Deployed bb466bb to v0.6.5 with MkDocs 1.2.3 and mike 1.1.2

pull/1082/head
aqua-bot 2 years ago
parent 05e7c06ddb
commit e689d6e2b1

@ -4,13 +4,13 @@
<meta charset="utf-8">
<title>Redirecting</title>
<noscript>
<meta http-equiv="refresh" content="1; url=../v0.6.3/404.html" />
<meta http-equiv="refresh" content="1; url=../v0.6.5/404.html" />
</noscript>
<script>
window.location.replace("../v0.6.3/404.html" + window.location.hash);
window.location.replace("../v0.6.5/404.html" + window.location.hash);
</script>
</head>
<body>
Redirecting to <a href="../v0.6.3/404.html">../v0.6.3/404.html</a>...
Redirecting to <a href="../v0.6.5/404.html">../v0.6.5/404.html</a>...
</body>
</html>

@ -4,13 +4,13 @@
<meta charset="utf-8">
<title>Redirecting</title>
<noscript>
<meta http-equiv="refresh" content="1; url=../../v0.6.3/architecture/" />
<meta http-equiv="refresh" content="1; url=../../v0.6.5/architecture/" />
</noscript>
<script>
window.location.replace("../../v0.6.3/architecture/" + window.location.hash);
window.location.replace("../../v0.6.5/architecture/" + window.location.hash);
</script>
</head>
<body>
Redirecting to <a href="../../v0.6.3/architecture/">../../v0.6.3/architecture/</a>...
Redirecting to <a href="../../v0.6.5/architecture/">../../v0.6.5/architecture/</a>...
</body>
</html>

@ -4,13 +4,13 @@
<meta charset="utf-8">
<title>Redirecting</title>
<noscript>
<meta http-equiv="refresh" content="1; url=../../v0.6.3/asff/" />
<meta http-equiv="refresh" content="1; url=../../v0.6.5/asff/" />
</noscript>
<script>
window.location.replace("../../v0.6.3/asff/" + window.location.hash);
window.location.replace("../../v0.6.5/asff/" + window.location.hash);
</script>
</head>
<body>
Redirecting to <a href="../../v0.6.3/asff/">../../v0.6.3/asff/</a>...
Redirecting to <a href="../../v0.6.5/asff/">../../v0.6.5/asff/</a>...
</body>
</html>

@ -4,13 +4,13 @@
<meta charset="utf-8">
<title>Redirecting</title>
<noscript>
<meta http-equiv="refresh" content="1; url=../../v0.6.3/controls/" />
<meta http-equiv="refresh" content="1; url=../../v0.6.5/controls/" />
</noscript>
<script>
window.location.replace("../../v0.6.3/controls/" + window.location.hash);
window.location.replace("../../v0.6.5/controls/" + window.location.hash);
</script>
</head>
<body>
Redirecting to <a href="../../v0.6.3/controls/">../../v0.6.3/controls/</a>...
Redirecting to <a href="../../v0.6.5/controls/">../../v0.6.5/controls/</a>...
</body>
</html>

@ -4,13 +4,13 @@
<meta charset="utf-8">
<title>Redirecting</title>
<noscript>
<meta http-equiv="refresh" content="1; url=../../v0.6.3/flags-and-commands/" />
<meta http-equiv="refresh" content="1; url=../../v0.6.5/flags-and-commands/" />
</noscript>
<script>
window.location.replace("../../v0.6.3/flags-and-commands/" + window.location.hash);
window.location.replace("../../v0.6.5/flags-and-commands/" + window.location.hash);
</script>
</head>
<body>
Redirecting to <a href="../../v0.6.3/flags-and-commands/">../../v0.6.3/flags-and-commands/</a>...
Redirecting to <a href="../../v0.6.5/flags-and-commands/">../../v0.6.5/flags-and-commands/</a>...
</body>
</html>

@ -4,13 +4,13 @@
<meta charset="utf-8">
<title>Redirecting</title>
<noscript>
<meta http-equiv="refresh" content="1; url=../v0.6.3/" />
<meta http-equiv="refresh" content="1; url=../v0.6.5/" />
</noscript>
<script>
window.location.replace("../v0.6.3/" + window.location.hash);
window.location.replace("../v0.6.5/" + window.location.hash);
</script>
</head>
<body>
Redirecting to <a href="../v0.6.3/">../v0.6.3/</a>...
Redirecting to <a href="../v0.6.5/">../v0.6.5/</a>...
</body>
</html>

@ -4,13 +4,13 @@
<meta charset="utf-8">
<title>Redirecting</title>
<noscript>
<meta http-equiv="refresh" content="1; url=../../v0.6.3/installation/" />
<meta http-equiv="refresh" content="1; url=../../v0.6.5/installation/" />
</noscript>
<script>
window.location.replace("../../v0.6.3/installation/" + window.location.hash);
window.location.replace("../../v0.6.5/installation/" + window.location.hash);
</script>
</head>
<body>
Redirecting to <a href="../../v0.6.3/installation/">../../v0.6.3/installation/</a>...
Redirecting to <a href="../../v0.6.5/installation/">../../v0.6.5/installation/</a>...
</body>
</html>

@ -4,13 +4,13 @@
<meta charset="utf-8">
<title>Redirecting</title>
<noscript>
<meta http-equiv="refresh" content="1; url=../../v0.6.3/platforms/" />
<meta http-equiv="refresh" content="1; url=../../v0.6.5/platforms/" />
</noscript>
<script>
window.location.replace("../../v0.6.3/platforms/" + window.location.hash);
window.location.replace("../../v0.6.5/platforms/" + window.location.hash);
</script>
</head>
<body>
Redirecting to <a href="../../v0.6.3/platforms/">../../v0.6.3/platforms/</a>...
Redirecting to <a href="../../v0.6.5/platforms/">../../v0.6.5/platforms/</a>...
</body>
</html>

@ -4,13 +4,13 @@
<meta charset="utf-8">
<title>Redirecting</title>
<noscript>
<meta http-equiv="refresh" content="1; url=../../v0.6.3/running/" />
<meta http-equiv="refresh" content="1; url=../../v0.6.5/running/" />
</noscript>
<script>
window.location.replace("../../v0.6.3/running/" + window.location.hash);
window.location.replace("../../v0.6.5/running/" + window.location.hash);
</script>
</head>
<body>
Redirecting to <a href="../../v0.6.3/running/">../../v0.6.3/running/</a>...
Redirecting to <a href="../../v0.6.5/running/">../../v0.6.5/running/</a>...
</body>
</html>

