1
0
mirror of https://github.com/aquasecurity/kube-bench.git synced 2024-12-18 20:58:10 +00:00

Merge pull request #130 from aquasecurity/fix-typo

A bunch of text edits
This commit is contained in:
Liz Rice 2018-05-15 11:41:51 +01:00 committed by GitHub
commit c0d80b4669
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 21 additions and 20 deletions

View File

@ -37,6 +37,19 @@ You can even use your own configs by mounting them over the default ones in `/op
docker run --pid=host -v path/to/my-config.yaml:/opt/kube-bench/cfg/config.yaml aquasec/kube-bench:latest <master|node>
```
### Running in a kubernetes cluster
Run the master check
```
kubectl run --rm -i -t kube-bench-master --image=aquasec/kube-bench:latest --restart=Never --overrides="{ \"apiVersion\": \"v1\", \"spec\": { \"hostPID\": true, \"nodeSelector\": { \"kubernetes.io/role\": \"master\" }, \"tolerations\": [ { \"key\": \"node-role.kubernetes.io/master\", \"operator\": \"Exists\", \"effect\": \"NoSchedule\" } ] } }" -- master --version 1.8
```
Run the node check
```
kubectl run --rm -i -t kube-bench-node --image=aquasec/kube-bench:latest --restart=Never --overrides="{ \"apiVersion\": \"v1\", \"spec\": { \"hostPID\": true } }" -- node --version 1.8
```
### Installing from a container
This command copies the kube-bench binary and configuration files to your host from the Docker container:
@ -55,25 +68,13 @@ go get github.com/Masterminds/glide
cd $GOPATH/src/github.com/aquasecurity/kube-bench
$GOPATH/bin/glide install
go build -o kube-bench .
./kube-bench <master|node>
```
## Usage
```./kube-bench [command]```
# See all supported options
./kube-bench --help
```
Available Commands:
federated Run benchmark checks for a Kubernetes federated deployment.
help Help about any command
master Run benchmark checks for a Kubernetes master node.
node Run benchmark checks for a Kubernetes node.
# Run the all checks on a master node
./kube-bench master
Flags:
-c, --check string A comma-delimited list of checks to run as specified in CIS document. Example --check="1.1.1,1.1.2"
--config string config file (default is ./cfg/config.yaml)
-g, --group string Run all the checks under this comma-delimited list of groups. Example --group="1.1"
--json Prints the results as JSON
-v, --verbose verbose output (default false)
```
## Configuration

View File

@ -418,7 +418,7 @@ groups:
- id: 1.1.26
text: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as
appropriate (Scored"
appropriate (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests:
bin_op: and
@ -666,7 +666,7 @@ groups:
scored: true
- id: 1.3.3
text: "Ensure that the --use-service-account-credentials argument is set"
text: "Ensure that the --use-service-account-credentials argument is set (Scored)"
audit: "ps -ef | grep $controllermanagerbin | grep -v grep"
tests:
test_items:

View File

@ -46,7 +46,7 @@ var (
var RootCmd = &cobra.Command{
Use: os.Args[0],
Short: "Run CIS Benchmarks checks against a Kubernetes deployment",
Long: `This tool runs the CIS Kubernetes 1.6 Benchmark v1.0.0 checks.`,
Long: `This tool runs the CIS Kubernetes Benchmark (http://www.cisecurity.org/benchmark/kubernetes/)`,
}
// Execute adds all child commands to the root command sets flags appropriately.
@ -65,7 +65,7 @@ func init() {
cobra.OnInitialize(initConfig)
// Output control
RootCmd.PersistentFlags().BoolVar(&noResults, "noresults", false, "Disable prints of results section")
RootCmd.PersistentFlags().BoolVar(&noResults, "noresults", false, "Disable printing of results section")
RootCmd.PersistentFlags().BoolVar(&noSummary, "nosummary", false, "Disable printing of summary section")
RootCmd.PersistentFlags().BoolVar(&noRemediations, "noremediations", false, "Disable printing of remediations section")
RootCmd.PersistentFlags().BoolVar(&jsonFmt, "json", false, "Prints the results as JSON")