the json output but only stdout.
|
||||
Only `--nototals` will effect the json output and thats because it will not call the function to calculate totals.
|
||||
|
||||
|
||||
#### Troubleshooting
|
||||
|
||||
Running `kube-bench` with the `-v 3` parameter will generate debug logs that can be very helpful for debugging problems.
|
||||
|
||||
If you are using one of the example `job*.yaml` files, you will need to edit the `command` field, for example `["kube-bench", "-v", "3"]`. Once the job has run, the logs can be retrieved using `kubectl logs` on the job's pod.
|
Before Width: | Height: | Size: 85 KiB After Width: | Height: | Size: 85 KiB |
After Width: | Height: | Size: 64 KiB |
Before Width: | Height: | Size: 124 KiB After Width: | Height: | Size: 124 KiB |
After Width: | Height: | Size: 58 KiB |
After Width: | Height: | Size: 86 KiB |
After Width: | Height: | Size: 7.0 KiB |
Before Width: | Height: | Size: 136 KiB After Width: | Height: | Size: 136 KiB |
@ -0,0 +1,35 @@
|
||||
[download]: https://img.shields.io/github/downloads/aquasecurity/kube-bench/total?logo=github
|
||||
[release-img]: https://img.shields.io/github/release/aquasecurity/kube-bench.svg?logo=github
|
||||
[release]: https://github.com/aquasecurity/kube-bench/releases
|
||||
[docker-pull]: https://img.shields.io/docker/pulls/aquasec/kube-bench?logo=docker&label=docker%20pulls%20%2F%20kube-bench
|
||||
[cov-img]: https://codecov.io/github/aquasecurity/kube-bench/branch/main/graph/badge.svg
|
||||
[cov]: https://codecov.io/github/aquasecurity/kube-bench
|
||||
[report-card-img]: https://goreportcard.com/badge/github.com/aquasecurity/kube-bench
|
||||
[report-card]: https://goreportcard.com/report/github.com/aquasecurity/kube-bench
|
||||
|
||||
![Kube-bench Logo](images/kube-bench.jpg)
|
||||
[![GitHub Release][release-img]][release]
|
||||
![Downloads][download]
|
||||
![Docker Pulls][docker-pull]
|
||||
[![Go Report Card][report-card-img]][report-card]
|
||||
[![Build Status](https://github.com/aquasecurity/kube-bench/workflows/Build/badge.svg?branch=main)](https://github.com/aquasecurity/kube-bench/actions)
|
||||
[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://github.com/aquasecurity/kube-bench/blob/main/LICENSE)
|
||||
[![Docker image](https://images.microbadger.com/badges/image/aquasec/kube-bench.svg)](https://microbadger.com/images/aquasec/kube-bench "Get your own image badge on microbadger.com")
|
||||
[![Source commit](https://images.microbadger.com/badges/commit/aquasec/kube-bench.svg)](https://microbadger.com/images/aquasec/kube-bench)
|
||||
[![Coverage Status][cov-img]][cov]
|
||||
|
||||
|
||||
# Kube-bench
|
||||
|
||||
kube-bench is a Go application that checks whether Kubernetes is deployed securely by running the checks documented in the [CIS Kubernetes Benchmark](https://www.cisecurity.org/benchmark/kubernetes/).
|
||||
|
||||
Tests are configured with YAML files, making this tool easy to update as test specifications evolve.
|
||||
|
||||
|
||||
1. kube-bench implements the [CIS Kubernetes Benchmark](https://www.cisecurity.org/benchmark/kubernetes/) as closely as possible. Please raise issues here if kube-bench is not correctly implementing the test as described in the Benchmark. To report issues in the Benchmark itself (for example, tests that you believe are inappropriate), please join the [CIS community](https://cisecurity.org).
|
||||
|
||||
1. There is not a one-to-one mapping between releases of Kubernetes and releases of the CIS benchmark. See [CIS Kubernetes Benchmark support](#cis-kubernetes-benchmark-support) to see which releases of Kubernetes are covered by different releases of the benchmark.
|
||||
|
||||
1. It is impossible to inspect the master nodes of managed clusters, e.g. GKE, EKS, AKS and ACK, using kube-bench as one does not have access to such nodes, although it is still possible to use kube-bench to check worker node configuration in these environments.
