diff --git a/README.md b/README.md
index ab62ef9..43e0e02 100644
--- a/README.md
+++ b/README.md
@@ -37,6 +37,19 @@ You can even use your own configs by mounting them over the default ones in `/op
 docker run --pid=host -v path/to/my-config.yaml:/opt/kube-bench/cfg/config.yaml aquasec/kube-bench:latest
 ```
+### Running in a kubernetes cluster
+Run the master check
+
+```
+kubectl run --rm -i -t kube-bench-master --image=aquasec/kube-bench:latest --restart=Never --overrides="{ \"apiVersion\": \"v1\", \"spec\": { \"hostPID\": true, \"nodeSelector\": { \"kubernetes.io/role\": \"master\" }, \"tolerations\": [ { \"key\": \"node-role.kubernetes.io/master\", \"operator\": \"Exists\", \"effect\": \"NoSchedule\" } ] } }" -- master --version 1.8
+```
+
+Run the node check
+
+```
+kubectl run --rm -i -t kube-bench-node --image=aquasec/kube-bench:latest --restart=Never --overrides="{ \"apiVersion\": \"v1\", \"spec\": { \"hostPID\": true } }" -- node --version 1.8
+```
+
 ### Installing from a container
 This command copies the kube-bench binary and configuration files to your host from the Docker container:
@@ -55,25 +68,13 @@ go get github.com/Masterminds/glide
 cd $GOPATH/src/github.com/aquasecurity/kube-bench
 $GOPATH/bin/glide install
 go build -o kube-bench .
-./kube-bench
-```
-## Usage
-```./kube-bench [command]```
+# See all supported options
+./kube-bench --help
+
+# Run the all checks on a master node
+./kube-bench master
 
-```
-Available Commands:
- federated Run benchmark checks for a Kubernetes federated deployment.
- help Help about any command
- master Run benchmark checks for a Kubernetes master node.
- node Run benchmark checks for a Kubernetes node.
-
-Flags:
- -c, --check string A comma-delimited list of checks to run as specified in CIS document. Example --check="1.1.1,1.1.2"
- --config string config file (default is ./cfg/config.yaml)
- -g, --group string Run all the checks under this comma-delimited list of groups. Example --group="1.1"
- --json Prints the results as JSON
- -v, --verbose verbose output (default false)
 ```
 ## Configuration
diff --git a/cfg/1.8/master.yaml b/cfg/1.8/master.yaml
index fa1d1a6..7fb9dfa 100644
--- a/cfg/1.8/master.yaml
+++ b/cfg/1.8/master.yaml
@@ -418,7 +418,7 @@ groups:
 
 - id: 1.1.26
 text: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as
-appropriate (Scored"
+appropriate (Scored)"
 audit: "ps -ef | grep $apiserverbin | grep -v grep"
 tests:
 bin_op: and
@@ -666,7 +666,7 @@ groups:
 scored: true
 
- id: 1.3.3
-text: "Ensure that the --use-service-account-credentials argument is set"
+text: "Ensure that the --use-service-account-credentials argument is set (Scored)"
 audit: "ps -ef | grep $controllermanagerbin | grep -v grep"
 tests:
 test_items:
diff --git a/cmd/root.go b/cmd/root.go
index 9f8aa4d..a41ea61 100644
--- a/cmd/root.go
+++ b/cmd/root.go
@@ -46,7 +46,7 @@ var (
 var RootCmd = &cobra.Command{
 Use: os.Args[0],
 Short: "Run CIS Benchmarks checks against a Kubernetes deployment",
-Long: `This tool runs the CIS Kubernetes 1.6 Benchmark v1.0.0 checks.`,
+Long: `This tool runs the CIS Kubernetes Benchmark (http://www.cisecurity.org/benchmark/kubernetes/)`,
 }
 
 // Execute adds all child commands to the root command sets flags appropriately.
@@ -65,7 +65,7 @@ func init() {
 cobra.OnInitialize(initConfig)
 
 // Output control
-RootCmd.PersistentFlags().BoolVar(&noResults, "noresults", false, "Disable prints of results section")
+RootCmd.PersistentFlags().BoolVar(&noResults, "noresults", false, "Disable printing of results section")
 RootCmd.PersistentFlags().BoolVar(&noSummary, "nosummary", false, "Disable printing of summary section")
 RootCmd.PersistentFlags().BoolVar(&noRemediations, "noremediations", false, "Disable printing of remediations section")
 RootCmd.PersistentFlags().BoolVar(&jsonFmt, "json", false, "Prints the results as JSON")
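Review bot: The new `Long:` value in the first hunk links to the benchmark over plain http, and this string is printed verbatim in the tool's own `--help` output; for a security tool the TLS form is the better reference, so change `http://www.cisecurity.org/benchmark/kubernetes/` to `https://www.cisecurity.org/benchmark/kubernetes/`. The replaced line told users which benchmark version and release the checks implement, while the new text names none; the README in this same change invokes `master --version 1.8`, so the help text could state that the benchmark version is chosen per run with `--version` (that flag's definition is not in this hunk, so confirm its name before documenting it). The old sentence also ended with a period and the new one does not, which reads oddly next to the other cobra help strings. The `var RootCmd` literal is complete within the hunk; the `var (` block in the hunk header is an earlier declaration, not an enclosing one.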