From c86d0ff81bd85cca1781fbfd9a634276165a9024 Mon Sep 17 00:00:00 2001 From: Philippe ALEXANDRE Date: Fri, 23 Mar 2018 09:27:48 +0100 Subject: [PATCH 01/28] Replace fmt.Sprintf by filepath.Join --- cmd/common.go | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/cmd/common.go b/cmd/common.go index 15cb237..3b316a2 100644 --- a/cmd/common.go +++ b/cmd/common.go @@ -17,7 +17,8 @@ package cmd import ( "fmt" "io/ioutil" - + "path/filepath" + "github.com/aquasecurity/kube-bench/check" "github.com/golang/glog" "github.com/spf13/viper" @@ -47,9 +48,12 @@ func runChecks(t check.NodeType) { } ver := getKubeVersion() - path := fmt.Sprintf("%s/%s", cfgDir, ver) - - def := fmt.Sprintf("%s/%s", path, file) + // path := fmt.Sprintf("%s/%s", cfgDir, ver) + path := filepath.Join(cfgDir, ver) + + // def := fmt.Sprintf("%s/%s", path, file) + def := filepath.Join(path, file) + in, err := ioutil.ReadFile(def) if err != nil { exitWithError(fmt.Errorf("error opening %s controls file: %v", t, err)) From d6c16f7563c52cff41ceb2107d1ddd060225ef3f Mon Sep 17 00:00:00 2001 From: Philippe ALEXANDRE Date: Fri, 23 Mar 2018 09:29:17 +0100 Subject: [PATCH 02/28] Try to use kubelet when kubectl is unavailable --- cmd/util.go | 32 +++++++++++++++++++++++++++++++- 1 file changed, 31 insertions(+), 1 deletion(-) diff --git a/cmd/util.go b/cmd/util.go index 4f0c658..7b8e9de 100644 --- a/cmd/util.go +++ b/cmd/util.go 
@@ -215,10 +215,19 @@ func multiWordReplace(s string, subname string, sub string) string { func getKubeVersion() string { // These executables might not be on the user's path. _, err := exec.LookPath("kubectl") + if err != nil { - exitWithError(fmt.Errorf("kubernetes version check failed: %v", err)) + _, err = exec.LookPath("kubelet") + if err != nil { + exitWithError(fmt.Errorf("Version check failed: need kubectl or kubelet binaries to get kubernetes version")) + } + return getKubeVersionFromKubelet() } + return getKubeVersionFromKubectl() +} + +func getKubeVersionFromKubectl() string { cmd := exec.Command("kubectl", "version", "--short") out, err := cmd.CombinedOutput() if err != nil { @@ -228,6 +237,17 @@ func getKubeVersion() string { return getVersionFromKubectlOutput(string(out)) } +func getKubeVersionFromKubelet() string { + cmd := exec.Command("kubelet", "--version") + out, err := cmd.CombinedOutput() + + if err != nil { + continueWithError(fmt.Errorf("%s", out), "") + } + + return getVersionFromKubeletOutput(string(out)) +} + func getVersionFromKubectlOutput(s string) string { serverVersionRe := regexp.MustCompile(`Server Version: v(\d+.\d+)`) subs := serverVersionRe.FindStringSubmatch(s) @@ -238,6 +258,16 @@ func getVersionFromKubectlOutput(s string) string { return subs[1] } +func getVersionFromKubeletOutput(s string) string { + serverVersionRe := regexp.MustCompile(`Kubernetes v(\d+.\d+)`) + subs := serverVersionRe.FindStringSubmatch(s) + if len(subs) < 2 { + printlnWarn(fmt.Sprintf("Unable to get kubelet version, using default version: %s", defaultKubeVersion)) + return defaultKubeVersion + } + return subs[1] +} + func makeSubstitutions(s string, ext string, m map[string]string) string { for k, v := range m { subst := "$" + k + ext From f091c8adeaba696b7c14658331b78cda77a97b57 Mon Sep 17 00:00:00 2001 
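Review bot: The path resolved by exec.LookPath is thrown away in getKubeVersion (`_, err := exec.LookPath("kubectl")`, `_, err = exec.LookPath("kubelet")`) and exec.Command then re-resolves the bare name through PATH, so the binary that was checked is not necessarily the one that is run; for a tool normally executed as root on a node, resolving once and executing that absolute path is the safer shape. Capturing the result and passing it into the two helpers keeps lookup and execution consistent, as sketched below; the helpers are only called from here in the visible diff, so the signature change should stay local, though callers outside the hunk cannot be confirmed. The new message `Version check failed: need kubectl or kubelet binaries ...` is also the only capitalised error string among the visible ones; lowercase matches the surrounding `kubernetes version check failed` style.
```go
func getKubeVersion() string {
	// These executables might not be on the user's path.
	if kubectl, err := exec.LookPath("kubectl"); err == nil {
		return getKubeVersionFromKubectl(kubectl)
	}
	kubelet, err := exec.LookPath("kubelet")
	if err != nil {
		exitWithError(fmt.Errorf("kubernetes version check failed: need kubectl or kubelet in PATH"))
	}
	return getKubeVersionFromKubelet(kubelet)
}

// getKubeVersionFromKubectl runs the resolved kubectl binary and parses its server version.
func getKubeVersionFromKubectl(kubectl string) string {
	cmd := exec.Command(kubectl, "version", "--short")
	// … unchanged: output handling …
```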
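Review bot: A failing `kubelet --version` in getKubeVersionFromKubelet is reported through continueWithError and the function then goes on to parse `out`, which at that point holds the command's error text or nothing, so the run continues against defaultKubeVersion after two warnings. Because the spec chosen decides which controls are evaluated, silently falling back to the 1.6 tests on a newer node is a false-negative risk rather than a cosmetic issue; treating a failed invocation like a missing binary, `exitWithError(fmt.Errorf("kubelet version check failed: %v: %s", err, out))`, is the stricter choice. If the soft fallback is deliberate and mirrors the kubectl path (its error branch is cut off by the hunk), a short comment on the kubelet helper saying so would stop the next reader from "fixing" it.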
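Review bot: The dot in `Kubernetes v(\d+.\d+)` in getVersionFromKubeletOutput is unescaped and so matches any character; `Kubernetes v(\d+\.\d+)` is what is meant (the kubectl pattern above carries the same slip, but it is pre-existing). Compiling the pattern with MustCompile on every call is also better hoisted to package scope, `var kubeletVersionRe = regexp.MustCompile(...)`, which is the usual Go idiom. Worth a comment on this function as well: `kubelet --version` reports the local kubelet's version whereas the kubectl path reads the server version, and with the supported version skew the two can differ by a minor release, so the spec selected on a node may not match the control plane.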
From: Philippe ALEXANDRE Date: Tue, 27 Mar 2018 15:33:01 +0200 Subject: [PATCH 03/28] Remove the old lines of fmt.Sprintf in cmd/common.go --- cmd/common.go | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/cmd/common.go b/cmd/common.go index 3b316a2..cce49b3 100644 --- a/cmd/common.go +++ b/cmd/common.go @@ -18,7 +18,7 @@ import ( "fmt" "io/ioutil" "path/filepath" - + "github.com/aquasecurity/kube-bench/check" "github.com/golang/glog" "github.com/spf13/viper" @@ -48,12 +48,10 @@ func runChecks(t check.NodeType) { } ver := getKubeVersion() - // path := fmt.Sprintf("%s/%s", cfgDir, ver) path := filepath.Join(cfgDir, ver) - - // def := fmt.Sprintf("%s/%s", path, file) + def := filepath.Join(path, file) - + in, err := ioutil.ReadFile(def) if err != nil { exitWithError(fmt.Errorf("error opening %s controls file: %v", t, err)) From 728cb0765fafb82ef68efd437e6299ed9d66b5c4 Mon Sep 17 00:00:00 2001 From: Liz Rice Date: Wed, 4 Apr 2018 10:44:32 +0100 Subject: [PATCH 04/28] Use 1.8 tests for k8s 1.9 and 1.10 --- cmd/common.go | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/cmd/common.go b/cmd/common.go index cce49b3..752a337 100644 --- a/cmd/common.go +++ b/cmd/common.go @@ -48,8 +48,13 @@ func runChecks(t check.NodeType) { } ver := getKubeVersion() - path := filepath.Join(cfgDir, ver) + switch ver { + case "1.9", "1.10": + continueWithError(nil, fmt.Sprintf("No CIS spec for %s - using tests from CIS 1.2.0 spec for Kubernetes 1.8\n", ver)) + ver = "1.8" + } + path := filepath.Join(cfgDir, ver) def := filepath.Join(path, file) in, err := ioutil.ReadFile(def) From 0d84dc4d428d52446cf72615e4d05ac85fa0884e Mon Sep 17 00:00:00 2001 From: Liz Rice Date: Wed, 4 Apr 2018 11:31:47 +0100 Subject: [PATCH 05/28] Update to nfpm as fpm is deprecated --- .goreleaser.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.goreleaser.yml b/.goreleaser.yml index 7cb5822..c6025c9 100644 --- a/.goreleaser.yml +++ b/.goreleaser.yml 
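Review bot: The version switch in runChecks has no `default`, so a version that is neither a shipped spec directory nor 1.9/1.10 (for example 1.11, or the defaultKubeVersion fallback when detection fails) only surfaces later as the ioutil.ReadFile message `error opening ... controls file`, which does not tell the operator that the version is unsupported. A `default:` branch that checks `filepath.Join(cfgDir, ver)` exists and exits with `no CIS benchmark spec for Kubernetes %s` would make that explicit at the point where the decision is made. The remap from 1.9/1.10 to the 1.8 tests is a security-relevant degradation (controls added after 1.8 are never evaluated), so the continueWithError line could say so rather than only naming the spec. runChecks continues outside the hunk.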
@@ -9,7 +9,7 @@ builds: # Archive customization archive: format: tar.gz -fpm: +nfpm: vendor: Aqua Security description: "The Kubernetes Bench for Security is a Go application that checks whether Kubernetes is deployed according to security best practices" license: Apache-2.0 From b587e7a996b0fd26bf9067364d06d87cde56a4dd Mon Sep 17 00:00:00 2001 From: Liz Rice Date: Wed, 4 Apr 2018 14:57:28 +0100 Subject: [PATCH 06/28] Add homepage to goreleaser config to fix build --- .goreleaser.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.goreleaser.yml b/.goreleaser.yml index c6025c9..2ec2684 100644 --- a/.goreleaser.yml +++ b/.goreleaser.yml @@ -13,6 +13,7 @@ nfpm: vendor: Aqua Security description: "The Kubernetes Bench for Security is a Go application that checks whether Kubernetes is deployed according to security best practices" license: Apache-2.0 + homepage: https://github.com/aquasecurity/kube-bench formats: - deb - rpm From ade064006e5454b125f073e8a1d5fe4edfd0acff Mon Sep 17 00:00:00 2001 From: Abubakr-Sadik Nii Nai Davis Date: Tue, 10 Apr 2018 19:58:19 +0000 Subject: [PATCH 07/28] Add extra output manipulation flags, --noremediations, --nosummary and --noresults. These flags disable printing sections of the final output of kube-bench. --- cmd/common.go | 59 ++++++++++++++++++++++++++++----------------------- cmd/root.go | 8 +++++++ 2 files changed, 41 insertions(+), 26 deletions(-) diff --git a/cmd/common.go b/cmd/common.go index 752a337..1d938c2 100644 --- a/cmd/common.go +++ b/cmd/common.go 
@@ -131,41 +131,48 @@ func colorPrint(state check.State, s string) { // prettyPrint outputs the results to stdout in human-readable format func prettyPrint(r *check.Controls, summary check.Summary) { - colorPrint(check.INFO, fmt.Sprintf("%s %s\n", r.ID, r.Text)) - for _, g := range r.Groups { - colorPrint(check.INFO, fmt.Sprintf("%s %s\n", g.ID, g.Text)) - for _, c := range g.Checks { - colorPrint(c.State, fmt.Sprintf("%s %s\n", c.ID, c.Text)) + // Print check results. + if !noResults { + colorPrint(check.INFO, fmt.Sprintf("%s %s\n", r.ID, r.Text)) + for _, g := range r.Groups { + colorPrint(check.INFO, fmt.Sprintf("%s %s\n", g.ID, g.Text)) + for _, c := range g.Checks { + colorPrint(c.State, fmt.Sprintf("%s %s\n", c.ID, c.Text)) + } } - } - fmt.Println() + fmt.Println() + } // Print remediations. - if summary.Fail > 0 || summary.Warn > 0 { - colors[check.WARN].Printf("== Remediations ==\n") - for _, g := range r.Groups { - for _, c := range g.Checks { - if c.State != check.PASS { - fmt.Printf("%s %s\n", c.ID, c.Remediation) + if !noRemediations { + if summary.Fail > 0 || summary.Warn > 0 { + colors[check.WARN].Printf("== Remediations ==\n") + for _, g := range r.Groups { + for _, c := range g.Checks { + if c.State != check.PASS { + fmt.Printf("%s %s\n", c.ID, c.Remediation) + } } } + fmt.Println() } - fmt.Println() } // Print summary setting output color to highest severity. 
- var res check.State - if summary.Fail > 0 { - res = check.FAIL - } else if summary.Warn > 0 { - res = check.WARN - } else { - res = check.PASS - } + if !noSummary { + var res check.State + if summary.Fail > 0 { + res = check.FAIL + } else if summary.Warn > 0 { + res = check.WARN + } else { + res = check.PASS + } - colors[res].Printf("== Summary ==\n") - fmt.Printf("%d checks PASS\n%d checks FAIL\n%d checks WARN\n", - summary.Pass, summary.Fail, summary.Warn, - ) + colors[res].Printf("== Summary ==\n") + fmt.Printf("%d checks PASS\n%d checks FAIL\n%d checks WARN\n", + summary.Pass, summary.Fail, summary.Warn, + ) + } } diff --git a/cmd/root.go b/cmd/root.go index 76d871a..915d377 100644 --- a/cmd/root.go +++ b/cmd/root.go @@ -36,6 +36,9 @@ var ( masterFile string nodeFile string federatedFile string + noResults bool + noSummary bool + noRemediations bool ) // RootCmd represents the base command when called without any subcommands @@ -60,8 +63,13 @@ func Execute() { func init() { cobra.OnInitialize(initConfig) + // Output control + RootCmd.PersistentFlags().BoolVar(&noResults, "noresults", false, "Disable prints of results section") + RootCmd.PersistentFlags().BoolVar(&noSummary, "nosummary", false, "Disable printing of summary section") + RootCmd.PersistentFlags().BoolVar(&noRemediations, "noremediations", false, "Disable printing of remediations section") RootCmd.PersistentFlags().BoolVar(&jsonFmt, "json", false, "Prints the results as JSON") RootCmd.PersistentFlags().BoolVar(&pgSQL, "pgsql", false, "Save the results to PostgreSQL") + RootCmd.PersistentFlags().StringVarP( &checkList, "check", From 9469b1c124305cdcf20bbc6a0da8e8009daac7fd Mon Sep 17 00:00:00 2001 From: Will Medlar Date: Thu, 12 Apr 2018 14:22:50 -0400 Subject: [PATCH 08/28] Allow kubernetes version and config directory to be specified (resolves #107) --- cmd/common.go | 8 +++++++- cmd/root.go | 5 ++++- 2 files changed, 11 insertions(+), 2 deletions(-) 
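Review bot: The remediation section in prettyPrint now nests two `if`s whose only purpose is a single guard; `if !noRemediations && (summary.Fail > 0 || summary.Warn > 0) {` keeps the body one level shallower and reads as the one condition it is. The same applies to the results and summary sections, where the new flag check could be an early guard rather than wrapping the whole block. A one-line comment on the function, noting that the three `no*` flags only affect this human-readable printer, would also spare a reader from checking whether the JSON path honours them.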
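Review bot: The help string for `--noresults` reads `Disable prints of results section` while its two siblings say `Disable printing of ...`; `Disable printing of results section` keeps the three consistent. As far as the visible diff shows, prettyPrint is the only consumer of noResults, noSummary and noRemediations, so `--json` output is unaffected by them; saying so in the help text (or in the README) avoids users expecting `--nosummary` to trim the JSON document.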
diff --git a/cmd/common.go b/cmd/common.go index 752a337..4b59758 100644 --- a/cmd/common.go +++ b/cmd/common.go @@ -47,7 +47,13 @@ func runChecks(t check.NodeType) { nodetype = "federated" } - ver := getKubeVersion() + var ver string + if kubeVersion != "" { + ver = kubeVersion + } else { + ver = getKubeVersion() + } + switch ver { case "1.9", "1.10": continueWithError(nil, fmt.Sprintf("No CIS spec for %s - using tests from CIS 1.2.0 spec for Kubernetes 1.8\n", ver)) diff --git a/cmd/root.go b/cmd/root.go index 76d871a..ec84682 100644 --- a/cmd/root.go +++ b/cmd/root.go @@ -26,9 +26,10 @@ import ( var ( envVarsPrefix = "KUBE_BENCH" - cfgDir = "./cfg" defaultKubeVersion = "1.6" + kubeVersion string cfgFile string + cfgDir string jsonFmt bool pgSQL bool checkList string @@ -77,6 +78,8 @@ func init() { `Run all the checks under this comma-delimited list of groups. Example --group="1.1"`, ) RootCmd.PersistentFlags().StringVar(&cfgFile, "config", "", "config file (default is ./cfg/config.yaml)") + RootCmd.PersistentFlags().StringVarP(&cfgDir, "config-dir", "D", "./cfg/", "config directory") + RootCmd.PersistentFlags().StringVar(&kubeVersion, "version", "", "Manually specify Kubernetes version, automatically detected if unset") goflag.CommandLine.VisitAll(func(goflag *goflag.Flag) { RootCmd.PersistentFlags().AddGoFlag(goflag) From 5ee7c1b0dbb9a69595c44d61881eab7d7cdae11c Mon Sep 17 00:00:00 2001 From: Liz Rice Date: Fri, 20 Apr 2018 13:02:22 +0100 Subject: [PATCH 09/28] kube-bench logo --- images/kube-bench.png | Bin 0 -> 17501 bytes 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 images/kube-bench.png 
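Review bot: The value of `--version` is used unvalidated in runChecks: kubeVersion is assigned straight to `ver`, only 1.9/1.10 are remapped by the switch, and the string then becomes a path component in `filepath.Join(cfgDir, ver)`, so a typo such as `1.8.0` or `v1.8` fails much later with an opaque `error opening ... controls file` message. A check before the switch, e.g. `if kubeVersion != "" && !regexp.MustCompile(`+"`^\\d+\\.\\d+$`"+`).MatchString(kubeVersion) { exitWithError(fmt.Errorf("invalid --version %q: expected MAJOR.MINOR, e.g. 1.8", kubeVersion)) }`, reports the problem at the source and keeps the value to the same shape the detection regexps produce (it needs `regexp` imported in common.go). runChecks begins and ends outside the hunk.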
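Review bot: Naming the new flag `--version` is likely to surprise users, since on most CLIs it prints the tool's own version, and cobra registers its own `--version` flag once a command sets its Version field, which would then clash with this one (hedged: whether RootCmd sets it is not visible here). A name such as `--kube-version` with the help text `Manually specify Kubernetes version, automatically detected if unset` avoids both problems. The `--config` help string still says `default is ./cfg/config.yaml` even though the directory is now configurable via `--config-dir`; if initConfig derives the config file from cfgDir, the help text should say so, and if it does not, that is an inconsistency worth resolving in the same change.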
diff --git a/images/kube-bench.png b/images/kube-bench.png new file mode 100644 index 0000000000000000000000000000000000000000..c13539686fe9f9ea23fc717f574e05a433341275 GIT binary patch literal 17501 zcmdtJWmH{F*Ch%BcPBVOgA<$(-2K2g5Znn4A-EF=?(VJ!cY=omcPDs)26wmKlAyxCz+lM9N~*!Yzmv#)Xa=b-5mzZ-od~~JjqFlLEIMhGkrhm z%{U)b(JCad61O7SguW!+7a#UJ_(pr78ANZdZ-YAAM)V77w_DUe5QQ+ck*iC@;;}k% zHD8H?W9n)+h4QS(mgObq`mZ*{S9r`^+~hF_E(?YNigM(whTtL2ez8Wny}9=73eV_# zou_TQTS+tlBV{I8Av-xhQJFb)qR_nXKZaSSWkK(Oj$!JW$z z^hqh%(aX;4+zGeUH9-IX;-o30>rLX`-sW|CQk>V}Ub+80i13dg4t=3djr)a@r5jat zWIEifw`8M&T&oWS`>Z6U1OUHeLlcC7ffWlAqa3$V$P`bVbV#i$-8nn*Jv}y0x4PK{Y3H2B zTrKmCJWzmYUM-Eeu#-p(<2Zb`$)fGm1THW>>=!_T?iaGzgn$Qv7ADLb8Pw2kd*=SD zQ`J)P1YmL~FzmfQPH$oDCftU0UoaEJ;J`iiI3i)o2b{^epMdER-unWV6&3(5ZO6y= z*PYC$RkB(xN0X70TwPLhX*>VQ$NjcT21$))LI|mmP|d_LWmk?8X2m@Bga#hyiD7m^ zQi^^i>pQMhQe^jVM6G9ko@4Wh1dy1O)dd#2g>U_IZx4o=nO*FaRW=tEhEBi%ICs+* zisv@_oCgU63G1%2lGw}E!vn9q!an~#p?o^k)zg~V7^7+zx8Ab64I2N3qrWc?9PLjBUa*1 z=m!BR#aN(VL;Pr8?Wt-dE>IN~5*RDJ=`sAeYh%RVwPNXJpYx&KP!8!;8PMOK%BH~Z zCe#3L)-2_nY*m`Q_gTNv9zcdgW`a@ECXbw%|IW2OTu9uWY_rD?00+1q;l+>jRgq7Z zK&;xvt94nHkn8dC_2y6Qbh|x+0WeITF_La3_HAC#2}Nd7>P%Z(>`G&60J5IK-G9P?L4==`gxZ<``^z@1V{t^8NVx=*t4JKeSUZOQMFd%32$7K9X<1fW_2>mqq*AmAxtoym;s#h7<|hKBWz-8~zaq<=dYL%}#gw+j&ef)af;lT_{;TU-NH zEKqTM%l!H=wk|YjG6MndWLm(+(z9W#a$V79U%YZuvvMz`QD-Ru2)>};J~8bS!S>h5 zvX<1uI!g)J*+Cztx|g2`Bo-JE_w^o~NmCub3Z-3Yo%KIvU>O@o&;aH)pvgT`>UmIs z-Dlxk0f6jg3Nt#_R0G_K^9e61Er0wy7zjuNJVBhKI1sK}9Tu0@Gm%iQ27Cbhe<-YG zg_Z=sU`>AdUt+jJQPR&uRbt2vNa@|=@2O6Hu9VZO`VPS8q|>ue;p$KS@Ho7Hdk1im zoTPK(@$j{UTW_!gG4Z#*NX1N+5Zh<+tZ*{Zu%~zEaR0SPzB4qIBi<6NJd_gJ#&x!= zGU*!L`;SLup+=k^owTz!h@i!R8{aU;3&c~F^nsNTBHz#>XT;?-5TFyrI=HU_H z3H-+&9=~Nj{Lyrwb{hi!mG9{fUL2;o0M&r$?P2xl0C7?b;G(eGMgP3WlW(6z@GwQD zGJ|!K#k-`^Dj}yKfGXSwR3#wt*h!Y`6y=y~5l5RhE@yliH1SOqOeb?s4~UJvU4=>X zFw@hd<{Hax8ZTl8`DFD*{=^B?znFr@hJe;qk)+??N$pzo67rcJ%v!3Wj&PkaR@C76 z*^1mmKechl3j$p*`$IYK^dmJ_rz%?p9MLo?Z%_edjbKeX80Vz3+O>K-$^Sh8=lKhn 
z>02>Q>&IUr;ep0>x5ETl2Eik?FU`rfa-rerj^)b=T$|rDe^Yv(_(+3bg-0eFX^hF` zKNu^Uc)KK1DNC?^mQ^Q<(sHi#FD75GZ&Q1`dF-i~l31@t^hf#9qBi3{|?jK0j0?MG_|S?2BWJ5%y(qcM|D zC1OvqSyD{?s36n&Uv0id`&0gJ&A;D`Vg_#A?oYqPQ0cXwPz+tZ>#34?wjruK?c`Bl zyhR9g<}p!7BSsh2ivff+mBRe^vF8mR{Ik9`<|GX1Td1W_;#MgdYp_->(C^A`~b4dpd5}e zHgJzIbI&)tTf*xe9x zl__FH5JY8BDuYel7Jh=m=o>Be>~PBt$mrnqp_y^Sf%MZ8^`fq%L-@S6!uZsfN|e9e zyXO^EHL+vf@7Z5qEl)j&4W`wPzmrIFlD1EqLUhj#ILF$qVIuw_#P(XvIoL`c>^<+- z+b!YD%N5ZyEPuk9wnxP69^7#iy}>9PkRvXAvT~HESx|J;(?>W$-;?tyOiZ8g0s{Gd z9&#ZCdX-IaR^pL&C_lc_f|Z$~YH-j!;Gc;n4|8 zQ$g6m>Z<9ss48!g#7Ig26g~f4b9*KP258T&O)5(yu0g;Uvg4ZpCa;+=!&t!X)-lfk z9_5~bbE9S>y!MAs%6J|zIs;sP)cNm6m5@nSZ(!CY>cOu5(&V+*CT$?VKYuC(`n(BM zW>~It#+{j8qd_p5@saVFfj9Nb5ik8S5|Kj~tqfFRzWHKskMVJ(tCHOxm6-ZlC4^cb zipWH%+1aX#zAJAYkYC3s^DX$7m;1K>@&s`9a&&Cmp}RIopf;)a;g-6t-glp$hZp$m zPW6C5o_SF&W!EMrQ~c|xa1E%u%r>+yqa)ZoN;1yW9=?G^Y^TsThh|kd}O_Gc`o^{pZ;porpYZq@Eh%75f zag$JM2hbC4AWh{xnAyX?F`Oe33v|kJeK8mpw+?)PUBjJs43|EdMSJ#m0p7vrr~B59 z9uoS3mx}K+mh-eK8sOlcoh{3-5bdbZr{`6qnHiZs1u-08CBfUI?0O{vKzWsnh zXYke4hKv6BsC(4ZkRbw`I@hkO-}2L>i@+$m*3T|xhB%h0{_gP$>UOXEFPiz%je znsA1u=jAPe61|IVh=MrimF>#~SF6mqm)-*oTIp{wB7QrmS!Ce=xw4}=<=1yW$hE-F z{OkaChXe2xX4RxvO{9ctn?G~9l!M6X<>s4G6IW^H@git=zOW)e=lD{))mj`jL>5b$ z{YUCoOHkINt<>Rw>E|`pv{~6R=a&~~^QTID8=&>PkmD!o&~Z_-9)(wXblxU_LziKEcp~Gu`DF2$R+{%!r<9OX7LfG-UWhJ%F*3 zqTEu%krZN)tf@aHEN7?BPe;Gp=x|TyK2VPXRk^Vvt!)kmVP%TLLZS|v8+eqgJmxbw zy~63!JPpc$WLx&d1lbDr>|82`BE%g09;}rJ_ueME#6io3Q zY0T_kl)t!fOsM=i4pv)my;K`;wbL(ouViM+#0U{kaHkeHY)^^2VO(lGZFF!G$F?Ta3q<(a!KoltwrwnI#(Z9vSBcigIcVF_%zE zL~#$Nk60v{9Wi^xl@@pIQLS1NOUp6Fcs$)xdn>1?lbqw#=t906pT$f$Jdh)CX@6W> z&_xA(($yfX-O8DJr|BcLo;B8xSA_Qk(3kui+&|$t;-?|5E4Q4Q0D!9CNHbHloTB81 zYSAW(`r`9bglE;KjdpWQ@(Kj0Wn%DP47&}Li`R8djq3ztp47=A!1L5~?;(#_m%e9t zo)(}Cwsm`|Q%soiYxEa7+&xYK*`Wfq$bBV%nTVh5hKW*EHE$PZBAqnoBxMY4zEcCa zm4OVRD*aK#>k`ue84xVb1w)BCE78n+DHPhv$!Vz$PHy`ITHNKY%vS#VtV6UYq?ZY$ zhZU+ocV_yp^XApC$m}*^D`Kp3xyLxrG_-rrXKPrZdeC7 
zpgN*Lk#*r6N>Bb2p&Gh|>DYGVgytGInw5vUuDXIAv9~+%keitJ6Op+Gym>7d`v$wEvR^sm4uXS*lY0Q8BGL@5}#CAi9f@o zXa>&A6(I@2KI`fwP{N|syjZc9CM{jH)qCMN{s)>bV|}$i5(S)N{%KY$H1Q4q$AGjd z;WKm6r?nMq08XF`zrylD{4-*89Gr8kvWu4_J8wZh2TE zB$@zGUEa%^{eJp9YN~b9V3xlxi{;)AGp)RcWT-!6^B3Hl*B6%d^~w&Wgj z0F05N>3f+!oZ`oM%P4pvVNQO}PCxD*#xHJRb=v=4kENp&L-4F&8WvOh>HBcpI)%Q} zp_75N18tnYD1lmbd*V?lKNh|cu_!Kz`={u(taLtE+@50paO%pwk}q?mQkuWkm?vT69m#v zYo2A$p=ISUjctq;bRM4WmG9weO-fImXgrC}7~6CQr9$(H*mO|sL&_(uyM8*Zky&Y@ zoXh}&XL>ML<9T#MiEf*F?H>vO+5|Zi$AIhj{Uv2;TZ(A zhjuXl3z!^AYPxmOj`yDJVenPED#1?#MZOBr+@Q3ulXY3@P<_<)9;O)1+ZS^NYsq;x8jyA^u*l$ zBO|r&Va|HEG~210w2UOgw7KY0L|Bf$RQKBNm5ElJWMZb}?qae?EW6H6mq3fMf+3WI zJ{#SY(7&m*Ess#U=SiUN=9)TaAp+U85c#)#;uVyT+jLpq|pm-d*GjC9n~pP z#B&+k3Rg_ks9qvsERaX-@r%g!sV38q+6|f#Lo^)9Z!gurM72WKI(cUNqEHCNam>nC zgev%N+O(xnB0V#`DHGU9zZmd#9v#H#8X&-?M5iF^k9y*0R8HlqmS5C7*_C3!Bvht6 z3zwi69iz$p7tb|@T6edz=FVtQC8a8nN%dSsvHRW*r1 z3@b0(FY7mXC~nSOygy;hR0GIjw<3Hz=x+q%`!+D3-KkOLIDN8EoRcwoB`W8|a`0L9 z(t_zZBK5GfP&AR1hafKF{a^97(?S%N9Gq7=b@6E@|DL!6$r~BXCoxu!=u=0gAV-F7Ao_?P?Er7&O4i94DI@e9vB&MX- zhz~c5Tk{^o9;u`Ox^bO=L}q8#!qAcK;z;HHg%X=I=w3?|TtlwWZn?|#x_w6E{JPb< zMVM6yRvw7uB*?JycA%=#=1V|3+&H+esH;iD@TpyQ1d6$qi4!g}_^)nL(SYLQKrcuK z?)Kd&rs@Ko#b~nbT?1H&!N&SrEDLAqMEM9{KTvK5R^BDZoivl?uWVA(Q#So9FJf~Q z6xu-pr44`6>{#D!hkxB1@`P_frKZaj_>U`{}F9`tUfxcpLBCup49nWC@`_a`S<=xD5p;N$`ZkXUzBKQSKoe=FCQMm%hJBA_3 z$(W+Qlj5{RhVz?QKlBppp8N))De@fJa7bh@bO043KW@~F@(;yS^Q}Ai9IW0NIf4zM zr0pAn7ppSbw;ktbzw5|r@HYXaW`T)Xc7k&gx3q|DFH<5(SB1NKAoorCJVl4cf$rUl zgl-l2r9hK|e`0+im#$HG!YWO7eJ>n^-OsR#Or{)&xwW^CjKUQ1jMhlnuUk+5jk1uaV?pt<+edl?t2Acv z=Fp;|)>grlof#cob?%u)SDT?s1u?Bx+|SaFYV|eU$~9xf`-iB9GNpo8ZYJZQ-2wD0 z*;&p|(w{N^1&j`T_om(*W&$Z8#- zsC+c4jF%YqqCh}&=Yosq{DWr*ohajloWOT$Cg&w=2uJwp!%8`H$3Ehs!-;gS^LA4P zSi)Q0e+vPiTbFZPkY!CHp})t*hLl8AJ*?Q2TC#mcnGIlJZlEaIqDBWX5%B&@Zg@ki z2o437=3P{~cr0}QUmB)Jgm+;c#p06}G{}J6;G?nql=CuZdpF&y66~W>2>k(hd#fdzk-~3`*cqUB z7Tz{691fD4bJO2QfIJXW#&>WhKF6M7?k7L1yd{UcdA*;DNrK61MAKOZT_C?WH{MiK 
zV4o4tW*t!3!BbArlpJ{Nq82@3Q_yF{+TBlWH@berlIc0m;_!D>_L`plkyb3Y7;yOm z(he)Hh1|kh4BY^L7ZX`Yo&SyHKbyF<=iLP5HHxvYRmUrcy1T+(H6>vuI>P3R2d=vhP;jh4H zAPEse7)gkf{WJrZImq`X%}H1zavGZW^Dz7k2>w>=kb-}R*u`IB2_yfzD3j5r3y3Ql zWS}1(ofFdDrZMCL^J57#vD_82u$62C@R`1dqu4qUA~I-D`Aus7EEL%Bwz8suMhhOe z6<=+Pr}Sc-69Cbe;~HWVR0OO&U^?!9yQ)sb6tuQ9c&3mj08X-Q%Ll5_XEB@WW1=^& zpC2aWx?0A>6bOsTc{T=Thyz7*cnFnjGlc?p#Xw>V7!5p?X)7F};t-(%AJ&UOC~Q0Q ztPJsWq31GXa?xmcS*{qc&=_!zq$z>A$QOHCVuE(vw(D1Huqa^VThTJ%sZ+Ec=4mcc})`ET{A7 z{jksl|2$KX*N!57j*yj}ssG@DcHo!e54)Rg?eIRbrchK5f3=_^NM$%FZA2fa=21RG zk%u!ZwyA6YU{u^XXfquDP?~re>>>*4`bn0)tQKBGVgfYhsLVi`!W6Q7VroQrU^uSG z?wKMD6uIUuOTBBY4-m-A`I8d1UDI@on-$z;*>UcZRE*3dIqBPEOaFF&447f|O+9FY zWppaDT{ynD4L1x?7LsE_3_A*8jcwok+{JD;i@V)gP*)j82de!Hv~|UWwMb|WBwGBm zZ4taPbj6BrNJLy}>SgGi_uqb3A$ektP_k4yKQwWkl+c{vV!4Xr%Dn+kwe`G;Hil( zBKGWjgFXO*@;|g`jkm#)9&lUUpMGx~otc+bJN6~VpH--3->6hAg=Pprec{vg>mC!A z)0M_R2rDv^=GF!$tCAY($AjS<2C>gSvKawEFJ3nK|xiX*ftT`FetLrbgVq!Bf8~F>ESotb8RpKsGOjI!3NLg&hLy zx#D^x!_dXoZ{C6_3*tAa%0uWGaj<~pR_~2jOB(IPoGho0QvcTnI&5G+j8@Dq&PXle zkD+UByeO^X-}=17_luWg{(D{=J|lR z1uE3OZ=`G;!344zOf_Th6KEXxdap`N3SdSeA$92D(fHQ#^;bQnk`J7+%a4i8XU+BBfvLB3mk%2v}%eTe+y@`xQ^AwXrB{s_iH2$z+2t|DGhV728 zwLFWVZSvu0z?PIG94RPB4&($ZEF$aaJ!@exwSdjRxmIIaHV$qee&9G+bD|3NB@mu}+6JYDc!1s=?v`Y0E0IK*eVv~dv1%aCJ zRH6g4g+Hc~^H!Z$mqX}+1K#ieJOCz5Q*vYwClGWZ#N)<2(WFxgq zb@XV@Mi9*Uo!zg+tO(%w2gd&J~!C)20(9On)E(pB20v4@w#MxjDb+ zMA6^JG7!f`h|2<}>wY|PFoiiwpiK+KV2pL}8W=cLzLiG5)1wDKMg>RF`-fL(1%a^u zgs*ad$fNx%%UZ4buNJzn0mi7qCA_9L!B^%3ASgi`uML(X zHi-gOHf=q%v@O9Fufadk|N23VD662T_gMKO<>LyI8?nq^%t~_igX94DH+vCvkI43! 
z9T^8WwluC2#t-7|Bia6Wo@n7$#*=eMqlO49lS5R%I&*;TMFD#P@$tO-Y)-f#rkK%gvb&VZ)1C7k8OGaQ@Z^3(rU#WJNq~$fVfiH!kx?GG4Fy{YeEzY1sga1 zF54_m$EqgR;ANb~Zn}B7XKFqe`Gq4c`d3T%*E`Oj-Hcc%nq<3|xIC;(){Z`ZigIfZ z^6Mj{ktKnnY#VaTA&M;)`MK}sliW9LEH!+X1Rn@2s4;#d*7*V&y<5|8uNndA58OG9 zQ@}%;;?&mBEyav#tc76kflwsjls*Qb($g9JQG6VcK?b3IyKXy)?fH=hm5<}l7CZ}( z_D}TJ6#eViZj0SMnNxf3aF^o=V~oJxdqHLwJ6A+|W4zqwywe-j780BEG}tIk-;>y1 zy3AK<%PB*gdkG^jm$~spm6liAou*<~Y%Qgw{&qW#w?AoRj5u)+=ys$8O}I3Ellzcb z%*;WY!YRXWu&J3QZU{V}+MhCTayAAm_Wt~04d@~)nu?X$9cK+#D(e~u2>Fdpkf;3_ zCkNu9Bv8iTwM-|`WFQNxy0WX+PH9kYZ_8@@`VLjg_+4o;RapeklABf&3bl^JpL@Hbo*VolkO3 zy$oC*e8y9t_}G6XVuv8*vjG7Q4{878$9m`K(gO`u@B~D4Rxw53uaBL;{5SF6JB1TJ zb-uEo=(6bVZcn@2YFW(w{Rf}gj|&Kt!ifkn=AU5=7+|f?ma*gwF|+-a#I9MOD2E2BWzq{k z31g%Z&PXly!4kHz^q`wAQY)4Sp%3;SWY=D;i~7B)9+f}eBgDR;>jsmi5MegFY^2Pi6yIw;kkP- zGq5Bwev|fR$h_4fWz)Jp!h_kD`8On2bm6H#>siAzdUg5ap@RlxTM%hxX${s9nWZ*t zaGt}$&z>3uSUXU3g*dUrO_uglgnuD|JYT`0P(*qiX&{iaiB`1m#-l3eSten{RsSJX zp+PAr>W?{$?ew$y>Mf~)+{x055$C7Pz_fYRdJav#ElW7rVM8A5oQ*9UNu@}BQ9DcZ zWu!^xGMBs}Lk2DjIN7)&Hs5LDx9jH}63Oa-bY1_ktP?GCgEdq!dL-; zU*?}#y@?iDH%@eBFGN^t!vus5gI7BVT^y|Psb2&aP2H2BVz`>HGvfqP1 zP{XKN?vAH^|9y~XoX}5WAwt1O6{adXL@A{NBu^nx-#vZb^FJ4fo_YR`@H1N7*whB&X>>HpqP`BdnH0fZKdVtmi$WNCw=Rq~3=tS8|7 zwd9$a&vU_l>-0!_X)Ut_0LC` z|2+Ns@!zNaeEfe`?7ubt*V^BX{KxL!rvA6ZL^)GpLyFtnPS!rZ&_lwac;|Ef<$imz zP(h7&m_kuP>9O-N$Xjfp&cx2`(Ke!Swu zcRjeZLyQbP@MqFjk?G?T@)6ya_4E{^5iCekRtymG%*s!UD=fl$EIiMA&5VI?QfisR zGjqu`O)lu70S+-QX4lV+lez?f=e*}zo8p6NV>&v7v4EZTD5*AI7*QITsB^axsI{V` zL)|Qk2AY+tYtv7hqih_($z|`DlZx+;40O+nT`{Cg3f&Ru)ZaV23&!s**M_U{8M`j_nd_^m0yH2q!|aWV_q?j?&O9 zx+;eMnoWqn894TV+1n@jhfDuJD31s5=zoRu|4bFpv{W%X#jWd;b-R;V0Ho`OWi`49 z0rbn(R#BlsGRcD) zYu&(Ta}4wQnu#p)vfFxI5hj0aZ~cSSCy5&_Rayl_MbEq4NK#7G8Xivkw}OHUSjedv zSi)b8mRlM;W{i(kl3QC_BYnb=mZdPmU`rvz8e4vv-)73*%Wx5Q!z-j`^Q(GM99dOO zhEkKB+AwRd7}OXCV%*}imrcxEfTM%7wM|30qtNdx7Gx0PBMP&!C~k^f9o`Zvb519- zXw`mDYGu2UMI2jc&qTs>QhH3nAmuGV*SlG6T0K165n#eH*csS#Tp8H|wA0yEg;{V8 
zdMmkLqx)6i@IZ04PtpDpE_AVe=MAgU?-SP3+r=jPvbS#v=n93@I}}J9YqcDdqS3uC z;xZ=fP7kkE?g;Rv)F~t=q}wQaZqKGH*=yf&%1EN^%|3h{j1CQ;^DS}<<8&*)Bk1gR zrrVT2uh^H8!6LifG3^{DI)!jn794#?XC)Tk+#HHBPpwWwl&=14zOd)4M~CBf!Is5I zG+S|3d(V{yOKhXqf|9gv6HOR?#{~@G_ zaL^0;_Z(XZ=Xtj8W8i>(8+-SL?ayN#OV~&W@dEEtY4MlT`l~YRB~|T>opooM-)!l~ z8J3GD=;8)y&BxHX_B&SkJdeAAnT3M9a)z%MN4w9-Svo_A=j(TLJd(Ah_`Wqujff~HhT2GULE?kOn!`foolDU0S8sl=y${Y%yW-mkb zpbARMeeoy6hJ}0Wym5r_Z+Ok9Wd*;Gx!Fa3NmT+J;4(b9OnQvJRiJ;^N{oEq?w16Cde(N~&x^p8`1r z#4}oa5iL)Z=0k|=)#21oig|fv^*q7!B;2M}kAubz9=?)G%69qNrv|Sfd>-`^F0W9H zm+nb7TxJtF%WRA9q`YrKkT&(WE4h|>QQo!4@7jG_UT5!?o)k27G+&c=` zB8LAwXJv0$lJ_cE1sSHLNg`MFp*|+74*xADw}cFL=CrzKIK-`O*zZqQDw?jo*El_ z`aGcvM4(njaL8)@)aB*n7y7PRydJb=Y8wXx@|PHX@-1AYYqtIOyZc`ATN7pj)aoay zCK+g#O~v&Q>MAJ}(*Ye(%8s4QQNYb-VTEE^m5DVsWm=~6>-4TJu{Y8_$?|s65^W{5 zP5@by0$)9l8VYP~RoGZrrCpOImVYsmQND&SO&nh?E;CuGcvYAcSAYEd9nf1kc5{xO zSzW1I-bv;^G;E~d)jP?r8qygMwWkw83PNYGD{y;IEsr4Z>a-)t3T#2wT}Yi8jAIIZ z+otJ;T!m_^bubCr5JmP(BA-$zPI9mJ@z zp?1V(po4`AJ^O5Rij@OFspU8}-ukXz9|YJQEVJ1>*S_4?$|drZCa4$Tp4w0h`Kh6N zDJ13fs;E0NYj+*-zM;0BtxuluY`PB${SXnMn33B8JKK@L>F{a(Jbs|r^=LIz*PWm6 zl&jT6NZlE2F4>ggT}i3=q)gZ*lI~)Kupvt)SI%XJ$^d0F`NCvqugNJ_N28I4N0ilx z)P{oV{?DS*nNzMw*Im-+ux5~#r62b+kUGTsCM_d7^!?5f8oP1sD#PS5=*WB*ARph- z3K#Yu><(tSPf1|Fk5?OLNos?o0sOVweKZ06N#%KoZJb-bte24yreWiugkrCp!Jlj9 zam};^ULe-+mOYRbkT*RKQ&&4jUbd3*fp3seXdQSfr$@64ORTUukP_PqVa)sW*0w{L ztoEwR$6xDV3$b*{4?a$`6tt=e4UpkQOdRF^sKg2x9#zCyTM` z^n-j;siQ0pf$yyS*DtpiucI02$!c_ckg9)bIKN*v4vksf&N{pCmhFKpvTj#PL+)87 za#lT|yKh!o${-y3rsssX&|C6a?{Mqm^@oJ0yOpcQ+4rt{wg3@HeWI0TnsU_?f4v1` z319PE_@ErwG&WUX8d4L?*`g?=(kg@*BJ6nSHCAremR#voa~@gG`DmRm{BX_gkLVZm zbELc>xLBQRSi;iv{K={!;621buqTmK0xU$w?&O)haU{3kIg~V8$;ObL>!yxZtPk6v!d-c1Ni}&{f z$H_w4+JuNn@eS5PMs&~3cnW8wGa{*MHvFJ&I}Q{7J8eg zDn+Gc5$xnFYmy5zRF^^XU@2t z)z(gi)lS0^oAF!C2lHi-3Ph-G->WqGd8XU!1Ru2?zoGg(C%XFxYWw1=?3_(?EbL2| z_QqJvEr zte3BUc zb(I%rgt$4V!GsZn+=QtE-&635zvR`$$XnIjEYxBiCwAh0>#=yJ{OODwPSgc~=VK9@ z-N0WDaj)!(<5T|l+J_7r6^l@|gi`flJpRlu> 
z_h!=sS&r3D5n!+(;m3(t*ql;@;`UvrDy7wyQzivc(@nDm;xsV+B#eF0lnh>!Ocjzs zkAQlqSiU>LCr`xMkgpf!(X&$FmFdT~{2I&@9yEXnt%_U%=E0QM#q(c7)b>Arsk5|0 z9?3)|Bwi6opk zc`}wBd_Uw|TeXFi4v+O-nXfoV$fe5ZUrqWNqoVAY^dn*kY+YUXJS7Ljx!Gw_?Wcmv zj~t9%B^I2a1847^Lw2Yn%)!sg#x$nG)+7B3asgE^wGXh$6l0C9`uXJrQVY7C0tRJM z9MyFEHeDqLn2_JGC|Vl$eX$`bW{6gC=~G*7t!}FPcaQ+%$uTdLeaPzhNO)0g1Fef1j(%#+?lpj%$i*U~E-zgSG&EJw4u&QdhPHqz^FsE#RSM*pHt;K^Rq2hAiyMOg$9-OTD{eYlaYZsxrmu56%m@+!S6(3tYZOKb|8`X*PAq68tWgia@0As4ud4uv^apJQhkLE*<(A$#c zW~~XzPmUJBzTh2BcdZ>k_to>j#|q8gG}jVa{;S^FmO@AR*m&JrZR{URx7B;F%XOMG zyoV3w&-~FXqJO-f^D5DyPCd?3tJSE4lqd+xQ>YN?^X}JwozHJ+@$mo_|0k6!^iygM z@m~IymopS)louM#2t1l<20Kxem6ZeQVvo}LrU28`KypfNrSz3B5 z6rT<(FC#T`M&%^Q*c3)!NlmfG&+=4dF;^6JM8w`#qkG^m#qJK2ao>2>AQQ4hcZ(z< z5iV=j6?ylBZBjcQ?#C6AlePVvay$np^&sp5UCNrnPdrjHARDT?I6t@fSuN&Z$*jUW z#u6p2HMgiIz{AH^n4{_6I`ir~&0%;1-;Q8Y=u)ZUqy;AtT)9ZwqE?5(vN=J(%7nwx zkDiQ2>C@ptk$%E`>4M21PTJ{qm%|OJ68$1w`t)1< z_>_wV>&|_nhX>3nIhR~Pu{S)_;v_%vOSM%j9Sv6Lc6~Pb33upgF7j@blzMKz9=4bp zlY;ie8Ifja?kW?ihJ<(Ud z^RnF7G&_P!E1{VF;)^2TNtoA7dEw4DjS^Fx;c3yyuV040{>X}gm@&sI*(fbNvwd#o zfqjxQY)Eg6fh2po@3%zhPOc|66xPxsyO-B39T_-~yiGlf5Y>xK$4SV7$_m{#_d0H9 zS^2BZPE4)f;N;eu zEMwzU>}lN@gcx?D*~Ml3)+E^N7gB}z%Y_@QfkR+|!i4M-^+-*@U9FGt{#D<#NScp2 zJO>sda+p#P4dl**Fju-b89MP?S6H18Rt=dn2rrk6nmReE40NV zukNVPfCIVY*pzTN@EGh4@4rWH)Q=60l?fY`42!0Vw#t>#uoQBwxA49G=AxT*|T%c8)@%&i%|}PT#X)?N++iSY>Pi z_`@;#d+c#vMer@};GT-Ufs6CQ^t#FB`_f7=BqXHvvn;Q>Mc?0pp)ZTry?4SHlrxZ1 z+XnQG8|v%7G^HFi7eyc)T(I&rVqlzaR2Qe-+$LizdI`jKVNE4G?5|(}0>9-eH zU&v}WK~D#(D`$4UMV`(?Fh0E0qm=q!@e<5cNC&JZ*eIDF3Qy0Baobtrj)7l@7wP_{ zy%<4X;y~87B~_Z<+^QB+!R_j1u2iG}>_;-wt;OMNxkmR?+++VrYSH@WIPZ{3a!)vNlIE}5CkTFi8bW1`N|J3TC8jo%8n_s8I^Ry=SlFUGjey;PuErGDU9 z#+bBd)m_T)pB(Co&IV;*Y8P3}uc4mm=Z%xZtE=y_xcf}ll);_iQI*7F{ONYd9)5j5 zuY~LNIlFlrC+!7(UP-zDcZ`)3YQL(BMYt*ddD_(g}W)IYeF;x zTM!Y+Wqv!@c)Zbfwm3a|oBSEcZx7d!IGDtsxIWT%f~GyzbKJt1#;8^uwchSj zmyq?`VoD*CJwv_Ds9XA*&FB4nL#~GZpX~Mjdl2yN)4!X`|33ZaRO7!D`+t0Jk#zQi b@De7I#y$B+K`s->ZDHi3lqD<04gLQIwmU4q literal 0 HcmV?d00001 
From f065893f52b3de19699a71d8a1b1d70da6246561 Mon Sep 17 00:00:00 2001 From: Liz Rice Date: Fri, 20 Apr 2018 13:05:30 +0100 Subject: [PATCH 10/28] Add logo to readme --- README.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 1c1369d..10ad8ef 100644 --- a/README.md +++ b/README.md @@ -3,7 +3,9 @@ [![Docker image](https://images.microbadger.com/badges/image/aquasec/kube-bench.svg)](https://microbadger.com/images/aquasec/kube-bench "Get your own image badge on microbadger.com") [![Source commit](https://images.microbadger.com/badges/commit/aquasec/kube-bench.svg)](https://microbadger.com/images/aquasec/kube-bench) -# kube-bench +# kube-bench + + The Kubernetes Bench for Security is a Go application that checks whether Kubernetes is deployed securely by running the checks documented in the CIS Kubernetes Benchmark. From cb4bec9120568e4aca4e9fb00de73eba078599d3 Mon Sep 17 00:00:00 2001 From: Liz Rice Date: Fri, 20 Apr 2018 13:07:49 +0100 Subject: [PATCH 11/28] logo instead of heading --- README.md | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 10ad8ef..8044422 100644 --- a/README.md +++ b/README.md 
@@ -3,11 +3,9 @@ [![Docker image](https://images.microbadger.com/badges/image/aquasec/kube-bench.svg)](https://microbadger.com/images/aquasec/kube-bench "Get your own image badge on microbadger.com") [![Source commit](https://images.microbadger.com/badges/commit/aquasec/kube-bench.svg)](https://microbadger.com/images/aquasec/kube-bench) -# kube-bench +kube-bench logo - - -The Kubernetes Bench for Security is a Go application that checks whether Kubernetes is deployed securely by running the checks documented in the CIS Kubernetes Benchmark. +kube-bench is a Go application that checks whether Kubernetes is deployed securely by running the checks documented in the CIS Kubernetes Benchmark. Tests are configured with YAML files, making this tool easy to update as test specifications evolve. From 033245f71c05263f8e8c938563d45f62ff5f3a5a Mon Sep 17 00:00:00 2001 From: Liz Rice Date: Fri, 20 Apr 2018 13:18:55 +0100 Subject: [PATCH 12/28] logo in svg format --- images/kube-bench.svg | 121 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 121 insertions(+) create mode 100644 images/kube-bench.svg diff --git a/images/kube-bench.svg b/images/kube-bench.svg new file mode 100644 index 0000000..ba64a9e --- /dev/null +++ b/images/kube-bench.svg @@ -0,0 +1,121 @@ + +image/svg+xml \ No newline at end of file From 3560bbbbfa3aa4ab0e1691a184ca050de658634f Mon Sep 17 00:00:00 2001 From: Will Medlar Date: Sun, 6 May 2018 13:35:23 -0500 Subject: [PATCH 13/28] Allow kube-bench to be run inside its distribution container --- Dockerfile | 26 +++++++++++++++++--------- hooks/build | 0 2 files changed, 17 insertions(+), 9 deletions(-) mode change 100644 => 100755 hooks/build diff --git a/Dockerfile b/Dockerfile index 10f1676..d564612 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -1,13 +1,21 @@ -FROM golang:1.9 -WORKDIR /kube-bench -RUN go get github.com/aquasecurity/kube-bench +FROM golang:1.9 AS build +WORKDIR /go/src/github.com/aquasecurity/kube-bench/ +ADD glide.lock glide.yaml ./ +RUN go get github.com/Masterminds/glide && glide install +ADD main.go . +ADD check/ check/ +ADD cmd/ cmd/ +RUN CGO_ENABLED=0 go install -a -ldflags '-w' -FROM alpine:latest -WORKDIR / -COPY --from=0 /go/bin/kube-bench /kube-bench -COPY --from=0 /go/src/github.com/aquasecurity/kube-bench/cfg /cfg -COPY --from=0 /go/src/github.com/aquasecurity/kube-bench/entrypoint.sh /entrypoint.sh -ENTRYPOINT /entrypoint.sh +FROM alpine:latest AS run +WORKDIR /opt/kube-bench/ +# add GNU ps for -C, -o cmd, and --no-headers support +# https://github.com/aquasecurity/kube-bench/issues/109 +RUN apk --no-cache add procps +COPY --from=build /go/bin/kube-bench /usr/local/bin/kube-bench +ADD entrypoint.sh . +ADD cfg/ cfg/ +ENTRYPOINT ["./entrypoint.sh"] # Build-time metadata as defined at http://label-schema.org ARG BUILD_DATE diff --git a/hooks/build b/hooks/build old mode 100644 new mode 100755 From 07146833716e92000608b399f615d63dcdac53ba Mon Sep 17 00:00:00 2001 From: Will Medlar Date: Sun, 6 May 2018 13:43:47 -0500 Subject: [PATCH 14/28] Modify entrypoint to allow execution of kube-bench as default --- README.md | 27 ++++++++++++++++++++++++--- entrypoint.sh | 27 ++++++++++++++++----------- 2 files changed, 40 insertions(+), 14 deletions(-) diff --git a/README.md b/README.md index 8044422..f683277 100644 --- a/README.md +++ b/README.md 
@@ -19,10 +19,31 @@ kube-bench supports the tests for multiple versions of Kubernetes (1.6, 1.7 and You can either install kube-bench through a dedicated container, or compile it from source: -1. Container installation: -Run ```docker run --rm -v `pwd`:/host aquasec/kube-bench:latest```. This will copy the kube-bench binary and configuration to you host. You can then run ```./kube-bench ```. +### Running inside a container + +You can avoid installing kube-bench entirely by running it inside a container using the host PID namespace. + +``` +docker run --pid=host aquasec/kube-bench:latest +``` + +You can even use your own configs by mounting them over the default ones in `/opt/kube-bench/cfg/` + +``` +docker run --pid=host -v path/to/my-config.yaml:/opt/kube-bench/cfg/config.yaml aquasec/kube-bench:latest +``` + +### Installing from a container + +If you want to install a pre-built kube-bench, you can copy the kube-bench binary and configuration files to your host from the Docker container: +``` +docker run --rm -v `pwd`:/host aquasec/kube-bench:latest install +``` + +You can then run `./kube-bench `. + +### Installing from sources -2. Install from sources: If Go is installed on the target machines, you can simply clone this repository and run as follows (assuming your [$GOPATH is set](https://github.com/golang/go/wiki/GOPATH)): ```go get github.com/aquasecurity/kube-bench diff --git a/entrypoint.sh b/entrypoint.sh index ad28fbf..43420e0 100755 --- a/entrypoint.sh +++ b/entrypoint.sh 
@@ -1,14 +1,19 @@
 #!/bin/sh
-if [ -d /host ]; then
- mkdir -p /host/cfg/
- yes | cp -rf /cfg/* /host/cfg/
- yes | cp -rf /kube-bench /host/
- echo "==============================================="
- echo "kube-bench is now installed on your host "
- echo "Run ./kube-bench to perform a security check "
- echo "==============================================="
+if [ "$1" == "install" ]; then
+ if [ -d /host ]; then
+ mkdir -p /host/cfg/
+ yes | cp -rf /cfg/* /host/cfg/
+ yes | cp -rf /kube-bench /host/
+ echo "==============================================="
+ echo "kube-bench is now installed on your host "
+ echo "Run ./kube-bench to perform a security check "
+ echo "==============================================="
+ else
+ echo "Usage:"
+ echo " install: docker run --rm -v \`pwd\`:/host aquasec/kube-bench install"
+ echo " run: docker run --rm --pid=host aquasec/kube-bench [command]"
+ exit
+ fi
 else
- echo "Usage:"
- echo " docker run --rm -v \`pwd\`:/host aquasec/kube-bench"
- exit
+ exec kube-bench "$@"
 fi

From 1cff0c4da1c56b9e4da6bb15473a6326a509eb8b Mon Sep 17 00:00:00 2001
From: Will Medlar
Date: Sun, 6 May 2018 14:01:49 -0500
Subject: [PATCH 15/28] Clarify that only Linux is supported when installing from container

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index f683277..4521183 100644
--- a/README.md
+++ b/README.md
@@ -40,7 +40,7 @@ If you want to install a pre-built kube-bench, you can copy the kube-bench binar
 docker run --rm -v `pwd`:/host aquasec/kube-bench:latest install
 ```
 
-You can then run `./kube-bench `.
+You can then run `./kube-bench `. This should work for any Linux distribution, including Alpine.
 
 ### Installing from sources
 

From 3eb8a08a9de6e913b435759f8fa2acba36719498 Mon Sep 17 00:00:00 2001
From: Will Medlar
Date: Sun, 6 May 2018 21:17:38 -0500
Subject: [PATCH 16/28] Freeze alpine to tag 3.7

---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

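Review bot: `if [ "$1" == "install" ]; then` uses `==`, which is not POSIX `test` syntax; it happens to work under busybox ash in the Alpine image but fails with an "unexpected operator" error on dash and other strict `/bin/sh` implementations, so the script is not portable to the other shells a `#!/bin/sh` shebang invites. The POSIX form is `if [ "$1" = "install" ]; then`. The usage branch also ends with a bare `exit`, which returns status 0 when `/host` is not mounted; `exit 1` would let `docker run` callers and CI notice that nothing was installed. The copy sources `/cfg/*` and `/kube-bench` no longer match the paths the new Dockerfile produces, which a later patch in this series corrects.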
diff --git a/Dockerfile b/Dockerfile
index d564612..a17c1af 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -7,7 +7,7 @@ ADD check/ check/
 ADD cmd/ cmd/
 RUN CGO_ENABLED=0 go install -a -ldflags '-w'
 
-FROM alpine:latest AS run
+FROM alpine:3.7 AS run
 WORKDIR /opt/kube-bench/
 # add GNU ps for -C, -o cmd, and --no-headers support
 # https://github.com/aquasecurity/kube-bench/issues/109

From 0c52ace48fc3df1af5885aa746d7f8d19a96113b Mon Sep 17 00:00:00 2001
From: Will Medlar
Date: Sun, 6 May 2018 21:18:47 -0500
Subject: [PATCH 17/28] Install binary and configs as the default behavior

---
 Dockerfile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/Dockerfile b/Dockerfile
index a17c1af..0a0fbad 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -16,6 +16,7 @@ COPY --from=build /go/bin/kube-bench /usr/local/bin/kube-bench
 ADD entrypoint.sh .
 ADD cfg/ cfg/
 ENTRYPOINT ["./entrypoint.sh"]
+CMD ["install"]
 
 # Build-time metadata as defined at http://label-schema.org
 ARG BUILD_DATE

From 7460037528a266d0dc2dbb7b5c2ed17c1920d18f Mon Sep 17 00:00:00 2001
From: Liz Rice
Date: Fri, 11 May 2018 12:47:04 +0100
Subject: [PATCH 18/28] Add link to releases page

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 4521183..37fbc72 100644
--- a/README.md
+++ b/README.md
@@ -17,7 +17,7 @@ kube-bench supports the tests for multiple versions of Kubernetes (1.6, 1.7 and
 
 ## Installation
 
-You can either install kube-bench through a dedicated container, or compile it from source:
+You can either install kube-bench through a dedicated container, install the latest binaries from the [Releases page](https://github.com/aquasecurity/kube-bench/releases), or compile it from source.
 
 ### Running inside a container
 

From b26b23e573ae98db057ee32adb10935306249ba0 Mon Sep 17 00:00:00 2001
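Review bot: `CMD ["install"]` makes `install` the default argument to `./entrypoint.sh`, so the bare `docker run --pid=host aquasec/kube-bench:latest` that the README in this series documents as "running inside a container" no longer runs the checks: with `$1` equal to `install` and no `/host` bind mount, the entrypoint prints its usage text and exits. Either that README example needs an explicit command, e.g. `docker run --pid=host aquasec/kube-bench:latest master`, or the entrypoint's install branch should fall through to `exec kube-bench` when `/host` is absent. A comment above the instruction, `# default to the host install; pass a kube-bench command (master/node) to run checks instead`, would make the intended contract visible to image users.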
From: Liz Rice
Date: Fri, 11 May 2018 15:39:11 +0100
Subject: [PATCH 19/28] Script needs to actually install kube-bench & its config!

---
 README.md | 12 ++++++++----
 entrypoint.sh | 4 ++--
 2 files changed, 10 insertions(+), 6 deletions(-)

diff --git a/README.md b/README.md
index 37fbc72..ab62ef9 100644
--- a/README.md
+++ b/README.md
@@ -17,11 +17,15 @@ kube-bench supports the tests for multiple versions of Kubernetes (1.6, 1.7 and
 
 ## Installation
 
-You can either install kube-bench through a dedicated container, install the latest binaries from the [Releases page](https://github.com/aquasecurity/kube-bench/releases), or compile it from source.
+You can choose to
+* run kube-bench from inside a container (sharing PID namespace with the host)
+* run a container that installs kube-bench on the host, and then run kube-bench directly on the host
+* install the latest binaries from the [Releases page](https://github.com/aquasecurity/kube-bench/releases),
+* compile it from source.
 
 ### Running inside a container
 
-You can avoid installing kube-bench entirely by running it inside a container using the host PID namespace.
+You can avoid installing kube-bench on the host by running it inside a container using the host PID namespace.
 
 ```
 docker run --pid=host aquasec/kube-bench:latest
@@ -35,12 +39,12 @@ docker run --pid=host -v path/to/my-config.yaml:/opt/kube-bench/cfg/config.yaml
 
 ### Installing from a container
 
-If you want to install a pre-built kube-bench, you can copy the kube-bench binary and configuration files to your host from the Docker container:
+This command copies the kube-bench binary and configuration files to your host from the Docker container:
 ```
 docker run --rm -v `pwd`:/host aquasec/kube-bench:latest install
 ```
 
-You can then run `./kube-bench `. This should work for any Linux distribution, including Alpine.
+You can then run `./kube-bench `.
 
 ### Installing from sources
 
diff --git a/entrypoint.sh b/entrypoint.sh
index 43420e0..771b32d 100755
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -2,8 +2,8 @@
 if [ "$1" == "install" ]; then
 if [ -d /host ]; then
 mkdir -p /host/cfg/
- yes | cp -rf /cfg/* /host/cfg/
- yes | cp -rf /kube-bench /host/
+ yes | cp -rf cfg/* /host/cfg/
+ yes | cp -rf /usr/local/bin/kube-bench /host/
 echo "==============================================="
 echo "kube-bench is now installed on your host "
 echo "Run ./kube-bench to perform a security check "

From 1935c952d653613b0c7a6eea75ad5b3486fae7f5 Mon Sep 17 00:00:00 2001
From: Liz Rice
Date: Fri, 11 May 2018 16:03:03 +0100
Subject: [PATCH 20/28] --request-timeout is a duration

---
 cfg/1.8/master.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cfg/1.8/master.yaml b/cfg/1.8/master.yaml
index 170c89a..fa1d1a6 100644
--- a/cfg/1.8/master.yaml
+++ b/cfg/1.8/master.yaml
@@ -610,7 +610,7 @@ groups:
 remediation: |
 Edit the API server pod specification file $apiserverconf
 and set the below parameter as appropriate and if needed. For example,
- --request-timeout=300
+ --request-timeout=300s
 scored: true
 
 - id: 1.2

From 7823ca388c7822a3782acd5021b4944b080bb560 Mon Sep 17 00:00:00 2001
From: Will Medlar
Date: Fri, 11 May 2018 13:44:04 -0400
Subject: [PATCH 21/28] Set -e to fail fast

---
 entrypoint.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/entrypoint.sh b/entrypoint.sh
index 771b32d..b06f083 100755
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/sh -e
 if [ "$1" == "install" ]; then
 if [ -d /host ]; then
 mkdir -p /host/cfg/

From 39d94df81b78df8fec427e4b487455f4977892c5 Mon Sep 17 00:00:00 2001
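Review bot: `yes | cp -rf cfg/* /host/cfg/` resolves `cfg/*` against the current working directory, so the install only works because the Dockerfile sets `WORKDIR /opt/kube-bench/`; the binary on the next line is already copied from an absolute path, and `yes | cp -rf /opt/kube-bench/cfg/* /host/cfg/` would make both lines independent of where the entrypoint is invoked from. The `yes |` prefix is redundant on both lines, since `cp -f` never prompts, and it silently feeds affirmative input to anything that does. The enclosing `if` blocks start and end outside the hunk.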
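Review bot: `#!/bin/sh -e` only takes effect when the kernel executes the script directly; if it is ever run as `sh entrypoint.sh` or sourced, the interpreter flag is ignored and the fail-fast intent is silently lost. Setting the option in the body is robust to both invocations: keep `#!/bin/sh` and add `set -e` as the next line. With the option active, each `cp` in the install branch aborts the script on failure, which is the desired behaviour, while `exec kube-bench "$@"` is unaffected because `exec` replaces the shell. The `if` the hunk's context lines belong to continues past the hunk.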
From: Jeppe Fihl-Pearson
Date: Fri, 11 May 2018 18:58:24 +0100
Subject: [PATCH 22/28] Add tip about the `--version` flag to error output

If people are trying to use the Docker image to check their cluster, there's a big likelyhood of them hitting the error message saying that either `kubectl` or `kubelet` need to be found in order for `kube-bench` to be able to determine the Kubernetes version in use. This adds a tip that the version can be specified manually with the `--version` flag which is a lot easier than having to make a new Docker image with the right version of `kubelet`/`kubectl` in order for `kube-bench` to work.

---
 cmd/util.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/cmd/util.go b/cmd/util.go
index 7b8e9de..ab78945 100644
--- a/cmd/util.go
+++ b/cmd/util.go
@@ -219,7 +219,7 @@ func getKubeVersion() string {
 if err != nil {
 _, err = exec.LookPath("kubelet")
 if err != nil {
-exitWithError(fmt.Errorf("Version check failed: need kubectl or kubelet binaries to get kubernetes version"))
+exitWithError(fmt.Errorf("Version check failed: need kubectl or kubelet binaries to get kubernetes version.\nAlternately, you can specify the version with --version"))
 }
 return getKubeVersionFromKubelet()
 }
@@ -240,7 +240,7 @@ func getKubeVersionFromKubectl() string {
 func getKubeVersionFromKubelet() string {
 cmd := exec.Command("kubelet", "--version")
 out, err := cmd.CombinedOutput()
-
+
 if err != nil {
 continueWithError(fmt.Errorf("%s", out), "")
 }

From 9810bafabe9f0f38540174283d0f0616271a8560 Mon Sep 17 00:00:00 2001
From: Liz Rice
Date: Fri, 11 May 2018 19:49:11 +0100
Subject: [PATCH 23/28] Adding a test install to travis job

---
 .travis.yml | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/.travis.yml b/.travis.yml
index 9528ceb..16d33a5 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -1,6 +1,11 @@
 ---
 language: go
 
+sudo: required
+
+services:
+ - docker
+
 notifications:
 email: false
 
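Review bot: The new error string in the first `cmd/util.go` hunk is built with `fmt.Errorf` although it contains no format verbs, and it is capitalised and ends with a full stop, which staticcheck flags and which reads oddly if the error is ever wrapped; `errors.New` with a lowercase, unpunctuated message is the Go convention, e.g. `exitWithError(errors.New("version check failed: need kubectl or kubelet binaries to get kubernetes version; alternately, specify it with --version"))` (adding `errors` to the imports if it is not already there). Since this is a user-facing exit message rather than a returned error, keeping the embedded newline for readability is defensible, but the point about `fmt.Errorf` stands. The second hunk only strips trailing whitespace. `getKubeVersion` starts before the hunk.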
@@ -16,6 +21,10 @@ install:
 
 script:
 - go test ./...
+ - docker build --tag kube-bench .
+ - docker run -v `pwd`:/host kube-bench install
+ - test -d cfg
+ - test -f kube-bench
 
 after_success:
 - test -n "$TRAVIS_TAG" && curl -sL https://git.io/goreleaser | bash

From aa9da1322686df6f3509f8cda5ea31f59467a9d6 Mon Sep 17 00:00:00 2001
From: Abubakr-Sadik Nii Nai Davis
Date: Tue, 15 May 2018 04:08:44 +0000
Subject: [PATCH 24/28] Fix a bunch of typos.

---
 cfg/1.8/master.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/cfg/1.8/master.yaml b/cfg/1.8/master.yaml
index 170c89a..bd97599 100644
--- a/cfg/1.8/master.yaml
+++ b/cfg/1.8/master.yaml
@@ -418,7 +418,7 @@ groups:
 
 - id: 1.1.26
 text: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as
- appropriate (Scored"
+ appropriate (Scored)"
 audit: "ps -ef | grep $apiserverbin | grep -v grep"
 tests:
 bin_op: and
@@ -666,7 +666,7 @@ groups:
 scored: true
 
 - id: 1.3.3
- text: "Ensure that the --use-service-account-credentials argument is set"
+ text: "Ensure that the --use-service-account-credentials argument is set (Scored)"
 audit: "ps -ef | grep $controllermanagerbin | grep -v grep"
 tests:
 test_items:

From 5da707b8d69aebecb151fe795b546747e86c4c89 Mon Sep 17 00:00:00 2001
From: Abubakr-Sadik Nii Nai Davis
Date: Tue, 15 May 2018 04:20:36 +0000
Subject: [PATCH 25/28] Remove CIS benchmark version in tool title.

it has grown stale and is dependent on k8s version we are checking.

---
 cmd/root.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cmd/root.go b/cmd/root.go
index 9f8aa4d..ab70003 100644
--- a/cmd/root.go
+++ b/cmd/root.go
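Review bot: The install smoke test in the `.travis.yml` hunk only checks that a file named `kube-bench` exists (`test -f kube-bench`), not that it is executable or that the static binary actually runs on the CI host; since the container copies it with `cp -rf` as root into the bind-mounted workspace, a lost executable bit or a broken binary would pass this step. Two extra script lines would pin that down: `- test -x kube-bench` and `- ./kube-bench --help`. The `docker run` line also lacks `--rm`, so each build leaves a stopped container behind, which is harmless on an ephemeral CI worker but worth aligning with the README examples.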
@@ -46,7 +46,7 @@ var ( var RootCmd = &cobra.Command{ Use: os.Args[0], Short: "Run CIS Benchmarks checks against a Kubernetes deployment", - Long: `This tool runs the CIS Kubernetes 1.6 Benchmark v1.0.0 checks.`, + Long: `This tool runs the CIS Kubernetes Benchmark (http://www.cisecurity.org/benchmark/kubernetes/)`, } // Execute adds all child commands to the root command sets flags appropriately. From 609335510a1dab998b5f00e053ef143773841d3c Mon Sep 17 00:00:00 2001 From: Abubakr-Sadik Nii Nai Davis Date: Tue, 15 May 2018 04:22:33 +0000 Subject: [PATCH 26/28] Remove kube-bench --help output. It has grown stale and no longer reflects the supported options, and can be misleading (see #127). --- README.md | 22 +++++----------------- 1 file changed, 5 insertions(+), 17 deletions(-) diff --git a/README.md b/README.md index ab62ef9..ac9ebae 100644 --- a/README.md +++ b/README.md @@ -55,25 +55,13 @@ go get github.com/Masterminds/glide cd $GOPATH/src/github.com/aquasecurity/kube-bench $GOPATH/bin/glide install go build -o kube-bench . -./kube-bench -``` -## Usage -```./kube-bench [command]``` +# See all supported options +./kube-bench --help + +# Run the all checks on a master node +./kube-bench master -``` -Available Commands: - federated Run benchmark checks for a Kubernetes federated deployment. - help Help about any command - master Run benchmark checks for a Kubernetes master node. - node Run benchmark checks for a Kubernetes node. - -Flags: - -c, --check string A comma-delimited list of checks to run as specified in CIS document. Example --check="1.1.1,1.1.2" - --config string config file (default is ./cfg/config.yaml) - -g, --group string Run all the checks under this comma-delimited list of groups. Example --group="1.1" - --json Prints the results as JSON - -v, --verbose verbose output (default false) ``` ## Configuration From b4b3ebe99cdb7700d79c6e44388da3a987d1489a Mon Sep 17 00:00:00 2001 
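Review bot: The new `Long` help text points users at `http://www.cisecurity.org/benchmark/kubernetes/` over plain HTTP; a security tool's own help output should link to the benchmark over TLS, which the site serves, so the line should read `Long: \`This tool runs the CIS Kubernetes Benchmark (https://www.cisecurity.org/benchmark/kubernetes/)\`,`. The surrounding `RootCmd` literal is complete within the hunk, so no other line is affected.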
From: Abubakr-Sadik Nii Nai Davis
Date: Tue, 15 May 2018 04:40:41 +0000
Subject: [PATCH 27/28] Add instruction for running kube-bench against a kubernetes cluster. #218

---
 README.md | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/README.md b/README.md
index ac9ebae..43e0e02 100644
--- a/README.md
+++ b/README.md
@@ -37,6 +37,19 @@ You can even use your own configs by mounting them over the default ones in `/op
 docker run --pid=host -v path/to/my-config.yaml:/opt/kube-bench/cfg/config.yaml aquasec/kube-bench:latest
 ```
 
+### Running in a kubernetes cluster
+Run the master check
+
+```
+kubectl run --rm -i -t kube-bench-master --image=aquasec/kube-bench:latest --restart=Never --overrides="{ \"apiVersion\": \"v1\", \"spec\": { \"hostPID\": true, \"nodeSelector\": { \"kubernetes.io/role\": \"master\" }, \"tolerations\": [ { \"key\": \"node-role.kubernetes.io/master\", \"operator\": \"Exists\", \"effect\": \"NoSchedule\" } ] } }" -- master --version 1.8
+```
+
+Run the node check
+
+```
+kubectl run --rm -i -t kube-bench-node --image=aquasec/kube-bench:latest --restart=Never --overrides="{ \"apiVersion\": \"v1\", \"spec\": { \"hostPID\": true } }" -- node --version 1.8
+```
+
 ### Installing from a container
 
 This command copies the kube-bench binary and configuration files to your host from the Docker container:

From 6d237607fb396834c3bd9c5e3f7057afe9f874f2 Mon Sep 17 00:00:00 2001
From: Abubakr-Sadik Nii Nai Davis
Date: Tue, 10 Apr 2018 23:04:24 +0000
Subject: [PATCH 28/28] Fix typo in help text.

---
 cmd/root.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cmd/root.go b/cmd/root.go
index ab70003..a41ea61 100644
--- a/cmd/root.go
+++ b/cmd/root.go
@@ -65,7 +65,7 @@ func init() {
 cobra.OnInitialize(initConfig)
 
 // Output control
- RootCmd.PersistentFlags().BoolVar(&noResults, "noresults", false, "Disable prints of results section")
+ RootCmd.PersistentFlags().BoolVar(&noResults, "noresults", false, "Disable printing of results section")
 RootCmd.PersistentFlags().BoolVar(&noSummary, "nosummary", false, "Disable printing of summary section")
 RootCmd.PersistentFlags().BoolVar(&noRemediations, "noremediations", false, "Disable printing of remediations section")
 RootCmd.PersistentFlags().BoolVar(&jsonFmt, "json", false, "Prints the results as JSON")