@ -0,0 +1,443 @@
<!doctype html>
<html lang="en" class="no-js">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width,initial-scale=1">
<meta name="description" content="Checks whether Kubernetes is deployed according to security best practices as defined in the CIS Kubernetes Benchmark">
<link rel="icon" href="/kube-bench/v0.6.5/assets/images/favicon.png">
<meta name="generator" content="mkdocs-1.2.3, mkdocs-material-8.0.2+insiders-4.1.0">
<title>Kube-bench</title>
<link rel="stylesheet" href="/kube-bench/v0.6.5/assets/stylesheets/main.adb7b03c.min.css">
<link rel="stylesheet" href="/kube-bench/v0.6.5/assets/stylesheets/palette.fe799546.min.css">
<link rel="preload" as="style" href="/kube-bench/v0.6.5/assets/stylesheets/vendor/mermaid.733f213f.min.css">
<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto:300,400,400i,700%7CRoboto+Mono&display=fallback">
<style>:root{--md-text-font:"Roboto";--md-code-font:"Roboto Mono"}</style>
<script>function __md_scope(e,t,_){return new URL(_||(t===localStorage?"/kube-bench/v0.6.5":"/kube-bench/v0.6.5"),location).pathname+"."+e}function __md_get(e,t=localStorage,_){return JSON.parse(t.getItem(__md_scope(e,t,_)))}function __md_set(e,t,_=localStorage,o){try{_.setItem(__md_scope(e,_,o),JSON.stringify(t))}catch(e){}}</script>
</head>
<body dir="ltr" data-md-color-scheme="" data-md-color-primary="none" data-md-color-accent="none">
<input class="md-toggle" data-md-toggle="drawer" type="checkbox" id="__drawer" autocomplete="off">
<input class="md-toggle" data-md-toggle="search" type="checkbox" id="__search" autocomplete="off">
<label class="md-overlay" for="__drawer"></label>
<div data-md-component="skip">
</div>
<div data-md-component="announce">
</div>
<div data-md-component="outdated" hidden>
</div>
<header class="md-header" data-md-component="header">
<nav class="md-header__inner md-grid" aria-label="Header">
<a href="/kube-bench/v0.6.5/." title="Kube-bench" class="md-header__button md-logo" aria-label="Kube-bench" data-md-component="logo">
<img src="/kube-bench/v0.6.5/images/kube-bench-logo-only.png" alt="logo">
</a>
<label class="md-header__button md-icon" for="__drawer">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M3 6h18v2H3V6m0 5h18v2H3v-2m0 5h18v2H3v-2z"/></svg>
</label>
<div class="md-header__title" data-md-component="header-title">
<div class="md-header__ellipsis">
<div class="md-header__topic">
<span class="md-ellipsis">
Kube-bench
</span>
</div>
<div class="md-header__topic" data-md-component="header-topic">
<span class="md-ellipsis">
</span>
</div>
</div>
</div>
<label class="md-header__button md-icon" for="__search">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.516 6.516 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5z"/></svg>
</label>
<div class="md-search" data-md-component="search" role="dialog">
<label class="md-search__overlay" for="__search"></label>
<div class="md-search__inner" role="search">
<form class="md-search__form" name="search">
<input type="text" class="md-search__input" name="query" aria-label="Search" placeholder="Search" autocapitalize="off" autocorrect="off" autocomplete="off" spellcheck="false" data-md-component="search-query" required>
<label class="md-search__icon md-icon" for="__search">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.516 6.516 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5z"/></svg>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M20 11v2H8l5.5 5.5-1.42 1.42L4.16 12l7.92-7.92L13.5 5.5 8 11h12z"/></svg>
</label>
<nav class="md-search__options" aria-label="Search">
<button type="reset" class="md-search__icon md-icon" aria-label="Clear" tabindex="-1">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M19 6.41 17.59 5 12 10.59 6.41 5 5 6.41 10.59 12 5 17.59 6.41 19 12 13.41 17.59 19 19 17.59 13.41 12 19 6.41z"/></svg>
</button>
</nav>
</form>
<div class="md-search__output">
<div class="md-search__scrollwrap" data-md-scrollfix>
<div class="md-search-result" data-md-component="search-result">
<div class="md-search-result__meta">
Initializing search
</div>
<ol class="md-search-result__list"></ol>
</div>
</div>
</div>
</div>
</div>
<div class="md-header__source">
<a href="https://github.com/aquasecurity/kube-bench/" title="Go to repository" class="md-source" data-md-component="source">
<div class="md-source__icon md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512"><path d="M439.55 236.05 244 40.45a28.87 28.87 0 0 0-40.81 0l-40.66 40.63 51.52 51.52c27.06-9.14 52.68 16.77 43.39 43.68l49.66 49.66c34.23-11.8 61.18 31 35.47 56.69-26.49 26.49-70.21-2.87-56-37.34L240.22 199v121.85c25.3 12.54 22.26 41.85 9.08 55a34.34 34.34 0 0 1-48.55 0c-17.57-17.6-11.07-46.91 11.25-56v-123c-20.8-8.51-24.6-30.74-18.64-45L142.57 101 8.45 235.14a28.86 28.86 0 0 0 0 40.81l195.61 195.6a28.86 28.86 0 0 0 40.8 0l194.69-194.69a28.86 28.86 0 0 0 0-40.81z"/></svg>
</div>
<div class="md-source__repository">
GitHub
</div>
</a>
</div>
</nav>
</header>
<div class="md-container" data-md-component="container">
<main class="md-main" data-md-component="main">
<div class="md-main__inner md-grid">
<div class="md-sidebar md-sidebar--primary" data-md-component="sidebar" data-md-type="navigation" >
<div class="md-sidebar__scrollwrap">
<div class="md-sidebar__inner">
<nav class="md-nav md-nav--primary" aria-label="Navigation" data-md-level="0">
<label class="md-nav__title" for="__drawer">
<a href="/kube-bench/v0.6.5/." title="Kube-bench" class="md-nav__button md-logo" aria-label="Kube-bench" data-md-component="logo">
<img src="/kube-bench/v0.6.5/images/kube-bench-logo-only.png" alt="logo">
</a>
Kube-bench
</label>
<div class="md-nav__source">
<a href="https://github.com/aquasecurity/kube-bench/" title="Go to repository" class="md-source" data-md-component="source">
<div class="md-source__icon md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512"><path d="M439.55 236.05 244 40.45a28.87 28.87 0 0 0-40.81 0l-40.66 40.63 51.52 51.52c27.06-9.14 52.68 16.77 43.39 43.68l49.66 49.66c34.23-11.8 61.18 31 35.47 56.69-26.49 26.49-70.21-2.87-56-37.34L240.22 199v121.85c25.3 12.54 22.26 41.85 9.08 55a34.34 34.34 0 0 1-48.55 0c-17.57-17.6-11.07-46.91 11.25-56v-123c-20.8-8.51-24.6-30.74-18.64-45L142.57 101 8.45 235.14a28.86 28.86 0 0 0 0 40.81l195.61 195.6a28.86 28.86 0 0 0 40.8 0l194.69-194.69a28.86 28.86 0 0 0 0-40.81z"/></svg>
</div>
<div class="md-source__repository">
GitHub
</div>
</a>
</div>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="/kube-bench/v0.6.5/." class="md-nav__link">
Overview
</a>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_2" type="checkbox" id="__nav_2" >
<label class="md-nav__link" for="__nav_2">
Getting Started
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Getting Started" data-md-level="1">
<label class="md-nav__title" for="__nav_2">
<span class="md-nav__icon md-icon"></span>
Getting Started
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="/kube-bench/v0.6.5/installation/" class="md-nav__link">
Installation
</a>
</li>
<li class="md-nav__item">
<a href="/kube-bench/v0.6.5/platforms/" class="md-nav__link">
Platforms
</a>
</li>
<li class="md-nav__item">
<a href="/kube-bench/v0.6.5/running/" class="md-nav__link">
How to run
</a>
</li>
<li class="md-nav__item">
<a href="/kube-bench/v0.6.5/asff/" class="md-nav__link">
ASFF
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="/kube-bench/v0.6.5/flags-and-commands/" class="md-nav__link">
Flags
</a>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_4" type="checkbox" id="__nav_4" >
<label class="md-nav__link" for="__nav_4">
Configuration Options
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Configuration Options" data-md-level="1">
<label class="md-nav__title" for="__nav_4">
<span class="md-nav__icon md-icon"></span>
Configuration Options
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="/kube-bench/v0.6.5/controls/" class="md-nav__link">
Understanding the yamls
</a>
</li>
<li class="md-nav__item">
<a href="/kube-bench/v0.6.5/architecture/" class="md-nav__link">
Architecture
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="/kube-bench/v0.6.5/CONTRIBUTING.md" class="md-nav__link">
Contributing
</a>
</li>
</ul>
</nav>
</div>
</div>
</div>
<div class="md-content" data-md-component="content">
<article class="md-content__inner md-typeset">
<h1>404 - Not found</h1>
</article>
</div>
</div>
</main>
<footer class="md-footer">
<div class="md-footer-meta md-typeset">
<div class="md-footer-meta__inner md-grid">
<div class="md-copyright">
</div>
</div>
</div>
</footer>
</div>
<div class="md-dialog" data-md-component="dialog">
<div class="md-dialog__inner md-typeset"></div>
</div>
<script id="__config" type="application/json">{"base": "/kube-bench/v0.6.5", "features": [], "translations": {"clipboard.copy": "Copy to clipboard", "clipboard.copied": "Copied to clipboard", "search.config.lang": "en", "search.config.pipeline": "stopWordFilter", "search.config.separator": "[\\s\\-]+", "search.placeholder": "Search", "search.result.placeholder": "Type to start searching", "search.result.none": "No matching documents", "search.result.one": "1 matching document", "search.result.other": "# matching documents", "search.result.more.one": "1 more on this page", "search.result.more.other": "# more on this page", "search.result.term.missing": "Missing", "select.version.title": "Select version"}, "search": "/kube-bench/v0.6.5/assets/javascripts/workers/search.81d897cb.min.js", "version": {"method": "mike", "provider": "mike"}}</script>
<script src="/kube-bench/v0.6.5/assets/javascripts/bundle.adafc647.min.js"></script>
</body>
</html>

