From ba9985047c2ffce21c85d55e5c0feb6ae83ec09c Mon Sep 17 00:00:00 2001 From: Liz Rice Date: Tue, 20 Nov 2018 10:18:06 +0000 Subject: [PATCH 1/2] read config files from host /etc I don't see how kube-bench can check the permissions on files unless it has access to them on the host, so I think we need to be mounting the /etc directory from the host --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 933cabf..37c5122 100644 --- a/README.md +++ b/README.md @@ -25,16 +25,16 @@ You can choose to ### Running inside a container -You can avoid installing kube-bench on the host by running it inside a container using the host PID namespace. +You can avoid installing kube-bench on the host by running it inside a container using the host PID namespace and mounting the `/etc` directory where the configuration files are located . ``` -docker run --pid=host -t aquasec/kube-bench:latest +docker run --pid=host -v /etc:/etc -t aquasec/kube-bench:latest ``` You can even use your own configs by mounting them over the default ones in `/opt/kube-bench/cfg/` ``` -docker run --pid=host -t -v path/to/my-config.yaml:/opt/kube-bench/cfg/config.yaml aquasec/kube-bench:latest +docker run --pid=host -v /etc:/etc -t -v path/to/my-config.yaml:/opt/kube-bench/cfg/config.yaml aquasec/kube-bench:latest ``` > Note: the tests require either the kubelet or kubectl binary in the path in order to know the Kubernetes version. You can pass `-v $(which kubectl):/usr/bin/kubectl` to the above invocations to resolve this. From bdbbe41b69293740bf05041f13deb3c7881e65d8 Mon Sep 17 00:00:00 2001 From: Liz Rice Date: Tue, 20 Nov 2018 13:22:36 +0000 Subject: [PATCH 2/2] Also /var --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 37c5122..b08970d 100644 --- a/README.md +++ b/README.md 
@@ -25,16 +25,16 @@ You can choose to ### Running inside a container -You can avoid installing kube-bench on the host by running it inside a container using the host PID namespace and mounting the `/etc` directory where the configuration files are located . +You can avoid installing kube-bench on the host by running it inside a container using the host PID namespace and mounting the `/etc` and `/var` directories where the configuration and other files are located on the host, so that kube-bench can check their existence and permissions. ``` -docker run --pid=host -v /etc:/etc -t aquasec/kube-bench:latest +docker run --pid=host -v /etc:/etc -v /var:/var -t aquasec/kube-bench:latest ``` You can even use your own configs by mounting them over the default ones in `/opt/kube-bench/cfg/` ``` -docker run --pid=host -v /etc:/etc -t -v path/to/my-config.yaml:/opt/kube-bench/cfg/config.yaml aquasec/kube-bench:latest +docker run --pid=host -v /etc:/etc -v /var:/var -t -v path/to/my-config.yaml:/opt/kube-bench/cfg/config.yaml aquasec/kube-bench:latest ``` > Note: the tests require either the kubelet or kubectl binary in the path in order to know the Kubernetes version. You can pass `-v $(which kubectl):/usr/bin/kubectl` to the above invocations to resolve this.
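Review bot: In the first hunk (PATCH 1/2, the `-v /etc:/etc` change), the bind mount is read-write although kube-bench only needs to stat the files to check their existence, ownership and permissions; `-v /etc:/etc:ro` gives the checks everything they need while keeping the container from writing into the host's `/etc`. Note also that mounting the host `/etc` over the container's `/etc` replaces the image's own `/etc` wholesale (name-service, CA and user databases included), which is fine for a short-lived benchmark run but is worth a sentence in the README so that users understand what is being shadowed. Minor style point in the same hunk: the added sentence has a stray space before the full stop in "where the configuration files are located ."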
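Review bot: In the second hunk (PATCH 2/2, adding `-v /var:/var`), the same read-only argument applies with more force: `/var` on a Kubernetes node is much broader than the handful of kubelet and manifest paths the benchmark inspects, and exposing it read-write to a container that only needs existence and permission checks is an unnecessarily large grant; `-v /var:/var:ro` should be sufficient for both `docker run` invocations. The README wording "the configuration and other files" is also vague; naming the specific paths under `/var` that the tests read would let operators mount only those directories instead of the whole tree, and the commit message "Also /var" gives a future reader no clue which checks motivated the addition.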