1
0
mirror of https://github.com/aquasecurity/kube-bench.git synced 2024-12-27 08:58:06 +00:00

Advise the use to mount /etc & /var read only for docker usage

This commit is contained in:
Colin GILLE 2018-12-31 16:39:31 +01:00 committed by GitHub
parent 21f7902288
commit af7ad90477
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

View File

@ -28,13 +28,13 @@ You can choose to
You can avoid installing kube-bench on the host by running it inside a container using the host PID namespace and mounting the `/etc` and `/var` directories where the configuration and other files are located on the host, so that kube-bench can check their existence and permissions. You can avoid installing kube-bench on the host by running it inside a container using the host PID namespace and mounting the `/etc` and `/var` directories where the configuration and other files are located on the host, so that kube-bench can check their existence and permissions.
``` ```
docker run --pid=host -v /etc:/etc -v /var:/var -t aquasec/kube-bench:latest <master|node> docker run --pid=host -v /etc:/etc:ro -v /var:/var:ro -t aquasec/kube-bench:latest <master|node>
``` ```
You can even use your own configs by mounting them over the default ones in `/opt/kube-bench/cfg/` You can even use your own configs by mounting them over the default ones in `/opt/kube-bench/cfg/`
``` ```
docker run --pid=host -v /etc:/etc -v /var:/var -t -v path/to/my-config.yaml:/opt/kube-bench/cfg/config.yaml aquasec/kube-bench:latest <master|node> docker run --pid=host -v /etc:/etc:ro -v /var:/var:ro -t -v path/to/my-config.yaml:/opt/kube-bench/cfg/config.yaml aquasec/kube-bench:latest <master|node>
``` ```
> Note: the tests require either the kubelet or kubectl binary in the path in order to know the Kubernetes version. You can pass `-v $(which kubectl):/usr/bin/kubectl` to the above invocations to resolve this. > Note: the tests require either the kubelet or kubectl binary in the path in order to know the Kubernetes version. You can pass `-v $(which kubectl):/usr/bin/kubectl` to the above invocations to resolve this.