|
||||
|
||||
For help and more information go to our [github discussions q&a](https://github.com/aquasecurity/kube-bench/discussions/categories/q-a)
|
@ -0,0 +1,16 @@
|
||||
|
||||
## CIS Kubernetes Benchmark support
|
||||
|
||||
kube-bench supports running tests for Kubernetes.
|
||||
Most of our supported benchmarks are defined in the [CIS Kubernetes Benchmarks](https://www.cisecurity.org/benchmark/kubernetes/).
|
||||
Some defined by other hardenening guides.
|
||||
|
||||
| Source | Kubernetes Benchmark | kube-bench config | Kubernetes versions |
|
||||
|---|---|---|---|
|
||||
| CIS | [1.5.1](https://workbench.cisecurity.org/benchmarks/4892) | cis-1.5 | 1.15- |
|
||||
| CIS | [1.6.0](https://workbench.cisecurity.org/benchmarks/4834) | cis-1.6 | 1.16- |
|
||||
| CIS | [GKE 1.0.0](https://workbench.cisecurity.org/benchmarks/4536) | gke-1.0 | GKE |
|
||||
| CIS | [EKS 1.0.0](https://workbench.cisecurity.org/benchmarks/5190) | eks-1.0 | EKS |
|
||||
| CIS | [ACK 1.0.0](https://workbench.cisecurity.org/benchmarks/6467) | ack-1.0 | ACK |
|
||||
| RHEL | RedHat OpenShift hardening guide | rh-0.7 | OCP 3.10-3.11 |
|
||||
| CIS | [OCP4 1.1.0](https://workbench.cisecurity.org/benchmarks/6778) | rh-1.0 | OCP 4.1- |
|
@ -0,0 +1,145 @@
|
||||
|
||||
## Running kube-bench
|
||||
|
||||
If you run kube-bench directly from the command line you may need to be root / sudo to have access to all the config files.
|
||||
|
||||
By default kube-bench attempts to auto-detect the running version of Kubernetes, and map this to the corresponding CIS Benchmark version. For example, Kubernetes version 1.15 is mapped to CIS Benchmark version `cis-1.15` which is the benchmark version valid for Kubernetes 1.15.
|
||||
|
||||
kube-bench also attempts to identify the components running on the node, and uses this to determine which tests to run (for example, only running the master node tests if the node is running an API server).
|
||||
|
||||
**Please note**
|
||||
It is impossible to inspect the master nodes of managed clusters, e.g. GKE, EKS, AKS and ACK, using kube-bench as one does not have access to such nodes, although it is still possible to use kube-bench to check worker node configuration in these environments.
|
||||
|
||||
### Running inside a container
|
||||
|
||||
You can avoid installing kube-bench on the host by running it inside a container using the host PID namespace and mounting the `/etc` and `/var` directories where the configuration and other files are located on the host so that kube-bench can check their existence and permissions.
|
||||
|
||||
```
|
||||
docker run --pid=host -v /etc:/etc:ro -v /var:/var:ro -t aquasec/kube-bench:latest --version 1.18
|
||||
```
|
||||
|
||||
> Note: the tests require either the kubelet or kubectl binary in the path in order to auto-detect the Kubernetes version. You can pass `-v $(which kubectl):/usr/local/mount-from-host/bin/kubectl` to resolve this. You will also need to pass in kubeconfig credentials. For example:
|
||||
|
||||
```
|
||||
docker run --pid=host -v /etc:/etc:ro -v /var:/var:ro -v $(which kubectl):/usr/local/mount-from-host/bin/kubectl -v ~/.kube:/.kube -e KUBECONFIG=/.kube/config -t aquasec/kube-bench:latest
|
||||
```
|
||||
|
||||
You can use your own configs by mounting them over the default ones in `/opt/kube-bench/cfg/`
|
||||
|
||||
```
|
||||
docker run --pid=host -v /etc:/etc:ro -v /var:/var:ro -t -v path/to/my-config.yaml:/opt/kube-bench/cfg/config.yaml -v $(which kubectl):/usr/local/mount-from-host/bin/kubectl -v ~/.kube:/.kube -e KUBECONFIG=/.kube/config aquasec/kube-bench:latest
|
||||
```
|
||||
|
||||
### Running in a Kubernetes cluster
|
||||
|
||||
You can run kube-bench inside a pod, but it will need access to the host's PID namespace in order to check the running processes, as well as access to some directories on the host where config files and other files are stored.
