From f9d0f4acc1b3aa74d004e03b6585f2a6d87d72b1 Mon Sep 17 00:00:00 2001 From: Liz Rice Date: Tue, 23 Apr 2019 11:59:54 +0100 Subject: [PATCH 1/2] Add OCP info into the README --- README.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 915b8af..2c0eaa1 100644 --- a/README.md +++ b/README.md @@ -25,6 +25,8 @@ kube-bench supports the tests for Kubernetes as defined in the CIS Benchmarks 1. By default kube-bench will determine the test set to run based on the Kubernetes version running on the machine. +There is also preliminary support for Red Hat's Openshift Hardening Guide for 3.10 and 3.11. Please note that kube-bench does not automatically detect Openshift - see below. + ## Installation You can choose to @@ -47,7 +49,8 @@ You can even use your own configs by mounting them over the default ones in `/op docker run --pid=host -v /etc:/etc:ro -v /var:/var:ro -t -v path/to/my-config.yaml:/opt/kube-bench/cfg/config.yaml aquasec/kube-bench:latest [master|node] ``` -> Note: the tests require either the kubelet or kubectl binary in the path in order to know the Kubernetes version. You can pass `-v $(which kubectl):/usr/bin/kubectl` to the above invocations to resolve this. +> Note: the tests require either the kubelet or kubectl binary in the path in order to know the Kubernetes +. You can pass `-v $(which kubectl):/usr/bin/kubectl` to the above invocations to resolve this. ### Running in a kubernetes cluster @@ -112,6 +115,9 @@ go build -o kube-bench . ./kube-bench ``` +## Running on OpenShift + +kube-bench includes a set of test files for Red Hat's OpenShift hardening guide for OCP 3.10 and 3.11. To run this you will need to specify `--version ocp-3.10` when you run the `kube-bench` command (either directly or through YAML). This config version is valid for OCP 3.10 and 3.11. ## Configuration From ceb44583dd1f37752c1dc4ebd1d55b799e1058f2 Mon Sep 17 00:00:00 2001 
From: Liz Rice Date: Tue, 23 Apr 2019 16:07:27 +0100 Subject: [PATCH 2/2] Tidy up a couple of things --- README.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 2c0eaa1..56e815d 100644 --- a/README.md +++ b/README.md @@ -49,15 +49,14 @@ You can even use your own configs by mounting them over the default ones in `/op docker run --pid=host -v /etc:/etc:ro -v /var:/var:ro -t -v path/to/my-config.yaml:/opt/kube-bench/cfg/config.yaml aquasec/kube-bench:latest [master|node] ``` -> Note: the tests require either the kubelet or kubectl binary in the path in order to know the Kubernetes -. You can pass `-v $(which kubectl):/usr/bin/kubectl` to the above invocations to resolve this. +> Note: the tests require either the kubelet or kubectl binary in the path in order to auto-detect the Kubernetes version. You can pass `-v $(which kubectl):/usr/bin/kubectl` to the above invocations to resolve this. ### Running in a kubernetes cluster You can run kube-bench inside a pod, but it will need access to the host's PID namespace in order to check the running processes, as well as access to some directories on the host where config files and other files are stored. Master nodes are automatically detected by kube-bench and will run master checks when possible. -The detection is done by verifying that mandatory components for master are running. (see [config file](#configuration). +The detection is done by verifying that mandatory components for master, as defined in the config files, are running (see [Configuration](#configuration)). The supplied `job.yaml` file can be applied to run the tests as a job. For example:
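Review bot: in PATCH 1/2, hunk `@@ -25,6 +25,8 @@`, "see below" is a dangling reference; link it to the section this same patch adds, e.g. `Please note that kube-bench does not automatically detect OpenShift - see [Running on OpenShift](#running-on-openshift).`, so a reader who stops at the intro still finds the `--version ocp-3.10` instruction. The two spellings "Openshift" in this line should also be "OpenShift", matching the heading added later in the patch and Red Hat's product name.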
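Review bot: in PATCH 1/2, hunk `@@ -47,7 +49,8 @@`, the only change is a line break inserted in the middle of "Kubernetes version", so the note now reads `...in order to know the Kubernetes` followed by `. You can pass ...`. This looks accidental (PATCH 2/2 reverts it); drop this hunk from the first commit instead of repairing it in the follow-up, so no commit in the series ships a broken README.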
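Review bot: in PATCH 1/2, hunk `@@ -112,6 +115,9 @@`, the new section should state what happens when `--version ocp-3.10` is omitted: the earlier hunk says kube-bench does not auto-detect OpenShift and the intro says the test set is chosen from the detected Kubernetes version, so the reader needs to be told explicitly that without the flag the OpenShift hardening-guide checks are not the ones that run. "(either directly or through YAML)" should name the manifest it means (presumably the `job.yaml` referenced in the cluster section) and show where the flag goes in it. The closing sentence "This config version is valid for OCP 3.10 and 3.11." restates the first sentence's "for OCP 3.10 and 3.11" and can be folded into it. Style: the added `## Running on OpenShift` heading follows the closing ``` fence of the build example with no blank line between them; the rest of the README separates sections with one.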
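Review bot: in PATCH 2/2, hunk `@@ -49,15 +49,14 @@`, the first change only undoes the line break that PATCH 1/2 inserted into the `> Note:` line; squash it into the first commit rather than leaving a fix-up in the history. The second change is a real improvement: the old text `(see [config file](#configuration).` had an unclosed parenthesis and pointed at an anchor with the wrong label, and the rewrite also makes clear that master detection is driven by the component list in the config files rather than hard-coded. Since the reworded note now says the binary is used "to auto-detect the Kubernetes version", consider adding that the same mechanism is what OpenShift users bypass with `--version ocp-3.10`, so the two notes added in this series read as one story.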