mirror of https://github.com/aquasecurity/kube-bench.git synced 2024-11-22 16:18:07 +00:00

read config files from host /etc

I don't see how kube-bench can check the permissions on files unless it has access to them on the host, so I think we need to be mounting the /etc directory from the host
This commit is contained in:
Liz Rice 2018-11-20 10:18:06 +00:00 committed by GitHub
parent 5fe702edbe
commit ba9985047c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -25,16 +25,16 @@ You can choose to
### Running inside a container ### Running inside a container
You can avoid installing kube-bench on the host by running it inside a container using the host PID namespace. You can avoid installing kube-bench on the host by running it inside a container using the host PID namespace and mounting the `/etc` directory where the configuration files are located .
``` ```
docker run --pid=host -t aquasec/kube-bench:latest <master|node> docker run --pid=host -v /etc:/etc -t aquasec/kube-bench:latest <master|node>
``` ```
You can even use your own configs by mounting them over the default ones in `/opt/kube-bench/cfg/` You can even use your own configs by mounting them over the default ones in `/opt/kube-bench/cfg/`
``` ```
docker run --pid=host -t -v path/to/my-config.yaml:/opt/kube-bench/cfg/config.yaml aquasec/kube-bench:latest <master|node> docker run --pid=host -v /etc:/etc -t -v path/to/my-config.yaml:/opt/kube-bench/cfg/config.yaml aquasec/kube-bench:latest <master|node>
``` ```
> Note: the tests require either the kubelet or kubectl binary in the path in order to know the Kubernetes version. You can pass `-v $(which kubectl):/usr/bin/kubectl` to the above invocations to resolve this. > Note: the tests require either the kubelet or kubectl binary in the path in order to know the Kubernetes version. You can pass `-v $(which kubectl):/usr/bin/kubectl` to the above invocations to resolve this.
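Review bot: the new `-v /etc:/etc` mounts in both `docker run` examples are read-write, but the stated purpose is only to let kube-bench read file permissions and ownership, so the mount should be `-v /etc:/etc:ro` to keep a bug or a compromised image from writing to the host's configuration directory. Mounting over the container's own `/etc` also replaces its `/etc/passwd`, `/etc/nsswitch.conf` and similar files with the host's, which is worth calling out in the README sentence or avoiding by mounting to a separate path if kube-bench's configuration allows it. Minor: the added sentence ends with a stray space before the period (`located .`).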