@ -37,6 +37,19 @@ You can even use your own configs by mounting them over the default ones in `/op
|
|
|
|
|
docker run --pid=host -v path/to/my-config.yaml:/opt/kube-bench/cfg/config.yaml aquasec/kube-bench:latest <master|node>
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### Running in a kubernetes cluster
|
|
|
|
|
Run the master check
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
kubectl run --rm -i -t kube-bench-master --image=aquasec/kube-bench:latest --restart=Never --overrides="{ \"apiVersion\": \"v1\", \"spec\": { \"hostPID\": true, \"nodeSelector\": { \"kubernetes.io/role\": \"master\" }, \"tolerations\": [ { \"key\": \"node-role.kubernetes.io/master\", \"operator\": \"Exists\", \"effect\": \"NoSchedule\" } ] } }" -- master --version 1.8
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
Run the node check
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
kubectl run --rm -i -t kube-bench-node --image=aquasec/kube-bench:latest --restart=Never --overrides="{ \"apiVersion\": \"v1\", \"spec\": { \"hostPID\": true } }" -- node --version 1.8
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### Installing from a container
|
|
|
|
|
|
|
|
|
|
This command copies the kube-bench binary and configuration files to your host from the Docker container:
|
|
|
|
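Review bot: The bind mount in the `docker run` line uses a relative host path, `-v path/to/my-config.yaml:/opt/kube-bench/cfg/config.yaml`; Docker only accepts an absolute path (or a volume name) as the source of a `-v` mount, so this will either be rejected or be treated as a named volume and the default config will not be overridden. Use an absolute path, e.g. `-v "$(pwd)/my-config.yaml:/opt/kube-bench/cfg/config.yaml"`. In the master `kubectl run` line the `nodeSelector` keys on `kubernetes.io/role: master` while the toleration keys on `node-role.kubernetes.io/master`; clusters that taint masters with the latter (kubeadm-style) do not necessarily carry the former label, so the pod can sit in Pending with no node matching the selector. Either document which label the reader is expected to have, or use the same key for both. Both pod specs also set `hostPID: true`; a sentence explaining that this is required so kube-bench can inspect the kubelet and control-plane processes running on the node, and that a PodSecurityPolicy or admission control forbidding host PID will reject the pod, would save readers a debugging round.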
@ -55,25 +68,13 @@ go get github.com/Masterminds/glide
|
|
|
|
|
cd $GOPATH/src/github.com/aquasecurity/kube-bench
|
|
|
|
|
$GOPATH/bin/glide install
|
|
|
|
|
go build -o kube-bench .
|
|
|
|
|
./kube-bench <master|node>
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
## Usage
|
|
|
|
|
```./kube-bench [command]```
|
|
|
|
|
# See all supported options
|
|
|
|
|
./kube-bench --help
|
|
|
|
|
|
|
|
|
|
# Run the all checks on a master node
|
|
|
|
|
./kube-bench master
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
Available Commands:
|
|
|
|
|
federated Run benchmark checks for a Kubernetes federated deployment.
|
|
|
|
|
help Help about any command
|
|
|
|
|
master Run benchmark checks for a Kubernetes master node.
|
|
|
|
|
node Run benchmark checks for a Kubernetes node.
|
|
|
|
|
|
|
|
|
|
Flags:
|
|
|
|
|
-c, --check string A comma-delimited list of checks to run as specified in CIS document. Example --check="1.1.1,1.1.2"
|
|
|
|
|
--config string config file (default is ./cfg/config.yaml)
|
|
|
|
|
-g, --group string Run all the checks under this comma-delimited list of groups. Example --group="1.1"
|
|
|
|
|
--json Prints the results as JSON
|
|
|
|
|
-v, --verbose verbose output (default false)
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
## Configuration
|
|
|
|
|
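Review bot: The lines `# See all supported options` and `# Run the all checks on a master node` sit outside any code fence (the only fence in this region opens just before `Available Commands:`), so Markdown renders them as level-1 headings rather than shell comments; wrap the four command lines in a fence alongside `./kube-bench [command]`, and fix the typo to `# Run all the checks on a master node`. The `--version` flag, which the `kubectl run` examples pass as `-- master --version 1.8`, is not listed under Flags; add it with a note on which benchmark version it selects so readers know what to pass for their cluster.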