arno/kube-bench
1
0
Fork 0
mirror of https://github.com/aquasecurity/kube-bench.git synced 2024-11-25 17:38:21 +00:00
Code Issues Releases Wiki Activity

Document limitation of running with kubectl

Browse Source 
Once the master node recommended check:

1.1.12 Ensure that the admission control plugin DenyEscalatingExec is set

has been followed, it is no longer possible to run kube-bench itself using kubectl.
This commit is contained in:
Martin Mosegaard Amdisen 2018-12-27 13:10:00 +01:00
parent 21f7902288
commit ba03d8f64b
1 changed files with 2 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
README.md
View File

@ -46,6 +46,8 @@ Run the master check
kubectl run --rm -i -t kube-bench-master --image=aquasec/kube-bench:latest --restart=Never --overrides="{ \"apiVersion\": \"v1\", \"spec\": { \"hostPID\": true, \"nodeSelector\": { \"node-role.kubernetes.io/master\": \"\" }, \"tolerations\": [ { \"key\": \"node-role.kubernetes.io/master\", \"operator\": \"Exists\", \"effect\": \"NoSchedule\" } ] } }" -- master --version 1.11 kubectl run --rm -i -t kube-bench-master --image=aquasec/kube-bench:latest --restart=Never --overrides="{ \"apiVersion\": \"v1\", \"spec\": { \"hostPID\": true, \"nodeSelector\": { \"node-role.kubernetes.io/master\": \"\" }, \"tolerations\": [ { \"key\": \"node-role.kubernetes.io/master\", \"operator\": \"Exists\", \"effect\": \"NoSchedule\" } ] } }" -- master --version 1.11
``` ```
Notice that this requires access to the host PID namespace. Thus it will not work if the recommendation to enable the admission plugin DenyEscalatingExec in the API Server has been implemented. You will see an error message about failing to attach to a container using host PID.
Run the node check Run the node check
``` ```