|
||||
|
||||
The supplied `job.yaml` file can be applied to run the tests as a job. For example:
|
||||
|
||||
```bash
|
||||
$ kubectl apply -f job.yaml
|
||||
job.batch/kube-bench created
|
||||
|
||||
$ kubectl get pods
|
||||
NAME READY STATUS RESTARTS AGE
|
||||
kube-bench-j76s9 0/1 ContainerCreating 0 3s
|
||||
|
||||
# Wait for a few seconds for the job to complete
|
||||
$ kubectl get pods
|
||||
NAME READY STATUS RESTARTS AGE
|
||||
kube-bench-j76s9 0/1 Completed 0 11s
|
||||
|
||||
# The results are held in the pod's logs
|
||||
kubectl logs kube-bench-j76s9
|
||||
[INFO] 1 Master Node Security Configuration
|
||||
[INFO] 1.1 API Server
|
||||
...
|
||||
```
|
||||
|
||||
To run tests on the master node, the pod needs to be scheduled on that node. This involves setting a nodeSelector and tolerations in the pod spec.
|
||||
|
||||
The default labels applied to master nodes has changed since Kubernetes 1.11, so if you are using an older version you may need to modify the nodeSelector and tolerations to run the job on the master node.
|
||||
### Running in an AKS cluster
|
||||
|
||||
1. Create an AKS cluster(e.g. 1.13.7) with RBAC enabled, otherwise there would be 4 failures
|
||||
|
||||
1. Use the [kubectl-enter plugin](https://github.com/kvaps/kubectl-enter) to shell into a node
|
||||
`
|
||||
kubectl-enter {node-name}
|
||||
`
|
||||
or ssh to one agent node
|
||||
could open nsg 22 port and assign a public ip for one agent node (only for testing purpose)
|
||||
|
||||
1. Run CIS benchmark to view results:
|
||||
```
|
||||
docker run --rm -v `pwd`:/host aquasec/kube-bench:latest install
|
||||
./kube-bench
|
||||
```
|
||||
kube-bench cannot be run on AKS master nodes
|
||||
|
||||
### Running in an EKS cluster
|
||||
|
||||
There is a `job-eks.yaml` file for running the kube-bench node checks on an EKS cluster. The significant difference on EKS is that it's not possible to schedule jobs onto the master node, so master checks can't be performed
|
||||
|
||||
1. To create an EKS Cluster refer to [Getting Started with Amazon EKS](https://docs.aws.amazon.com/eks/latest/userguide/getting-started.html) in the *Amazon EKS User Guide*
|
||||
- Information on configuring `eksctl`, `kubectl` and the AWS CLI is within
|
||||
2. Create an [Amazon Elastic Container Registry (ECR)](https://docs.aws.amazon.com/AmazonECR/latest/userguide/what-is-ecr.html) repository to host the kube-bench container image
|
||||
```
|
||||
aws ecr create-repository --repository-name k8s/kube-bench --image-tag-mutability MUTABLE
|
||||
```
|
||||
3. Download, build and push the kube-bench container image to your ECR repo
|
||||
```
|
||||
git clone https://github.com/aquasecurity/kube-bench.git
|
||||
cd kube-bench
|
||||
aws ecr get-login-password --region <AWS_REGION> | docker login --username AWS --password-stdin <AWS_ACCT_NUMBER>.dkr.ecr.<AWS_REGION>.amazonaws.com
|
||||
docker build -t k8s/kube-bench .