@ -0,0 +1,617 @@
<!doctype html>
<html lang="en" class="no-js">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width,initial-scale=1">
<meta name="description" content="Checks whether Kubernetes is deployed according to security best practices as defined in the CIS Kubernetes Benchmark">
<link rel="canonical" href="https://aquasecurity.github.io/kube-bench/v0.6.5/architecture/">
<link rel="icon" href="../assets/images/favicon.png">
<meta name="generator" content="mkdocs-1.2.3, mkdocs-material-8.0.2+insiders-4.1.0">
<title>Architecture - Kube-bench</title>
<link rel="stylesheet" href="../assets/stylesheets/main.adb7b03c.min.css">
<link rel="stylesheet" href="../assets/stylesheets/palette.fe799546.min.css">
<link rel="preload" as="style" href="../assets/stylesheets/vendor/mermaid.733f213f.min.css">
<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto:300,400,400i,700%7CRoboto+Mono&display=fallback">
<style>:root{--md-text-font:"Roboto";--md-code-font:"Roboto Mono"}</style>
<script>function __md_scope(e,t,_){return new URL(_||(t===localStorage?"..":".."),location).pathname+"."+e}function __md_get(e,t=localStorage,_){return JSON.parse(t.getItem(__md_scope(e,t,_)))}function __md_set(e,t,_=localStorage,o){try{_.setItem(__md_scope(e,_,o),JSON.stringify(t))}catch(e){}}</script>
</head>
<body dir="ltr" data-md-color-scheme="" data-md-color-primary="none" data-md-color-accent="none">
<input class="md-toggle" data-md-toggle="drawer" type="checkbox" id="__drawer" autocomplete="off">
<input class="md-toggle" data-md-toggle="search" type="checkbox" id="__search" autocomplete="off">
<label class="md-overlay" for="__drawer"></label>
<div data-md-component="skip">
<a href="#test-config-yaml-representation" class="md-skip">
Skip to content
</a>
</div>
<div data-md-component="announce">
</div>
<div data-md-component="outdated" hidden>
</div>
<header class="md-header" data-md-component="header">
<nav class="md-header__inner md-grid" aria-label="Header">
<a href=".." title="Kube-bench" class="md-header__button md-logo" aria-label="Kube-bench" data-md-component="logo">
<img src="../images/kube-bench-logo-only.png" alt="logo">
</a>
<label class="md-header__button md-icon" for="__drawer">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M3 6h18v2H3V6m0 5h18v2H3v-2m0 5h18v2H3v-2z"/></svg>
</label>
<div class="md-header__title" data-md-component="header-title">
<div class="md-header__ellipsis">
<div class="md-header__topic">
<span class="md-ellipsis">
Kube-bench
</span>
</div>
<div class="md-header__topic" data-md-component="header-topic">
<span class="md-ellipsis">
Architecture
</span>
</div>
</div>
</div>
<label class="md-header__button md-icon" for="__search">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.516 6.516 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5z"/></svg>
</label>
<div class="md-search" data-md-component="search" role="dialog">
<label class="md-search__overlay" for="__search"></label>
<div class="md-search__inner" role="search">
<form class="md-search__form" name="search">
<input type="text" class="md-search__input" name="query" aria-label="Search" placeholder="Search" autocapitalize="off" autocorrect="off" autocomplete="off" spellcheck="false" data-md-component="search-query" required>
<label class="md-search__icon md-icon" for="__search">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.516 6.516 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5z"/></svg>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M20 11v2H8l5.5 5.5-1.42 1.42L4.16 12l7.92-7.92L13.5 5.5 8 11h12z"/></svg>
</label>
<nav class="md-search__options" aria-label="Search">
<button type="reset" class="md-search__icon md-icon" aria-label="Clear" tabindex="-1">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M19 6.41 17.59 5 12 10.59 6.41 5 5 6.41 10.59 12 5 17.59 6.41 19 12 13.41 17.59 19 19 17.59 13.41 12 19 6.41z"/></svg>
</button>
</nav>
</form>
<div class="md-search__output">
<div class="md-search__scrollwrap" data-md-scrollfix>
<div class="md-search-result" data-md-component="search-result">
<div class="md-search-result__meta">
Initializing search
</div>
<ol class="md-search-result__list"></ol>
</div>
</div>
</div>
</div>
</div>
<div class="md-header__source">
<a href="https://github.com/aquasecurity/kube-bench/" title="Go to repository" class="md-source" data-md-component="source">
<div class="md-source__icon md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512"><path d="M439.55 236.05 244 40.45a28.87 28.87 0 0 0-40.81 0l-40.66 40.63 51.52 51.52c27.06-9.14 52.68 16.77 43.39 43.68l49.66 49.66c34.23-11.8 61.18 31 35.47 56.69-26.49 26.49-70.21-2.87-56-37.34L240.22 199v121.85c25.3 12.54 22.26 41.85 9.08 55a34.34 34.34 0 0 1-48.55 0c-17.57-17.6-11.07-46.91 11.25-56v-123c-20.8-8.51-24.6-30.74-18.64-45L142.57 101 8.45 235.14a28.86 28.86 0 0 0 0 40.81l195.61 195.6a28.86 28.86 0 0 0 40.8 0l194.69-194.69a28.86 28.86 0 0 0 0-40.81z"/></svg>
</div>
<div class="md-source__repository">
GitHub
</div>
</a>
</div>
</nav>
</header>
<div class="md-container" data-md-component="container">
<main class="md-main" data-md-component="main">
<div class="md-main__inner md-grid">
<div class="md-sidebar md-sidebar--primary" data-md-component="sidebar" data-md-type="navigation" >
<div class="md-sidebar__scrollwrap">
<div class="md-sidebar__inner">
<nav class="md-nav md-nav--primary" aria-label="Navigation" data-md-level="0">
<label class="md-nav__title" for="__drawer">
<a href=".." title="Kube-bench" class="md-nav__button md-logo" aria-label="Kube-bench" data-md-component="logo">
<img src="../images/kube-bench-logo-only.png" alt="logo">
</a>
Kube-bench
</label>
<div class="md-nav__source">
<a href="https://github.com/aquasecurity/kube-bench/" title="Go to repository" class="md-source" data-md-component="source">
<div class="md-source__icon md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512"><path d="M439.55 236.05 244 40.45a28.87 28.87 0 0 0-40.81 0l-40.66 40.63 51.52 51.52c27.06-9.14 52.68 16.77 43.39 43.68l49.66 49.66c34.23-11.8 61.18 31 35.47 56.69-26.49 26.49-70.21-2.87-56-37.34L240.22 199v121.85c25.3 12.54 22.26 41.85 9.08 55a34.34 34.34 0 0 1-48.55 0c-17.57-17.6-11.07-46.91 11.25-56v-123c-20.8-8.51-24.6-30.74-18.64-45L142.57 101 8.45 235.14a28.86 28.86 0 0 0 0 40.81l195.61 195.6a28.86 28.86 0 0 0 40.8 0l194.69-194.69a28.86 28.86 0 0 0 0-40.81z"/></svg>
</div>
<div class="md-source__repository">
GitHub
</div>
</a>
</div>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href=".." class="md-nav__link">
Overview
</a>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_2" type="checkbox" id="__nav_2" >
<label class="md-nav__link" for="__nav_2">
Getting Started
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Getting Started" data-md-level="1">
<label class="md-nav__title" for="__nav_2">
<span class="md-nav__icon md-icon"></span>
Getting Started
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../installation/" class="md-nav__link">
Installation
</a>
</li>
<li class="md-nav__item">
<a href="../platforms/" class="md-nav__link">
Platforms
</a>
</li>
<li class="md-nav__item">
<a href="../running/" class="md-nav__link">
How to run
</a>
</li>
<li class="md-nav__item">
<a href="../asff/" class="md-nav__link">
ASFF
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="../flags-and-commands/" class="md-nav__link">
Flags
</a>
</li>
<li class="md-nav__item md-nav__item--active md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_4" type="checkbox" id="__nav_4" checked>
<label class="md-nav__link" for="__nav_4">
Configuration Options
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Configuration Options" data-md-level="1">
<label class="md-nav__title" for="__nav_4">
<span class="md-nav__icon md-icon"></span>
Configuration Options
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../controls/" class="md-nav__link">
Understanding the yamls
</a>
</li>
<li class="md-nav__item md-nav__item--active">
<input class="md-nav__toggle md-toggle" data-md-toggle="toc" type="checkbox" id="__toc">
<label class="md-nav__link md-nav__link--active" for="__toc">
Architecture
<span class="md-nav__icon md-icon"></span>
</label>
<a href="./" class="md-nav__link md-nav__link--active">
Architecture
</a>
<nav class="md-nav md-nav--secondary" aria-label="Table of contents">
<label class="md-nav__title" for="__toc">
<span class="md-nav__icon md-icon"></span>
Table of contents
</label>
<ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
<li class="md-nav__item">
<a href="#test-config-yaml-representation" class="md-nav__link">
Test config YAML representation
</a>
</li>
<li class="md-nav__item">
<a href="#kube-bench-benchmarks" class="md-nav__link">
Kube-bench benchmarks
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="../CONTRIBUTING.md" class="md-nav__link">
Contributing
</a>
</li>
</ul>
</nav>
</div>
</div>
</div>
<div class="md-sidebar md-sidebar--secondary" data-md-component="sidebar" data-md-type="toc" >
<div class="md-sidebar__scrollwrap">
<div class="md-sidebar__inner">
<nav class="md-nav md-nav--secondary" aria-label="Table of contents">
<label class="md-nav__title" for="__toc">
<span class="md-nav__icon md-icon"></span>
Table of contents
</label>
<ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
<li class="md-nav__item">
<a href="#test-config-yaml-representation" class="md-nav__link">
Test config YAML representation
</a>
</li>
<li class="md-nav__item">
<a href="#kube-bench-benchmarks" class="md-nav__link">
Kube-bench benchmarks
</a>
</li>
</ul>
</nav>
</div>
</div>
</div>
<div class="md-content" data-md-component="content">
<article class="md-content__inner md-typeset">
<h1>Architecture</h1>
<h2 id="test-config-yaml-representation">Test config YAML representation</h2>
<p>The tests (or "controls") are maintained in YAML documents. There are different versions of these test YAML files reflecting different <a href="../platforms/">versions and platforms of the CIS Kubernetes Benchmark</a>. You will find more information about the test file YAML definitions in our <a href="../controls/">controls documentation</a>.</p>
<h2 id="kube-bench-benchmarks">Kube-bench benchmarks</h2>
<p>The test files for the various versions of Benchmarks can be found in directories
with same name as the Benchmark versions under the <code>cfg</code> directory next to the kube-bench executable,
for example <code>./cfg/cis-1.5</code> will contain all test files for <a href="https://workbench.cisecurity.org/benchmarks/4892">CIS Kubernetes Benchmark v1.5.1</a> which are:
master.yaml, controlplane.yaml, node.yaml, etcd.yaml, policies.yaml and config.yaml </p>
<p>Check the contents of the benchmark directory under <code>cfg</code> to see which targets are available for that benchmark. Each file except <code>config.yaml</code> represents a target (also known as a <code>control</code> in other parts of this documentation). </p>
<p>The following table shows the valid targets based on the CIS Benchmark version.</p>
<table>
<thead>
<tr>
<th>CIS Benchmark</th>
<th>Targets</th>
</tr>
</thead>
<tbody>
<tr>
<td>cis-1.5</td>
<td>master, controlplane, node, etcd, policies</td>
</tr>
<tr>
<td>cis-1.6</td>
<td>master, controlplane, node, etcd, policies</td>
</tr>
<tr>
<td>cis-1.20</td>
<td>master, controlplane, node, etcd, policies</td>
</tr>
<tr>
<td>gke-1.0</td>
<td>master, controlplane, node, etcd, policies, managedservices</td>
</tr>
<tr>
<td>eks-1.0.1</td>
<td>controlplane, node, policies, managedservices</td>
</tr>
<tr>
<td>ack-1.0</td>
<td>master, controlplane, node, etcd, policies, managedservices</td>
</tr>
<tr>
<td>aks-1.0</td>
<td>controlplane, node, policies, managedservices</td>
</tr>
<tr>
<td>rh-0.7</td>
<td>master,node</td>
</tr>
<tr>
<td>rh-1.0</td>
<td>master, controlplane, node, etcd, policies</td>
</tr>
</tbody>
</table>
</article>
</div>
</div>
</main>
<footer class="md-footer">
<nav class="md-footer__inner md-grid" aria-label="Footer">
<a href="../controls/" class="md-footer__link md-footer__link--prev" aria-label="Previous: Understanding the yamls" rel="prev">
<div class="md-footer__button md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M20 11v2H8l5.5 5.5-1.42 1.42L4.16 12l7.92-7.92L13.5 5.5 8 11h12z"/></svg>
</div>
<div class="md-footer__title">
<div class="md-ellipsis">
<span class="md-footer__direction">
Previous
</span>
Understanding the yamls
</div>
</div>
</a>
</nav>
<div class="md-footer-meta md-typeset">
<div class="md-footer-meta__inner md-grid">
<div class="md-copyright">
</div>
</div>
</div>
</footer>
</div>
<div class="md-dialog" data-md-component="dialog">
<div class="md-dialog__inner md-typeset"></div>
</div>
<script id="__config" type="application/json">{"base": "..", "features": [], "translations": {"clipboard.copy": "Copy to clipboard", "clipboard.copied": "Copied to clipboard", "search.config.lang": "en", "search.config.pipeline": "stopWordFilter", "search.config.separator": "[\\s\\-]+", "search.placeholder": "Search", "search.result.placeholder": "Type to start searching", "search.result.none": "No matching documents", "search.result.one": "1 matching document", "search.result.other": "# matching documents", "search.result.more.one": "1 more on this page", "search.result.more.other": "# more on this page", "search.result.term.missing": "Missing", "select.version.title": "Select version"}, "search": "../assets/javascripts/workers/search.81d897cb.min.js", "version": {"method": "mike", "provider": "mike"}}</script>
<script src="../assets/javascripts/bundle.adafc647.min.js"></script>
</body>
</html>

