mirror of
https://github.com/aquasecurity/kube-bench.git
synced 2024-11-25 17:38:21 +00:00
Adding a section for Azure Kubernetes Service (#495)
* Adding a section for Azure Kubernetes Service steps to run kube bench on AKS worker nodes
* Update README.md
* Update README.md

Co-authored-by: Roberto Rojas <robertojrojas@gmail.com>
Co-authored-by: Liz Rice <liz@lizrice.com>
This commit is contained in:
parent 299ab36a13
commit ca749ccb32
60
README.md
@ -19,26 +19,27 @@ Tests are configured with YAML files, making this tool easy to update as test sp
Table of Contents
=================

- [Table of Contents](#table-of-contents)
- [CIS Kubernetes Benchmark support](#cis-kubernetes-benchmark-support)
- [Installation](#installation)
- [Running kube-bench](#running-kube-bench)
- [Running inside a container](#running-inside-a-container)
- [Running in a Kubernetes cluster](#running-in-a-kubernetes-cluster)
- [Running in an EKS cluster](#running-in-an-eks-cluster)
- [Installing from a container](#installing-from-a-container)
- [Installing from sources](#installing-from-sources)
- [Running on OpenShift](#running-on-openshift)
- [Output](#output)
- [Configuration](#configuration)
- [Test config YAML representation](#test-config-yaml-representation)
- [Omitting checks](#omitting-checks)
- [Roadmap](#roadmap)
- [Testing locally with kind](#testing-locally-with-kind)
- [Contributing](#contributing)
- [Bugs](#bugs)
- [Features](#features)
- [Pull Requests](#pull-requests)
* [CIS Kubernetes Benchmark support](#cis-kubernetes-benchmark-support)
* [Installation](#installation)
* [Running kube-bench](#running-kube-bench)
* [Running inside a container](#running-inside-a-container)
* [Running in a kubernetes cluster](#running-in-a-kubernetes-cluster)
* [Running in an Azure Kubernetes Service(AKS) cluster](#running-in-an-aks-cluster)
* [Running in an EKS cluster](#running-in-an-eks-cluster)
* [Installing from a container](#installing-from-a-container)
* [Installing from sources](#installing-from-sources)
* [Running on OpenShift](#running-on-openshift)
* [Output](#output)
* [Configuration](#configuration)
* [Test config YAML representation](#test-config-yaml-representation)
* [Omitting checks](#omitting-checks)
* [Roadmap](#roadmap)
* [Testing locally with kind](#testing-locally-with-kind)
* [Contributing](#contributing)
* [Bugs](#bugs)
* [Features](#features)
* [Pull Requests](#pull-requests)


## CIS Kubernetes Benchmark support

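Review bot: the new entry `* [Running in an Azure Kubernetes Service(AKS) cluster](#running-in-an-aks-cluster)` is missing a space before "(AKS)", and `* [Running in a kubernetes cluster](#running-in-a-kubernetes-cluster)` downcases "Kubernetes" where the line it replaces had "Kubernetes"; the anchors are unchanged, so only the link text needs fixing. Style point: switching every bullet from `-` to `*` rewrites the whole table of contents in order to add one line, which buries the real change in the diff; consider keeping `-` and adding only the AKS entry (dropping the `- [Table of Contents](#table-of-contents)` self-link is fine).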
@ -177,6 +178,25 @@ To run the tests on the master node, the pod needs to be scheduled on that node.

The default labels applied to master nodes has changed since Kubernetes 1.11, so if you are using an older version you may need to modify the nodeSelector and tolerations to run the job on the master node.


### Running in an AKS cluster

1. Create an AKS cluster(e.g. 1.13.7) with RBAC enabled, otherwise there would be 4 failures

1. Use the [kubectl-enter plugin] (https://github.com/kvaps/kubectl-enter) to shell into a node
`
kubectl-enter {node-name}
`
or ssh to one agent node
could open nsg 22 port and assign a public ip for one agent node (only for testing purpose)

1. Run CIS benchmark to view results:
```
docker run --rm -v `pwd`:/host aquasec/kube-bench:latest install
./kube-bench node
```
kube-bench cannot be run on AKS master nodes

### Running in an EKS cluster

There is a `job-eks.yaml` file for running the kube-bench node checks on an EKS cluster. The significant difference on EKS is that it's not possible to schedule jobs onto the master node, so master checks can't be performed

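Review bot: two Markdown defects in the new AKS section will render wrong: `[kubectl-enter plugin] (https://github.com/kvaps/kubectl-enter)` has a space between `]` and `(`, so it is not a link, and the single-backtick lines around `kubectl-enter {node-name}` do not open a code block (use the same triple-backtick fence the `docker run` step already uses). On the content: "could open nsg 22 port and assign a public ip for one agent node (only for testing purpose)" documents weakening the node's network exposure inside a hardening guide; if it stays, say that the NSG rule should be limited to the operator's own source address and removed together with the public IP once the run is finished, and point readers first at the Job-based approach from the "Running in a Kubernetes cluster" section above, which needs no shell access to the node at all. "otherwise there would be 4 failures" should name the checks that fail without RBAC so a reader can tell an expected failure from a real finding. Minor: the three list items are all numbered `1.`, which Markdown renders correctly but reads oddly in source.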