From 8021610e4699f773e0fc89802064629629e211c9 Mon Sep 17 00:00:00 2001
From: Liz Rice
Date: Fri, 11 Jan 2019 18:44:13 +0000
Subject: [PATCH] For #197 - create job YAML files that mount host volumes as needed
---
README.md | 32 ++++++++++++++++++++++++--------
job-master.yaml | 36 ++++++++++++++++++++++++++++++++++++
job-node.yaml | 35 +++++++++++++++++++++++++++++++++++
3 files changed, 95 insertions(+), 8 deletions(-)
create mode 100644 job-master.yaml
create mode 100644 job-node.yaml
diff --git a/README.md b/README.md
index ba24bba..50400b5 100644
--- a/README.md
+++ b/README.md
@@ -40,20 +40,35 @@ docker run --pid=host -v /etc:/etc:ro -v /var:/var:ro -t -v path/to/my-config.ya
 > Note: the tests require either the kubelet or kubectl binary in the path in order to know the Kubernetes version. You can pass `-v $(which kubectl):/usr/bin/kubectl` to the above invocations to resolve this.
 ### Running in a kubernetes cluster
-Run the master check
-```
-kubectl run --rm -i -t kube-bench-master --image=aquasec/kube-bench:latest --restart=Never --overrides="{ \"apiVersion\": \"v1\", \"spec\": { \"hostPID\": true, \"nodeSelector\": { \"node-role.kubernetes.io/master\": \"\" }, \"tolerations\": [ { \"key\": \"node-role.kubernetes.io/master\", \"operator\": \"Exists\", \"effect\": \"NoSchedule\" } ] } }" -- master --version 1.11
-```
+You can run kube-bench inside a pod, but it will need access to the host's PID namespace in order to check the running processes, as well as access to some directories on the host where config files and other files are stored.
-Notice that this requires access to the host PID namespace. Thus it will not work if the recommendation to enable the admission plugin DenyEscalatingExec in the API Server has been implemented. You will see an error message about failing to attach to a container using host PID.
+To run the tests on the master node, the pod needs to be scheduled on that node. This involves setting a nodeSelector and tolerations in the pod spec.
-Run the node check
+The supplied `job-node.yaml` and `job-master.yaml` files can be applied to run the tests as a job. 
For example:
-```
-kubectl run --rm -i -t kube-bench-node --image=aquasec/kube-bench:latest --restart=Never --overrides="{ \"apiVersion\": \"v1\", \"spec\": { \"hostPID\": true } }" -- node --version 1.11
+```bash
+$ kubectl apply -f job-master.yaml
+job.batch/kube-bench-master created
+
+$ kubectl get pods
+NAME READY STATUS RESTARTS AGE
+kube-bench-master-j76s9 0/1 ContainerCreating 0 3s
+
+# Wait for a few seconds for the job to complete
+$ kubectl get pods
+NAME READY STATUS RESTARTS AGE
+kube-bench-master-j76s9 0/1 Completed 0 11s
+
+# The results are held in the pod's logs
+k logs kube-bench-master-j76s9
+[INFO] 1 Master Node Security Configuration
+[INFO] 1.1 API Server
+...
 ```
+The default labels applied to master nodes has changed since Kubernetes 1.11, so if you are using an older version you may need to modify the nodeSelector and tolerations to run the job on the master node.
+
 ### Installing from a container
 This command copies the kube-bench binary and configuration files to your host from the Docker container:
@@ -83,6 +98,7 @@ go build -o kube-bench .
 ```
 ## Configuration
+
 Kubernetes config and binary file locations and names can vary from installation to installation, so these are configurable in the `cfg/config.yaml` file. For each type of node (*master*, *node* or *federated*) there is a list of components, and for each component there is a set of binaries (*bins*) and config files (*confs*) that kube-bench will look for (in the order they are listed). If your installation uses a different binary name or config file location for a Kubernetes component, you can add it to `cfg/config.yaml`.
diff --git a/job-master.yaml b/job-master.yaml
new file mode 100644
index 0000000..6c827ef
--- /dev/null
+++ b/job-master.yaml
@@ -0,0 +1,36 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: kube-bench-master
+spec:
+ template:
+ spec:
+ hostPID: true
+ nodeSelector:
+ node-role.kubernetes.io/master: ""
+ tolerations:
+ - key: node-role.kubernetes.io/master
+ operator: Exists
+ effect: NoSchedule
+ containers:
+ - name: kube-bench
+ image: aquasec/kube-bench:latest
+ command: ["kube-bench","master"]
+ volumeMounts:
+ - name: var-lib-etcd
+ mountPath: /var/lib/etcd
+ - name: etc-kubernetes
+ mountPath: /etc/kubernetes
+ - name: usr-bin
+ mountPath: /usr/bin
+ restartPolicy: Never
+ volumes:
+ - name: var-lib-etcd
+ hostPath:
+ path: "/var/lib/etcd"
+ - name: etc-kubernetes
+ hostPath:
+ path: "/etc/kubernetes"
+ - name: usr-bin
+ hostPath:
+ path: "/usr/bin"
\ No newline at end of file
diff --git a/job-node.yaml b/job-node.yaml
new file mode 100644
index 0000000..e35c5bd
--- /dev/null
+++ b/job-node.yaml
@@ -0,0 +1,35 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: kube-bench-node
+spec:
+ template:
+ spec:
+ hostPID: true
+ containers:
+ - name: kube-bench
+ image: aquasec/kube-bench:latest
+ command: ["kube-bench","node"]
+ volumeMounts:
+ - name: var-lib-kubelet
+ mountPath: /var/lib/kubelet
+ - name: etc-systemd
+ mountPath: /etc/systemd
+ - name: etc-kubernetes
+ mountPath: /etc/kubernetes
+ - name: usr-bin
+ mountPath: /usr/bin
+ restartPolicy: Never
+ volumes:
+ - name: var-lib-kubelet
+ hostPath:
+ path: "/var/lib/kubelet"
+ - name: etc-systemd
+ hostPath:
+ path: "/etc/systemd"
+ - name: etc-kubernetes
+ hostPath:
+ path: "/etc/kubernetes"
+ - name: usr-bin
+ hostPath:
+ path: "/usr/bin"
\ No newline at end of file
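Review bot: The three hostPath volumes for `/var/lib/etcd`, `/etc/kubernetes` and `/usr/bin` are mounted without `readOnly: true`, so the pod gets write access to the etcd data directory, the control-plane PKI and static pod manifests, and the host binaries, although kube-bench only reads them; the docker invocation visible in the README hunk of this same patch mounts `/etc` and `/var` with `:ro`, and the job should match it by adding `readOnly: true` under each of the three volumeMounts. Combined with `hostPID: true`, a writable `/usr/bin` or `/etc/kubernetes` turns a compromised image from a read-only audit into a control-plane takeover. That risk is amplified by `image: aquasec/kube-bench:latest`, a floating tag that Kubernetes re-pulls by default, so pin a release tag or digest to make sure the auditor binary that runs on the master is the one that was reviewed. A comment above `volumes:` should also note that mounting `/var/lib/etcd` exposes the cluster state, Secrets included, to this pod, so the job should only be created in a namespace restricted to cluster administrators.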
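Review bot: This Job has no `nodeSelector`, `parallelism` or other per-node scheduling, so it audits only the single node the scheduler happens to place the pod on, and the README text this patch adds does not say so; either document that one Job covers one node and must be re-run with a `nodeSelector` per node, or provide a DaemonSet variant for fleet-wide coverage. Separately, all four hostPath mounts (`/var/lib/kubelet`, `/etc/systemd`, `/etc/kubernetes`, `/usr/bin`) are writable from the pod although the checks only read them; with `hostPID: true` and the floating `aquasec/kube-bench:latest` tag (pin it to a release or digest), that lets a bad image rewrite kubelet config, systemd units or host binaries on whichever node it lands on. Add `readOnly: true` to every volumeMount as below.
```yaml
        volumeMounts:
          - name: var-lib-kubelet
            mountPath: /var/lib/kubelet
            readOnly: true
          - name: etc-systemd
            mountPath: /etc/systemd
            readOnly: true
          - name: etc-kubernetes
            mountPath: /etc/kubernetes
            readOnly: true
          - name: usr-bin
            mountPath: /usr/bin
            readOnly: true
        # … unchanged: restartPolicy and hostPath volumes …
```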