@ -0,0 +1,653 @@
<!doctype html>
<html lang="en" class="no-js">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width,initial-scale=1">
<meta name="description" content="Checks whether Kubernetes is deployed according to security best practices as defined in the CIS Kubernetes Benchmark">
<link rel="canonical" href="https://aquasecurity.github.io/kube-bench/v0.6.5/asff/">
<link rel="icon" href="../assets/images/favicon.png">
<meta name="generator" content="mkdocs-1.2.3, mkdocs-material-8.0.2+insiders-4.1.0">
<title>ASFF - Kube-bench</title>
<link rel="stylesheet" href="../assets/stylesheets/main.adb7b03c.min.css">
<link rel="stylesheet" href="../assets/stylesheets/palette.fe799546.min.css">
<link rel="preload" as="style" href="../assets/stylesheets/vendor/mermaid.733f213f.min.css">
<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto:300,400,400i,700%7CRoboto+Mono&display=fallback">
<style>:root{--md-text-font:"Roboto";--md-code-font:"Roboto Mono"}</style>
<script>function __md_scope(e,t,_){return new URL(_||(t===localStorage?"..":".."),location).pathname+"."+e}function __md_get(e,t=localStorage,_){return JSON.parse(t.getItem(__md_scope(e,t,_)))}function __md_set(e,t,_=localStorage,o){try{_.setItem(__md_scope(e,_,o),JSON.stringify(t))}catch(e){}}</script>
</head>
<body dir="ltr" data-md-color-scheme="" data-md-color-primary="none" data-md-color-accent="none">
<input class="md-toggle" data-md-toggle="drawer" type="checkbox" id="__drawer" autocomplete="off">
<input class="md-toggle" data-md-toggle="search" type="checkbox" id="__search" autocomplete="off">
<label class="md-overlay" for="__drawer"></label>
<div data-md-component="skip">
<a href="#integrating-kube-bench-with-aws-security-hub" class="md-skip">
Skip to content
</a>
</div>
<div data-md-component="announce">
</div>
<div data-md-component="outdated" hidden>
</div>
<header class="md-header" data-md-component="header">
<nav class="md-header__inner md-grid" aria-label="Header">
<a href=".." title="Kube-bench" class="md-header__button md-logo" aria-label="Kube-bench" data-md-component="logo">
<img src="../images/kube-bench-logo-only.png" alt="logo">
</a>
<label class="md-header__button md-icon" for="__drawer">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M3 6h18v2H3V6m0 5h18v2H3v-2m0 5h18v2H3v-2z"/></svg>
</label>
<div class="md-header__title" data-md-component="header-title">
<div class="md-header__ellipsis">
<div class="md-header__topic">
<span class="md-ellipsis">
Kube-bench
</span>
</div>
<div class="md-header__topic" data-md-component="header-topic">
<span class="md-ellipsis">
ASFF
</span>
</div>
</div>
</div>
<label class="md-header__button md-icon" for="__search">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.516 6.516 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5z"/></svg>
</label>
<div class="md-search" data-md-component="search" role="dialog">
<label class="md-search__overlay" for="__search"></label>
<div class="md-search__inner" role="search">
<form class="md-search__form" name="search">
<input type="text" class="md-search__input" name="query" aria-label="Search" placeholder="Search" autocapitalize="off" autocorrect="off" autocomplete="off" spellcheck="false" data-md-component="search-query" required>
<label class="md-search__icon md-icon" for="__search">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.516 6.516 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5z"/></svg>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M20 11v2H8l5.5 5.5-1.42 1.42L4.16 12l7.92-7.92L13.5 5.5 8 11h12z"/></svg>
</label>
<nav class="md-search__options" aria-label="Search">
<button type="reset" class="md-search__icon md-icon" aria-label="Clear" tabindex="-1">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M19 6.41 17.59 5 12 10.59 6.41 5 5 6.41 10.59 12 5 17.59 6.41 19 12 13.41 17.59 19 19 17.59 13.41 12 19 6.41z"/></svg>
</button>
</nav>
</form>
<div class="md-search__output">
<div class="md-search__scrollwrap" data-md-scrollfix>
<div class="md-search-result" data-md-component="search-result">
<div class="md-search-result__meta">
Initializing search
</div>
<ol class="md-search-result__list"></ol>
</div>
</div>
</div>
</div>
</div>
<div class="md-header__source">
<a href="https://github.com/aquasecurity/kube-bench/" title="Go to repository" class="md-source" data-md-component="source">
<div class="md-source__icon md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512"><path d="M439.55 236.05 244 40.45a28.87 28.87 0 0 0-40.81 0l-40.66 40.63 51.52 51.52c27.06-9.14 52.68 16.77 43.39 43.68l49.66 49.66c34.23-11.8 61.18 31 35.47 56.69-26.49 26.49-70.21-2.87-56-37.34L240.22 199v121.85c25.3 12.54 22.26 41.85 9.08 55a34.34 34.34 0 0 1-48.55 0c-17.57-17.6-11.07-46.91 11.25-56v-123c-20.8-8.51-24.6-30.74-18.64-45L142.57 101 8.45 235.14a28.86 28.86 0 0 0 0 40.81l195.61 195.6a28.86 28.86 0 0 0 40.8 0l194.69-194.69a28.86 28.86 0 0 0 0-40.81z"/></svg>
</div>
<div class="md-source__repository">
GitHub
</div>
</a>
</div>
</nav>
</header>
<div class="md-container" data-md-component="container">
<main class="md-main" data-md-component="main">
<div class="md-main__inner md-grid">
<div class="md-sidebar md-sidebar--primary" data-md-component="sidebar" data-md-type="navigation" >
<div class="md-sidebar__scrollwrap">
<div class="md-sidebar__inner">
<nav class="md-nav md-nav--primary" aria-label="Navigation" data-md-level="0">
<label class="md-nav__title" for="__drawer">
<a href=".." title="Kube-bench" class="md-nav__button md-logo" aria-label="Kube-bench" data-md-component="logo">
<img src="../images/kube-bench-logo-only.png" alt="logo">
</a>
Kube-bench
</label>
<div class="md-nav__source">
<a href="https://github.com/aquasecurity/kube-bench/" title="Go to repository" class="md-source" data-md-component="source">
<div class="md-source__icon md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512"><path d="M439.55 236.05 244 40.45a28.87 28.87 0 0 0-40.81 0l-40.66 40.63 51.52 51.52c27.06-9.14 52.68 16.77 43.39 43.68l49.66 49.66c34.23-11.8 61.18 31 35.47 56.69-26.49 26.49-70.21-2.87-56-37.34L240.22 199v121.85c25.3 12.54 22.26 41.85 9.08 55a34.34 34.34 0 0 1-48.55 0c-17.57-17.6-11.07-46.91 11.25-56v-123c-20.8-8.51-24.6-30.74-18.64-45L142.57 101 8.45 235.14a28.86 28.86 0 0 0 0 40.81l195.61 195.6a28.86 28.86 0 0 0 40.8 0l194.69-194.69a28.86 28.86 0 0 0 0-40.81z"/></svg>
</div>
<div class="md-source__repository">
GitHub
</div>
</a>
</div>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href=".." class="md-nav__link">
Overview
</a>
</li>
<li class="md-nav__item md-nav__item--active md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_2" type="checkbox" id="__nav_2" checked>
<label class="md-nav__link" for="__nav_2">
Getting Started
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Getting Started" data-md-level="1">
<label class="md-nav__title" for="__nav_2">
<span class="md-nav__icon md-icon"></span>
Getting Started
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../installation/" class="md-nav__link">
Installation
</a>
</li>
<li class="md-nav__item">
<a href="../platforms/" class="md-nav__link">
Platforms
</a>
</li>
<li class="md-nav__item">
<a href="../running/" class="md-nav__link">
How to run
</a>
</li>
<li class="md-nav__item md-nav__item--active">
<input class="md-nav__toggle md-toggle" data-md-toggle="toc" type="checkbox" id="__toc">
<label class="md-nav__link md-nav__link--active" for="__toc">
ASFF
<span class="md-nav__icon md-icon"></span>
</label>
<a href="./" class="md-nav__link md-nav__link--active">
ASFF
</a>
<nav class="md-nav md-nav--secondary" aria-label="Table of contents">
<label class="md-nav__title" for="__toc">
<span class="md-nav__icon md-icon"></span>
Table of contents
</label>
<ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
<li class="md-nav__item">
<a href="#enable-the-aws-security-hub-integration" class="md-nav__link">
Enable the AWS Security Hub integration
</a>
</li>
<li class="md-nav__item">
<a href="#configure-permissions-in-an-iam-role" class="md-nav__link">
Configure permissions in an IAM Role
</a>
<nav class="md-nav" aria-label="Configure permissions in an IAM Role">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#modify-the-job-configuration" class="md-nav__link">
Modify the job configuration
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="../flags-and-commands/" class="md-nav__link">
Flags
</a>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_4" type="checkbox" id="__nav_4" >
<label class="md-nav__link" for="__nav_4">
Configuration Options
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Configuration Options" data-md-level="1">
<label class="md-nav__title" for="__nav_4">
<span class="md-nav__icon md-icon"></span>
Configuration Options
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../controls/" class="md-nav__link">
Understanding the yamls
</a>
</li>
<li class="md-nav__item">
<a href="../architecture/" class="md-nav__link">
Architecture
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="../CONTRIBUTING.md" class="md-nav__link">
Contributing
</a>
</li>
</ul>
</nav>
</div>
</div>
</div>
<div class="md-sidebar md-sidebar--secondary" data-md-component="sidebar" data-md-type="toc" >
<div class="md-sidebar__scrollwrap">
<div class="md-sidebar__inner">
<nav class="md-nav md-nav--secondary" aria-label="Table of contents">
<label class="md-nav__title" for="__toc">
<span class="md-nav__icon md-icon"></span>
Table of contents
</label>
<ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
<li class="md-nav__item">
<a href="#enable-the-aws-security-hub-integration" class="md-nav__link">
Enable the AWS Security Hub integration
</a>
</li>
<li class="md-nav__item">
<a href="#configure-permissions-in-an-iam-role" class="md-nav__link">
Configure permissions in an IAM Role
</a>
<nav class="md-nav" aria-label="Configure permissions in an IAM Role">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#modify-the-job-configuration" class="md-nav__link">
Modify the job configuration
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</div>
</div>
</div>
<div class="md-content" data-md-component="content">
<article class="md-content__inner md-typeset">
<h1 id="integrating-kube-bench-with-aws-security-hub">Integrating kube-bench with AWS Security Hub</h1>
<p>You can configure kube-bench with the <code>--asff</code> to send findings to AWS Security Hub. There are some additional steps required so that kube-bench has information and permissions to send these findings.</p>
<h2 id="enable-the-aws-security-hub-integration">Enable the AWS Security Hub integration</h2>
<ul>
<li>You will need AWS Security Hub to be enabled in your account</li>
<li>In the Security Hub console, under Integrations, search for kube-bench</li>
</ul>
<p align="center">
<img src="./images/kube-bench-security-hub.png">
</p>
<ul>
<li>Click on <code>Accept findings</code>. This gives information about the IAM permissions required to send findings to your Security Hub account. kube-bench runs within a pod on your EKS cluster, and will need to be associated with a Role that has these permissions.</li>
</ul>
<h2 id="configure-permissions-in-an-iam-role">Configure permissions in an IAM Role</h2>
<ul>
<li>Grant these permissions to the IAM Role that the kube-bench pod will be associated with. There are two options:</li>
<li>You can run the kube-bench pod under a specific <a href="https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html">service account associated with an IAM role</a> that has these permissions to write Security Hub findings.</li>
<li>Alternatively the pod can be granted permissions specified by the Role that your <a href="https://docs.aws.amazon.com/eks/latest/userguide/managed-node-groups.html">EKS node group uses</a>.</li>
</ul>
<p>Here is an example IAM Policy that you can attach to your EKS node group's IAM Role: </p>
<div class="highlight"><pre><span></span><code><span class="p">{</span>
<span class="nt">&quot;Version&quot;</span><span class="p">:</span> <span class="s2">&quot;2012-10-17&quot;</span><span class="p">,</span>
<span class="nt">&quot;Statement&quot;</span><span class="p">:</span> <span class="p">[</span>
<span class="p">{</span>
<span class="nt">&quot;Effect&quot;</span><span class="p">:</span> <span class="s2">&quot;Allow&quot;</span><span class="p">,</span>
<span class="nt">&quot;Action&quot;</span><span class="p">:</span> <span class="s2">&quot;securityhub:BatchImportFindings&quot;</span><span class="p">,</span>
<span class="nt">&quot;Resource&quot;</span><span class="p">:</span> <span class="p">[</span>
<span class="s2">&quot;arn:aws:securityhub:us-east-1::product/aqua-security/kube-bench&quot;</span>
<span class="p">]</span>
<span class="p">}</span>
<span class="p">]</span>
<span class="p">}</span>
</code></pre></div>
<h3 id="modify-the-job-configuration">Modify the job configuration</h3>
<ul>
<li>Modify the kube-bench Configmap in <code>job-eks-asff.yaml</code> to specify the AWS account, AWS region, and the EKS Cluster ARN.</li>
<li>In the same file, modify the image specifed in the Job to use the kube-bench image pushed to your ECR</li>
<li>[Optional] - If you have created a dedicated IAM role to be used with kube-bench as described above in <a href="#configure-permissions-in-an-iam-role">Configure permissions in an IAM Role</a>, you will need to add the IAM role arn to the kube-bench ServiceAccount in <code>job-eks-asff.yaml</code>.</li>
<li>Make sure that <code>job-eks-asff.yaml</code> specifies the container image you just pushed to your ECR registry.</li>
</ul>
<p>You can now run kube-bench as a pod in your cluster: <code>kubectl apply -f job-eks-asff.yaml</code></p>
<p>Findings will be generated for any kube-bench test that generates a <code>[FAIL]</code> or <code>[WARN]</code> output. If all tests pass, no findings will be generated. However, it's recommended that you consult the pod log output to check whether any findings were generated but could not be written to Security Hub.</p>
<p align="center">
<img src="./images/asff-example-finding.png">
</p>
</article>
</div>
</div>
</main>
<footer class="md-footer">
<nav class="md-footer__inner md-grid" aria-label="Footer">
<a href="../running/" class="md-footer__link md-footer__link--prev" aria-label="Previous: How to run" rel="prev">
<div class="md-footer__button md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M20 11v2H8l5.5 5.5-1.42 1.42L4.16 12l7.92-7.92L13.5 5.5 8 11h12z"/></svg>
</div>
<div class="md-footer__title">
<div class="md-ellipsis">
<span class="md-footer__direction">
Previous
</span>
How to run
</div>
</div>
</a>
<a href="../flags-and-commands/" class="md-footer__link md-footer__link--next" aria-label="Next: Flags" rel="next">
<div class="md-footer__title">
<div class="md-ellipsis">
<span class="md-footer__direction">
Next
</span>
Flags
</div>
</div>
<div class="md-footer__button md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M4 11v2h12l-5.5 5.5 1.42 1.42L19.84 12l-7.92-7.92L10.5 5.5 16 11H4z"/></svg>
</div>
</a>
</nav>
<div class="md-footer-meta md-typeset">
<div class="md-footer-meta__inner md-grid">
<div class="md-copyright">
</div>
</div>
</div>
</footer>
</div>
<div class="md-dialog" data-md-component="dialog">
<div class="md-dialog__inner md-typeset"></div>
</div>
<script id="__config" type="application/json">{"base": "..", "features": [], "translations": {"clipboard.copy": "Copy to clipboard", "clipboard.copied": "Copied to clipboard", "search.config.lang": "en", "search.config.pipeline": "stopWordFilter", "search.config.separator": "[\\s\\-]+", "search.placeholder": "Search", "search.result.placeholder": "Type to start searching", "search.result.none": "No matching documents", "search.result.one": "1 matching document", "search.result.other": "# matching documents", "search.result.more.one": "1 more on this page", "search.result.more.other": "# more on this page", "search.result.term.missing": "Missing", "select.version.title": "Select version"}, "search": "../assets/javascripts/workers/search.81d897cb.min.js", "version": {"method": "mike", "provider": "mike"}}</script>
<script src="../assets/javascripts/bundle.adafc647.min.js"></script>
</body>
</html>