|
||||
docker tag k8s/kube-bench:latest <AWS_ACCT_NUMBER>.dkr.ecr.<AWS_REGION>.amazonaws.com/k8s/kube-bench:latest
|
||||
docker push <AWS_ACCT_NUMBER>.dkr.ecr.<AWS_REGION>.amazonaws.com/k8s/kube-bench:latest
|
||||
```
|
||||
4. Copy the URI of your pushed image, the URI format is like this: `<AWS_ACCT_NUMBER>.dkr.ecr.<AWS_REGION>.amazonaws.com/k8s/kube-bench:latest`
|
||||
5. Replace the `image` value in `job-eks.yaml` with the URI from Step 4
|
||||
6. Run the kube-bench job on a Pod in your Cluster: `kubectl apply -f job-eks.yaml`
|
||||
7. Find the Pod that was created, it *should* be in the `default` namespace: `kubectl get pods --all-namespaces`
|
||||
8. Retrieve the value of this Pod and output the report, note the Pod name will vary: `kubectl logs kube-bench-<value>`
|
||||
- You can save the report for later reference: `kubectl logs kube-bench-<value> > kube-bench-report.txt`
|
||||
|
||||
|
||||
### Running on OpenShift
|
||||
|
||||
| OpenShift Hardening Guide | kube-bench config |
|
||||
|---|---|
|
||||
| ocp-3.10 +| rh-0.7 |
|
||||
| ocp-4.1 +| rh-1.0 |
|
||||
|
||||
kube-bench includes a set of test files for Red Hat's OpenShift hardening guide for OCP 3.10 and 4.1. To run this you will need to specify `--benchmark rh-07`, or `--version ocp-3.10` or,`--version ocp-4.5` or `--benchmark rh-1.0`
|
||||
|
||||
`kube-bench` supports auto-detection, when you run the `kube-bench` command it will autodetect if running in openshift environment.
|
||||
|
||||
### Running in a GKE cluster
|
||||
|
||||
| CIS Benchmark | Targets |
|
||||
|---|---|
|
||||
| gke-1.0| master, controlplane, node, etcd, policies, managedservices |
|
||||
|
||||
kube-bench includes benchmarks for GKE. To run this you will need to specify `--benchmark gke-1.0` when you run the `kube-bench` command.
|
||||
|
||||
To run the benchmark as a job in your GKE cluster apply the included `job-gke.yaml`.
|
||||
|
||||
```
|
||||
kubectl apply -f job-gke.yaml
|
||||
```
|
||||
|
||||
### Running in a ACK cluster
|
||||
|
||||
| CIS Benchmark | Targets |
|
||||
|---|---|
|
||||
| ack-1.0| master, controlplane, node, etcd, policies, managedservices |
|
||||
|
||||
kube-bench includes benchmarks for Alibaba Cloud Container Service For Kubernetes (ACK).
|
||||
To run this you will need to specify `--benchmark ack-1.0` when you run the `kube-bench` command.
|
||||
|
||||
To run the benchmark as a job in your ACK cluster apply the included `job-ack.yaml`.
|
||||
|
||||
```
|
||||
kubectl apply -f job-ack.yaml
|
||||
```
|
Before Width: | Height: | Size: 17 KiB |
Before Width: | Height: | Size: 10 KiB |
@ -0,0 +1,41 @@
|
||||
---
|
||||
site_name: Kube-bench
|
||||
site_url: https://aquasecurity.github.io/kube-bench/
|
||||
site_description: Checks whether Kubernetes is deployed according to security best practices as defined in the CIS Kubernetes Benchmark
|
||||
docs_dir: docs/
|
||||
repo_name: GitHub
|
||||
repo_url: https://github.com/aquasecurity/kube-bench/
|
||||
edit_uri: ""
|
||||
|
||||
nav:
|
||||
- Overview: index.md
|
||||
- Getting Started:
|
||||
- Installation: Installation.md
|
||||
- Platforms: Platforms.md
|
||||
- How to run: Running.md
|
||||
- ASFF: asff.md
|
||||
- Flags: Flags_and_commands.md
|
||||
- Configuration Options:
|
||||
- Understanding the yamls: Controls.md
|
||||
- Architecture: Architecture.md
|
||||
- Contributing: Contributing.md
|
||||
|
||||
markdown_extensions:
|
||||
- pymdownx.highlight
|
||||
- pymdownx.superfences
|
||||
- admonition
|
||||
|
||||
extra:
|
||||
generator: false
|
||||
version:
|
||||
method: mike
|
||||
provider: mike
|
||||
|
||||
theme:
|
||||
name: material
|
||||
language: 'en'
|
||||
logo: images/kube-bench-logo-only.png
|
||||
|
||||
plugins:
|
||||
- search
|
||||
- macros
|