mirror of https://github.com/aquasecurity/kube-bench.git synced 2024-11-22 16:18:07 +00:00

Adding a section for Azure Kubernetes Service (#495)

* Adding a section for Azure Kubernetes Service

Steps to run kube-bench on AKS worker nodes

* Update README.md

* Update README.md

Co-authored-by: Roberto Rojas <robertojrojas@gmail.com>
Co-authored-by: Liz Rice <liz@lizrice.com>
Saurya Das 2019-12-20 04:17:00 -08:00 committed by Liz Rice
parent 299ab36a13
commit ca749ccb32


@ -19,26 +19,27 @@ Tests are configured with YAML files, making this tool easy to update as test sp
Table of Contents Table of Contents
================= =================
- [Table of Contents](#table-of-contents) * [CIS Kubernetes Benchmark support](#cis-kubernetes-benchmark-support)
- [CIS Kubernetes Benchmark support](#cis-kubernetes-benchmark-support) * [Installation](#installation)
- [Installation](#installation) * [Running kube-bench](#running-kube-bench)
- [Running kube-bench](#running-kube-bench) * [Running inside a container](#running-inside-a-container)
- [Running inside a container](#running-inside-a-container) * [Running in a kubernetes cluster](#running-in-a-kubernetes-cluster)
- [Running in a Kubernetes cluster](#running-in-a-kubernetes-cluster) * [Running in an Azure Kubernetes Service(AKS) cluster](#running-in-an-aks-cluster)
- [Running in an EKS cluster](#running-in-an-eks-cluster) * [Running in an EKS cluster](#running-in-an-eks-cluster)
- [Installing from a container](#installing-from-a-container) * [Installing from a container](#installing-from-a-container)
- [Installing from sources](#installing-from-sources) * [Installing from sources](#installing-from-sources)
- [Running on OpenShift](#running-on-openshift) * [Running on OpenShift](#running-on-openshift)
- [Output](#output) * [Output](#output)
- [Configuration](#configuration) * [Configuration](#configuration)
- [Test config YAML representation](#test-config-yaml-representation) * [Test config YAML representation](#test-config-yaml-representation)
- [Omitting checks](#omitting-checks) * [Omitting checks](#omitting-checks)
- [Roadmap](#roadmap) * [Roadmap](#roadmap)
- [Testing locally with kind](#testing-locally-with-kind) * [Testing locally with kind](#testing-locally-with-kind)
- [Contributing](#contributing) * [Contributing](#contributing)
- [Bugs](#bugs) * [Bugs](#bugs)
- [Features](#features) * [Features](#features)
- [Pull Requests](#pull-requests) * [Pull Requests](#pull-requests)
## CIS Kubernetes Benchmark support ## CIS Kubernetes Benchmark support
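Review bot: the new table-of-contents label `* [Running in an Azure Kubernetes Service(AKS) cluster](#running-in-an-aks-cluster)` does not match the heading it points at; the heading added further down in this commit is `### Running in an AKS cluster`, so the anchor resolves but the link text differs from the heading, and `Service(AKS)` is missing a space. Suggest making the label identical to the heading: `* [Running in an AKS cluster](#running-in-an-aks-cluster)`. This hunk also turns `Running in a Kubernetes cluster` into `Running in a kubernetes cluster` (lowercase k) and rewrites every list marker from `-` to `*`; both changes are unrelated to the AKS addition and the casing change is a regression, so keep the existing markers and capitalization and limit the hunk to the one new entry.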
@ -177,6 +178,25 @@ To run the tests on the master node, the pod needs to be scheduled on that node.
The default labels applied to master nodes has changed since Kubernetes 1.11, so if you are using an older version you may need to modify the nodeSelector and tolerations to run the job on the master node. The default labels applied to master nodes has changed since Kubernetes 1.11, so if you are using an older version you may need to modify the nodeSelector and tolerations to run the job on the master node.
### Running in an AKS cluster
1. Create an AKS cluster(e.g. 1.13.7) with RBAC enabled, otherwise there would be 4 failures
1. Use the [kubectl-enter plugin] (https://github.com/kvaps/kubectl-enter) to shell into a node
`
kubectl-enter {node-name}
`
or ssh to one agent node
could open nsg 22 port and assign a public ip for one agent node (only for testing purpose)
1. Run CIS benchmark to view results:
```
docker run --rm -v `pwd`:/host aquasec/kube-bench:latest install
./kube-bench node
```
kube-bench cannot be run on AKS master nodes
### Running in an EKS cluster ### Running in an EKS cluster
There is a `job-eks.yaml` file for running the kube-bench node checks on an EKS cluster. The significant difference on EKS is that it's not possible to schedule jobs onto the master node, so master checks can't be performed There is a `job-eks.yaml` file for running the kube-bench node checks on an EKS cluster. The significant difference on EKS is that it's not possible to schedule jobs onto the master node, so master checks can't be performed
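Review bot: the markdown link in `1. Use the [kubectl-enter plugin] (https://github.com/kvaps/kubectl-enter) to shell into a node` is broken, since the space between `]` and `(` stops it rendering as a link; remove the space. Two lines later the `kubectl-enter {node-name}` command is wrapped in single backticks on their own lines, which renders as inline code in the middle of the list item rather than as a code block; use a triple-backtick fence as the `docker run` step already does. "Create an AKS cluster(e.g. 1.13.7) with RBAC enabled, otherwise there would be 4 failures" needs a space before the parenthesis and should say which checks fail without RBAC, or at least that they are node checks that depend on RBAC, so a reader can recognise them in the output. The SSH alternative ("could open nsg 22 port and assign a public ip for one agent node (only for testing purpose)") widens the node's attack surface and nothing in the section reverts it; add that the NSG rule and public IP must be removed once the benchmark run is finished, and prefer the `kubectl-enter` path for routine use. Finally, `kube-bench cannot be run on AKS master nodes` would be clearer with the reason given in the same form as the EKS section ("it's not possible to schedule jobs onto the master node, so master checks can't be performed") and placed before the steps, so readers know up front that only `kube-bench node` applies.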