@ -0,0 +1,18 @@
/*!
* Lunr languages, `Danish` language
* https://github.com/MihaiValentin/lunr-languages
*
* Copyright 2014, Mihai Valentin
* http://www.mozilla.org/MPL/
*/
/*!
* based on
* Snowball JavaScript Library v0.3
* http://code.google.com/p/urim/
* http://snowball.tartarus.org/
*
* Copyright 2010, Oleg Mazko
* http://www.mozilla.org/MPL/
*/
!function(e,r){"function"==typeof define&&define.amd?define(r):"object"==typeof exports?module.exports=r():r()(e.lunr)}(this,function(){return function(e){if(void 0===e)throw new Error("Lunr is not present. Please include / require Lunr before this script.");if(void 0===e.stemmerSupport)throw new Error("Lunr stemmer support is not present. Please include / require Lunr stemmer support before this script.");e.da=function(){this.pipeline.reset(),this.pipeline.add(e.da.trimmer,e.da.stopWordFilter,e.da.stemmer),this.searchPipeline&&(this.searchPipeline.reset(),this.searchPipeline.add(e.da.stemmer))},e.da.wordCharacters="A-Za-zªºÀ-ÖØ-öø-ʸˠ-ˤᴀ-ᴥᴬ-ᵜᵢ-ᵥᵫ-ᵷᵹ-ᶾḀ-ỿⁱⁿₐ-ₜKÅℲⅎⅠ-ↈⱠ-ⱿꜢ-ꞇꞋ-ꞭꞰ-ꞷꟷ-ꟿꬰ-ꭚꭜ-ꭤff-stA--",e.da.trimmer=e.trimmerSupport.generateTrimmer(e.da.wordCharacters),e.Pipeline.registerFunction(e.da.trimmer,"trimmer-da"),e.da.stemmer=function(){var r=e.stemmerSupport.Among,i=e.stemmerSupport.SnowballProgram,n=new function(){function e(){var e,r=f.cursor+3;if(d=f.limit,0<=r&&r<=f.limit){for(a=r;;){if(e=f.cursor,f.in_grouping(w,97,248)){f.cursor=e;break}if(f.cursor=e,e>=f.limit)return;f.cursor++}for(;!f.out_grouping(w,97,248);){if(f.cursor>=f.limit)return;f.cursor++}d=f.cursor,d<a&&(d=a)}}function n(){var e,r;if(f.cursor>=d&&(r=f.limit_backward,f.limit_backward=d,f.ket=f.cursor,e=f.find_among_b(c,32),f.limit_backward=r,e))switch(f.bra=f.cursor,e){case 1:f.slice_del();break;case 2:f.in_grouping_b(p,97,229)&&f.slice_del()}}function t(){var e,r=f.limit-f.cursor;f.cursor>=d&&(e=f.limit_backward,f.limit_backward=d,f.ket=f.cursor,f.find_among_b(l,4)?(f.bra=f.cursor,f.limit_backward=e,f.cursor=f.limit-r,f.cursor>f.limit_backward&&(f.cursor--,f.bra=f.cursor,f.slice_del())):f.limit_backward=e)}function s(){var e,r,i,n=f.limit-f.cursor;if(f.ket=f.cursor,f.eq_s_b(2,"st")&&(f.bra=f.cursor,f.eq_s_b(2,"ig")&&f.slice_del()),f.cursor=f.limit-n,f.cursor>=d&&(r=f.limit_backward,f.limit_backward=d,f.ket=f.cursor,e=f.find_among_b(m,5),f.limit_backward=r,e))switch(f.bra=f.cursor,e){case 
1:f.slice_del(),i=f.limit-f.cursor,t(),f.cursor=f.limit-i;break;case 2:f.slice_from("løs")}}function o(){var e;f.cursor>=d&&(e=f.limit_backward,f.limit_backward=d,f.ket=f.cursor,f.out_grouping_b(w,97,248)?(f.bra=f.cursor,u=f.slice_to(u),f.limit_backward=e,f.eq_v_b(u)&&f.slice_del()):f.limit_backward=e)}var a,d,u,c=[new r("hed",-1,1),new r("ethed",0,1),new r("ered",-1,1),new r("e",-1,1),new r("erede",3,1),new r("ende",3,1),new r("erende",5,1),new r("ene",3,1),new r("erne",3,1),new r("ere",3,1),new r("en",-1,1),new r("heden",10,1),new r("eren",10,1),new r("er",-1,1),new r("heder",13,1),new r("erer",13,1),new r("s",-1,2),new r("heds",16,1),new r("es",16,1),new r("endes",18,1),new r("erendes",19,1),new r("enes",18,1),new r("ernes",18,1),new r("eres",18,1),new r("ens",16,1),new r("hedens",24,1),new r("erens",24,1),new r("ers",16,1),new r("ets",16,1),new r("erets",28,1),new r("et",-1,1),new r("eret",30,1)],l=[new r("gd",-1,-1),new r("dt",-1,-1),new r("gt",-1,-1),new r("kt",-1,-1)],m=[new r("ig",-1,1),new r("lig",0,1),new r("elig",1,1),new r("els",-1,1),new r("løst",-1,2)],w=[17,65,16,1,0,0,0,0,0,0,0,0,0,0,0,0,48,0,128],p=[239,254,42,3,0,0,0,0,0,0,0,0,0,0,0,0,16],f=new i;this.setCurrent=function(e){f.setCurrent(e)},this.getCurrent=function(){return f.getCurrent()},this.stem=function(){var r=f.cursor;return e(),f.limit_backward=r,f.cursor=f.limit,n(),f.cursor=f.limit,t(),f.cursor=f.limit,s(),f.cursor=f.limit,o(),!0}};return function(e){return"function"==typeof e.update?e.update(function(e){return n.setCurrent(e),n.stem(),n.getCurrent()}):(n.setCurrent(e),n.stem(),n.getCurrent())}}(),e.Pipeline.registerFunction(e.da.stemmer,"stemmer-da"),e.da.stopWordFilter=e.generateStopWordFilter("ad af alle alt anden at blev blive bliver da de dem den denne der deres det dette dig din disse dog du efter eller en end er et for fra ham han hans har havde have hende hendes her hos hun hvad hvis hvor i ikke ind jeg jer jo kunne man mange med meget men mig min mine mit mod ned noget nogle nu 
når og også om op os over på selv sig sin sine sit skal skulle som sådan thi til ud under var vi vil ville vor være været".split(" ")),e.Pipeline.registerFunction(e.da.stopWordFilter,"stopWordFilter-da")}});


@ -0,0 +1 @@
!function(e,r){"function"==typeof define&&define.amd?define(r):"object"==typeof exports?module.exports=r():r()(e.lunr)}(this,function(){return function(e){if(void 0===e)throw new Error("Lunr is not present. Please include / require Lunr before this script.");if(void 0===e.stemmerSupport)throw new Error("Lunr stemmer support is not present. Please include / require Lunr stemmer support before this script.");e.hi=function(){this.pipeline.reset(),this.pipeline.add(e.hi.trimmer,e.hi.stopWordFilter,e.hi.stemmer),this.searchPipeline&&(this.searchPipeline.reset(),this.searchPipeline.add(e.hi.stemmer))},e.hi.wordCharacters="ऀ-ःऄ-एऐ-टठ-यर-िी-ॏॐ-य़ॠ-९॰-ॿa-zA-Z--0-9-",e.hi.trimmer=e.trimmerSupport.generateTrimmer(e.hi.wordCharacters),e.Pipeline.registerFunction(e.hi.trimmer,"trimmer-hi"),e.hi.stopWordFilter=e.generateStopWordFilter("अत अपना अपनी अपने अभी अंदर आदि आप इत्यादि इन इनका इन्हीं इन्हें इन्हों इस इसका इसकी इसके इसमें इसी इसे उन उनका उनकी उनके उनको उन्हीं उन्हें उन्हों उस उसके उसी उसे एक एवं एस ऐसे और कई कर करता करते करना करने करें कहते कहा का काफ़ी कि कितना किन्हें किन्हों किया किर किस किसी किसे की कुछ कुल के को कोई कौन कौनसा गया घर जब जहाँ जा जितना जिन जिन्हें जिन्हों जिस जिसे जीधर जैसा जैसे जो तक तब तरह तिन तिन्हें तिन्हों तिस तिसे तो था थी थे दबारा दिया दुसरा दूसरे दो द्वारा न नके नहीं ना निहायत नीचे ने पर पहले पूरा पे फिर बनी बही बहुत बाद बाला बिलकुल भी भीतर मगर मानो मे में यदि यह यहाँ यही या यिह ये रखें रहा रहे ऱ्वासा लिए लिये लेकिन व वग़ैरह वर्ग वह वहाँ वहीं वाले वुह वे वो सकता सकते सबसे सभी साथ साबुत साभ सारा से सो संग ही हुआ हुई हुए है हैं हो होता होती होते होना होने".split(" ")),e.hi.stemmer=function(){return function(e){return"function"==typeof e.update?e.update(function(e){return e}):e}}();var r=e.wordcut;r.init(),e.hi.tokenizer=function(i){if(!arguments.length||null==i||void 0==i)return[];if(Array.isArray(i))return i.map(function(r){return isLunr2?new e.Token(r.toLowerCase()):r.toLowerCase()});var t=i.toString().toLowerCase().replace(/^\s+/,"");return 
r.cut(t).split("|")},e.Pipeline.registerFunction(e.hi.stemmer,"stemmer-hi"),e.Pipeline.registerFunction(e.hi.stopWordFilter,"stopWordFilter-hi")}});


@ -0,0 +1 @@
!function(e,r){"function"==typeof define&&define.amd?define(r):"object"==typeof exports?module.exports=r():r()(e.lunr)}(this,function(){return function(e){if(void 0===e)throw new Error("Lunr is not present. Please include / require Lunr before this script.");if(void 0===e.stemmerSupport)throw new Error("Lunr stemmer support is not present. Please include / require Lunr stemmer support before this script.");var r="2"==e.version[0];e.ja=function(){this.pipeline.reset(),this.pipeline.add(e.ja.trimmer,e.ja.stopWordFilter,e.ja.stemmer),r?this.tokenizer=e.ja.tokenizer:(e.tokenizer&&(e.tokenizer=e.ja.tokenizer),this.tokenizerFn&&(this.tokenizerFn=e.ja.tokenizer))};var t=new e.TinySegmenter;e.ja.tokenizer=function(i){var n,o,s,p,a,u,m,l,c,f;if(!arguments.length||null==i||void 0==i)return[];if(Array.isArray(i))return i.map(function(t){return r?new e.Token(t.toLowerCase()):t.toLowerCase()});for(o=i.toString().toLowerCase().replace(/^\s+/,""),n=o.length-1;n>=0;n--)if(/\S/.test(o.charAt(n))){o=o.substring(0,n+1);break}for(a=[],s=o.length,c=0,l=0;c<=s;c++)if(u=o.charAt(c),m=c-l,u.match(/\s/)||c==s){if(m>0)for(p=t.segment(o.slice(l,c)).filter(function(e){return!!e}),f=l,n=0;n<p.length;n++)r?a.push(new e.Token(p[n],{position:[f,p[n].length],index:a.length})):a.push(p[n]),f+=p[n].length;l=c+1}return a},e.ja.stemmer=function(){return function(e){return e}}(),e.Pipeline.registerFunction(e.ja.stemmer,"stemmer-ja"),e.ja.wordCharacters="一二三四五六七八九十百千万億兆一-龠々〆ヵヶぁ-んァ-ヴーア-ン゙a-zA-Z--0-9-",e.ja.trimmer=e.trimmerSupport.generateTrimmer(e.ja.wordCharacters),e.Pipeline.registerFunction(e.ja.trimmer,"trimmer-ja"),e.ja.stopWordFilter=e.generateStopWordFilter("これ それ あれ この その あの ここ そこ あそこ こちら どこ だれ なに なん 何 私 貴方 貴方方 我々 私達 あの人 あのかた 彼女 彼 です あります おります います は が の に を で え から まで より も どの と し それで しかし".split(" 
")),e.Pipeline.registerFunction(e.ja.stopWordFilter,"stopWordFilter-ja"),e.jp=e.ja,e.Pipeline.registerFunction(e.jp.stemmer,"stemmer-jp"),e.Pipeline.registerFunction(e.jp.trimmer,"trimmer-jp"),e.Pipeline.registerFunction(e.jp.stopWordFilter,"stopWordFilter-jp")}});

@ -0,0 +1 @@
module.exports=require("./lunr.ja");

@ -0,0 +1 @@
!function(e,t){"function"==typeof define&&define.amd?define(t):"object"==typeof exports?module.exports=t():t()(e.lunr)}(this,function(){return function(e){e.multiLanguage=function(){for(var t=Array.prototype.slice.call(arguments),i=t.join("-"),r="",n=[],s=[],p=0;p<t.length;++p)"en"==t[p]?(r+="\\w",n.unshift(e.stopWordFilter),n.push(e.stemmer),s.push(e.stemmer)):(r+=e[t[p]].wordCharacters,e[t[p]].stopWordFilter&&n.unshift(e[t[p]].stopWordFilter),e[t[p]].stemmer&&(n.push(e[t[p]].stemmer),s.push(e[t[p]].stemmer)));var o=e.trimmerSupport.generateTrimmer(r);return e.Pipeline.registerFunction(o,"lunr-multi-trimmer-"+i),n.unshift(o),function(){this.pipeline.reset(),this.pipeline.add.apply(this.pipeline,n),this.searchPipeline&&(this.searchPipeline.reset(),this.searchPipeline.add.apply(this.searchPipeline,s))}}}});


@ -0,0 +1,18 @@
/*!
* Lunr languages, `Norwegian` language
* https://github.com/MihaiValentin/lunr-languages
*
* Copyright 2014, Mihai Valentin
* http://www.mozilla.org/MPL/
*/
/*!
* based on
* Snowball JavaScript Library v0.3
* http://code.google.com/p/urim/
* http://snowball.tartarus.org/
*
* Copyright 2010, Oleg Mazko
* http://www.mozilla.org/MPL/
*/
!function(e,r){"function"==typeof define&&define.amd?define(r):"object"==typeof exports?module.exports=r():r()(e.lunr)}(this,function(){return function(e){if(void 0===e)throw new Error("Lunr is not present. Please include / require Lunr before this script.");if(void 0===e.stemmerSupport)throw new Error("Lunr stemmer support is not present. Please include / require Lunr stemmer support before this script.");e.no=function(){this.pipeline.reset(),this.pipeline.add(e.no.trimmer,e.no.stopWordFilter,e.no.stemmer),this.searchPipeline&&(this.searchPipeline.reset(),this.searchPipeline.add(e.no.stemmer))},e.no.wordCharacters="A-Za-zªºÀ-ÖØ-öø-ʸˠ-ˤᴀ-ᴥᴬ-ᵜᵢ-ᵥᵫ-ᵷᵹ-ᶾḀ-ỿⁱⁿₐ-ₜKÅℲⅎⅠ-ↈⱠ-ⱿꜢ-ꞇꞋ-ꞭꞰ-ꞷꟷ-ꟿꬰ-ꭚꭜ-ꭤff-stA--",e.no.trimmer=e.trimmerSupport.generateTrimmer(e.no.wordCharacters),e.Pipeline.registerFunction(e.no.trimmer,"trimmer-no"),e.no.stemmer=function(){var r=e.stemmerSupport.Among,n=e.stemmerSupport.SnowballProgram,i=new function(){function e(){var e,r=w.cursor+3;if(a=w.limit,0<=r||r<=w.limit){for(s=r;;){if(e=w.cursor,w.in_grouping(d,97,248)){w.cursor=e;break}if(e>=w.limit)return;w.cursor=e+1}for(;!w.out_grouping(d,97,248);){if(w.cursor>=w.limit)return;w.cursor++}a=w.cursor,a<s&&(a=s)}}function i(){var e,r,n;if(w.cursor>=a&&(r=w.limit_backward,w.limit_backward=a,w.ket=w.cursor,e=w.find_among_b(m,29),w.limit_backward=r,e))switch(w.bra=w.cursor,e){case 1:w.slice_del();break;case 2:n=w.limit-w.cursor,w.in_grouping_b(c,98,122)?w.slice_del():(w.cursor=w.limit-n,w.eq_s_b(1,"k")&&w.out_grouping_b(d,97,248)&&w.slice_del());break;case 3:w.slice_from("er")}}function t(){var e,r=w.limit-w.cursor;w.cursor>=a&&(e=w.limit_backward,w.limit_backward=a,w.ket=w.cursor,w.find_among_b(u,2)?(w.bra=w.cursor,w.limit_backward=e,w.cursor=w.limit-r,w.cursor>w.limit_backward&&(w.cursor--,w.bra=w.cursor,w.slice_del())):w.limit_backward=e)}function o(){var 
e,r;w.cursor>=a&&(r=w.limit_backward,w.limit_backward=a,w.ket=w.cursor,e=w.find_among_b(l,11),e?(w.bra=w.cursor,w.limit_backward=r,1==e&&w.slice_del()):w.limit_backward=r)}var s,a,m=[new r("a",-1,1),new r("e",-1,1),new r("ede",1,1),new r("ande",1,1),new r("ende",1,1),new r("ane",1,1),new r("ene",1,1),new r("hetene",6,1),new r("erte",1,3),new r("en",-1,1),new r("heten",9,1),new r("ar",-1,1),new r("er",-1,1),new r("heter",12,1),new r("s",-1,2),new r("as",14,1),new r("es",14,1),new r("edes",16,1),new r("endes",16,1),new r("enes",16,1),new r("hetenes",19,1),new r("ens",14,1),new r("hetens",21,1),new r("ers",14,1),new r("ets",14,1),new r("et",-1,1),new r("het",25,1),new r("ert",-1,3),new r("ast",-1,1)],u=[new r("dt",-1,-1),new r("vt",-1,-1)],l=[new r("leg",-1,1),new r("eleg",0,1),new r("ig",-1,1),new r("eig",2,1),new r("lig",2,1),new r("elig",4,1),new r("els",-1,1),new r("lov",-1,1),new r("elov",7,1),new r("slov",7,1),new r("hetslov",9,1)],d=[17,65,16,1,0,0,0,0,0,0,0,0,0,0,0,0,48,0,128],c=[119,125,149,1],w=new n;this.setCurrent=function(e){w.setCurrent(e)},this.getCurrent=function(){return w.getCurrent()},this.stem=function(){var r=w.cursor;return e(),w.limit_backward=r,w.cursor=w.limit,i(),w.cursor=w.limit,t(),w.cursor=w.limit,o(),!0}};return function(e){return"function"==typeof e.update?e.update(function(e){return i.setCurrent(e),i.stem(),i.getCurrent()}):(i.setCurrent(e),i.stem(),i.getCurrent())}}(),e.Pipeline.registerFunction(e.no.stemmer,"stemmer-no"),e.no.stopWordFilter=e.generateStopWordFilter("alle at av bare begge ble blei bli blir blitt både båe da de deg dei deim deira deires dem den denne der dere deres det dette di din disse ditt du dykk dykkar då eg ein eit eitt eller elles en enn er et ett etter for fordi fra før ha hadde han hans har hennar henne hennes her hjå ho hoe honom hoss hossen hun hva hvem hver hvilke hvilken hvis hvor hvordan hvorfor i ikke ikkje ikkje ingen ingi inkje inn inni ja jeg kan kom korleis korso kun kunne kva kvar kvarhelst kven kvi 
kvifor man mange me med medan meg meget mellom men mi min mine mitt mot mykje ned no noe noen noka noko nokon nokor nokre nå når og også om opp oss over på samme seg selv si si sia sidan siden sin sine sitt sjøl skal skulle slik so som som somme somt så sånn til um upp ut uten var vart varte ved vere verte vi vil ville vore vors vort vår være være vært å".split(" ")),e.Pipeline.registerFunction(e.no.stopWordFilter,"stopWordFilter-no")}});


@ -0,0 +1 @@
!function(r,t){"function"==typeof define&&define.amd?define(t):"object"==typeof exports?module.exports=t():t()(r.lunr)}(this,function(){return function(r){r.stemmerSupport={Among:function(r,t,i,s){if(this.toCharArray=function(r){for(var t=r.length,i=new Array(t),s=0;s<t;s++)i[s]=r.charCodeAt(s);return i},!r&&""!=r||!t&&0!=t||!i)throw"Bad Among initialisation: s:"+r+", substring_i: "+t+", result: "+i;this.s_size=r.length,this.s=this.toCharArray(r),this.substring_i=t,this.result=i,this.method=s},SnowballProgram:function(){var r;return{bra:0,ket:0,limit:0,cursor:0,limit_backward:0,setCurrent:function(t){r=t,this.cursor=0,this.limit=t.length,this.limit_backward=0,this.bra=this.cursor,this.ket=this.limit},getCurrent:function(){var t=r;return r=null,t},in_grouping:function(t,i,s){if(this.cursor<this.limit){var e=r.charCodeAt(this.cursor);if(e<=s&&e>=i&&(e-=i,t[e>>3]&1<<(7&e)))return this.cursor++,!0}return!1},in_grouping_b:function(t,i,s){if(this.cursor>this.limit_backward){var e=r.charCodeAt(this.cursor-1);if(e<=s&&e>=i&&(e-=i,t[e>>3]&1<<(7&e)))return this.cursor--,!0}return!1},out_grouping:function(t,i,s){if(this.cursor<this.limit){var e=r.charCodeAt(this.cursor);if(e>s||e<i)return this.cursor++,!0;if(e-=i,!(t[e>>3]&1<<(7&e)))return this.cursor++,!0}return!1},out_grouping_b:function(t,i,s){if(this.cursor>this.limit_backward){var e=r.charCodeAt(this.cursor-1);if(e>s||e<i)return this.cursor--,!0;if(e-=i,!(t[e>>3]&1<<(7&e)))return this.cursor--,!0}return!1},eq_s:function(t,i){if(this.limit-this.cursor<t)return!1;for(var s=0;s<t;s++)if(r.charCodeAt(this.cursor+s)!=i.charCodeAt(s))return!1;return this.cursor+=t,!0},eq_s_b:function(t,i){if(this.cursor-this.limit_backward<t)return!1;for(var s=0;s<t;s++)if(r.charCodeAt(this.cursor-t+s)!=i.charCodeAt(s))return!1;return this.cursor-=t,!0},find_among:function(t,i){for(var s=0,e=i,n=this.cursor,u=this.limit,o=0,h=0,c=!1;;){for(var 
a=s+(e-s>>1),f=0,l=o<h?o:h,_=t[a],m=l;m<_.s_size;m++){if(n+l==u){f=-1;break}if(f=r.charCodeAt(n+l)-_.s[m])break;l++}if(f<0?(e=a,h=l):(s=a,o=l),e-s<=1){if(s>0||e==s||c)break;c=!0}}for(;;){var _=t[s];if(o>=_.s_size){if(this.cursor=n+_.s_size,!_.method)return _.result;var b=_.method();if(this.cursor=n+_.s_size,b)return _.result}if((s=_.substring_i)<0)return 0}},find_among_b:function(t,i){for(var s=0,e=i,n=this.cursor,u=this.limit_backward,o=0,h=0,c=!1;;){for(var a=s+(e-s>>1),f=0,l=o<h?o:h,_=t[a],m=_.s_size-1-l;m>=0;m--){if(n-l==u){f=-1;break}if(f=r.charCodeAt(n-1-l)-_.s[m])break;l++}if(f<0?(e=a,h=l):(s=a,o=l),e-s<=1){if(s>0||e==s||c)break;c=!0}}for(;;){var _=t[s];if(o>=_.s_size){if(this.cursor=n-_.s_size,!_.method)return _.result;var b=_.method();if(this.cursor=n-_.s_size,b)return _.result}if((s=_.substring_i)<0)return 0}},replace_s:function(t,i,s){var e=s.length-(i-t),n=r.substring(0,t),u=r.substring(i);return r=n+s+u,this.limit+=e,this.cursor>=i?this.cursor+=e:this.cursor>t&&(this.cursor=t),e},slice_check:function(){if(this.bra<0||this.bra>this.ket||this.ket>this.limit||this.limit>r.length)throw"faulty slice operation"},slice_from:function(r){this.slice_check(),this.replace_s(this.bra,this.ket,r)},slice_del:function(){this.slice_from("")},insert:function(r,t,i){var s=this.replace_s(r,t,i);r<=this.bra&&(this.bra+=s),r<=this.ket&&(this.ket+=s)},slice_to:function(){return this.slice_check(),r.substring(this.bra,this.ket)},eq_v_b:function(r){return this.eq_s_b(r.length,r)}}}},r.trimmerSupport={generateTrimmer:function(r){var t=new RegExp("^[^"+r+"]+"),i=new RegExp("[^"+r+"]+$");return function(r){return"function"==typeof r.update?r.update(function(r){return r.replace(t,"").replace(i,"")}):r.replace(t,"").replace(i,"")}}}}});

@ -0,0 +1,18 @@
/*!
* Lunr languages, `Swedish` language
* https://github.com/MihaiValentin/lunr-languages
*
* Copyright 2014, Mihai Valentin
* http://www.mozilla.org/MPL/
*/
/*!
* based on
* Snowball JavaScript Library v0.3
* http://code.google.com/p/urim/
* http://snowball.tartarus.org/
*
* Copyright 2010, Oleg Mazko
* http://www.mozilla.org/MPL/
*/
!function(e,r){"function"==typeof define&&define.amd?define(r):"object"==typeof exports?module.exports=r():r()(e.lunr)}(this,function(){return function(e){if(void 0===e)throw new Error("Lunr is not present. Please include / require Lunr before this script.");if(void 0===e.stemmerSupport)throw new Error("Lunr stemmer support is not present. Please include / require Lunr stemmer support before this script.");e.sv=function(){this.pipeline.reset(),this.pipeline.add(e.sv.trimmer,e.sv.stopWordFilter,e.sv.stemmer),this.searchPipeline&&(this.searchPipeline.reset(),this.searchPipeline.add(e.sv.stemmer))},e.sv.wordCharacters="A-Za-zªºÀ-ÖØ-öø-ʸˠ-ˤᴀ-ᴥᴬ-ᵜᵢ-ᵥᵫ-ᵷᵹ-ᶾḀ-ỿⁱⁿₐ-ₜKÅℲⅎⅠ-ↈⱠ-ⱿꜢ-ꞇꞋ-ꞭꞰ-ꞷꟷ-ꟿꬰ-ꭚꭜ-ꭤff-stA--",e.sv.trimmer=e.trimmerSupport.generateTrimmer(e.sv.wordCharacters),e.Pipeline.registerFunction(e.sv.trimmer,"trimmer-sv"),e.sv.stemmer=function(){var r=e.stemmerSupport.Among,n=e.stemmerSupport.SnowballProgram,t=new function(){function e(){var e,r=w.cursor+3;if(o=w.limit,0<=r||r<=w.limit){for(a=r;;){if(e=w.cursor,w.in_grouping(l,97,246)){w.cursor=e;break}if(w.cursor=e,w.cursor>=w.limit)return;w.cursor++}for(;!w.out_grouping(l,97,246);){if(w.cursor>=w.limit)return;w.cursor++}o=w.cursor,o<a&&(o=a)}}function t(){var e,r=w.limit_backward;if(w.cursor>=o&&(w.limit_backward=o,w.cursor=w.limit,w.ket=w.cursor,e=w.find_among_b(u,37),w.limit_backward=r,e))switch(w.bra=w.cursor,e){case 1:w.slice_del();break;case 2:w.in_grouping_b(d,98,121)&&w.slice_del()}}function i(){var e=w.limit_backward;w.cursor>=o&&(w.limit_backward=o,w.cursor=w.limit,w.find_among_b(c,7)&&(w.cursor=w.limit,w.ket=w.cursor,w.cursor>w.limit_backward&&(w.bra=--w.cursor,w.slice_del())),w.limit_backward=e)}function s(){var e,r;if(w.cursor>=o){if(r=w.limit_backward,w.limit_backward=o,w.cursor=w.limit,w.ket=w.cursor,e=w.find_among_b(m,5))switch(w.bra=w.cursor,e){case 1:w.slice_del();break;case 2:w.slice_from("lös");break;case 3:w.slice_from("full")}w.limit_backward=r}}var a,o,u=[new r("a",-1,1),new r("arna",0,1),new 
r("erna",0,1),new r("heterna",2,1),new r("orna",0,1),new r("ad",-1,1),new r("e",-1,1),new r("ade",6,1),new r("ande",6,1),new r("arne",6,1),new r("are",6,1),new r("aste",6,1),new r("en",-1,1),new r("anden",12,1),new r("aren",12,1),new r("heten",12,1),new r("ern",-1,1),new r("ar",-1,1),new r("er",-1,1),new r("heter",18,1),new r("or",-1,1),new r("s",-1,2),new r("as",21,1),new r("arnas",22,1),new r("ernas",22,1),new r("ornas",22,1),new r("es",21,1),new r("ades",26,1),new r("andes",26,1),new r("ens",21,1),new r("arens",29,1),new r("hetens",29,1),new r("erns",21,1),new r("at",-1,1),new r("andet",-1,1),new r("het",-1,1),new r("ast",-1,1)],c=[new r("dd",-1,-1),new r("gd",-1,-1),new r("nn",-1,-1),new r("dt",-1,-1),new r("gt",-1,-1),new r("kt",-1,-1),new r("tt",-1,-1)],m=[new r("ig",-1,1),new r("lig",0,1),new r("els",-1,1),new r("fullt",-1,3),new r("löst",-1,2)],l=[17,65,16,1,0,0,0,0,0,0,0,0,0,0,0,0,24,0,32],d=[119,127,149],w=new n;this.setCurrent=function(e){w.setCurrent(e)},this.getCurrent=function(){return w.getCurrent()},this.stem=function(){var r=w.cursor;return e(),w.limit_backward=r,w.cursor=w.limit,t(),w.cursor=w.limit,i(),w.cursor=w.limit,s(),!0}};return function(e){return"function"==typeof e.update?e.update(function(e){return t.setCurrent(e),t.stem(),t.getCurrent()}):(t.setCurrent(e),t.stem(),t.getCurrent())}}(),e.Pipeline.registerFunction(e.sv.stemmer,"stemmer-sv"),e.sv.stopWordFilter=e.generateStopWordFilter("alla allt att av blev bli blir blivit de dem den denna deras dess dessa det detta dig din dina ditt du där då efter ej eller en er era ert ett från för ha hade han hans har henne hennes hon honom hur här i icke ingen inom inte jag ju kan kunde man med mellan men mig min mina mitt mot mycket ni nu när någon något några och om oss på samma sedan sig sin sina sitta själv skulle som så sådan sådana sådant till under upp ut utan vad var vara varför varit varje vars vart vem vi vid vilka vilkas vilken vilket vår våra vårt än är åt över".split(" 
")),e.Pipeline.registerFunction(e.sv.stopWordFilter,"stopWordFilter-sv")}});

@ -0,0 +1 @@
!function(e,r){"function"==typeof define&&define.amd?define(r):"object"==typeof exports?module.exports=r():r()(e.lunr)}(this,function(){return function(e){if(void 0===e)throw new Error("Lunr is not present. Please include / require Lunr before this script.");if(void 0===e.stemmerSupport)throw new Error("Lunr stemmer support is not present. Please include / require Lunr stemmer support before this script.");var r="2"==e.version[0];e.th=function(){this.pipeline.reset(),this.pipeline.add(e.th.trimmer),r?this.tokenizer=e.th.tokenizer:(e.tokenizer&&(e.tokenizer=e.th.tokenizer),this.tokenizerFn&&(this.tokenizerFn=e.th.tokenizer))},e.th.wordCharacters="[฀-๿]",e.th.trimmer=e.trimmerSupport.generateTrimmer(e.th.wordCharacters),e.Pipeline.registerFunction(e.th.trimmer,"trimmer-th");var t=e.wordcut;t.init(),e.th.tokenizer=function(i){if(!arguments.length||null==i||void 0==i)return[];if(Array.isArray(i))return i.map(function(t){return r?new e.Token(t):t});var n=i.toString().replace(/^\s+/,"");return t.cut(n).split("|")}}});


@ -0,0 +1 @@
!function(e,r){"function"==typeof define&&define.amd?define(r):"object"==typeof exports?module.exports=r():r()(e.lunr)}(this,function(){return function(e){if(void 0===e)throw new Error("Lunr is not present. Please include / require Lunr before this script.");if(void 0===e.stemmerSupport)throw new Error("Lunr stemmer support is not present. Please include / require Lunr stemmer support before this script.");e.vi=function(){this.pipeline.reset(),this.pipeline.add(e.vi.stopWordFilter,e.vi.trimmer)},e.vi.wordCharacters="[A-Za-ẓ̀͐́͑̉̃̓ÂâÊêÔôĂ-ăĐ-đƠ-ơƯ-ư]",e.vi.trimmer=e.trimmerSupport.generateTrimmer(e.vi.wordCharacters),e.Pipeline.registerFunction(e.vi.trimmer,"trimmer-vi"),e.vi.stopWordFilter=e.generateStopWordFilter("là cái nhưng mà".split(" "))}});

@ -0,0 +1 @@
!function(e,r){"function"==typeof define&&define.amd?define(r):"object"==typeof exports?module.exports=r(require("nodejieba")):r()(e.lunr)}(this,function(e){return function(r,t){if(void 0===r)throw new Error("Lunr is not present. Please include / require Lunr before this script.");if(void 0===r.stemmerSupport)throw new Error("Lunr stemmer support is not present. Please include / require Lunr stemmer support before this script.");var i="2"==r.version[0];r.zh=function(){this.pipeline.reset(),this.pipeline.add(r.zh.trimmer,r.zh.stopWordFilter,r.zh.stemmer),i?this.tokenizer=r.zh.tokenizer:(r.tokenizer&&(r.tokenizer=r.zh.tokenizer),this.tokenizerFn&&(this.tokenizerFn=r.zh.tokenizer))},r.zh.tokenizer=function(n){if(!arguments.length||null==n||void 0==n)return[];if(Array.isArray(n))return n.map(function(e){return i?new r.Token(e.toLowerCase()):e.toLowerCase()});t&&e.load(t);var o=n.toString().trim().toLowerCase(),s=[];e.cut(o,!0).forEach(function(e){s=s.concat(e.split(" "))}),s=s.filter(function(e){return!!e});var u=0;return s.map(function(e,t){if(i){var n=o.indexOf(e,u),s={};return s.position=[n,e.length],s.index=t,u=n,new r.Token(e,s)}return e})},r.zh.wordCharacters="\\w一-龥",r.zh.trimmer=r.trimmerSupport.generateTrimmer(r.zh.wordCharacters),r.Pipeline.registerFunction(r.zh.trimmer,"trimmer-zh"),r.zh.stemmer=function(){return function(e){return e}}(),r.Pipeline.registerFunction(r.zh.stemmer,"stemmer-zh"),r.zh.stopWordFilter=r.generateStopWordFilter("的 一 不 在 人 有 是 为 以 于 上 他 而 后 之 来 及 了 因 下 可 到 由 这 与 也 此 但 并 个 其 已 无 小 我 们 起 最 再 今 去 好 只 又 或 很 亦 某 把 那 你 乃 它 吧 被 比 别 趁 当 从 到 得 打 凡 儿 尔 该 各 给 跟 和 何 还 即 几 既 看 据 距 靠 啦 了 另 么 每 们 嘛 拿 哪 那 您 凭 且 却 让 仍 啥 如 若 使 谁 虽 随 同 所 她 哇 嗡 往 哪 些 向 沿 哟 用 于 咱 则 怎 曾 至 致 着 诸 自".split(" ")),r.Pipeline.registerFunction(r.zh.stopWordFilter,"stopWordFilter-zh")}});

@ -0,0 +1,206 @@
/**
* export the module via AMD, CommonJS or as a browser global
* Export code from https://github.com/umdjs/umd/blob/master/returnExports.js
*/
;(function (root, factory) {
if (typeof define === 'function' && define.amd) {
// AMD. Register as an anonymous module.
define(factory)
} else if (typeof exports === 'object') {
/**
* Node. Does not work with strict CommonJS, but
* only CommonJS-like environments that support module.exports,
* like Node.
*/
module.exports = factory()
} else {
// Browser globals (root is window)
factory()(root.lunr);
}
}(this, function () {
/**
* Just return a value to define the module export.
* This example returns an object, but the module
* can return a function as the exported value.
*/
return function(lunr) {
// TinySegmenter 0.1 -- Super compact Japanese tokenizer in Javascript
// (c) 2008 Taku Kudo <taku@chasen.org>
// TinySegmenter is freely distributable under the terms of a new BSD licence.
// For details, see http://chasen.org/~taku/software/TinySegmenter/LICENCE.txt
function TinySegmenter() {
var patterns = {
"[一二三四五六七八九十百千万億兆]":"M",
"[一-龠々〆ヵヶ]":"H",
"[ぁ-ん]":"I",
"[ァ-ヴーア-ン゙ー]":"K",
"[a-zA-Z--]":"A",
"[0-9-]":"N"
}
this.chartype_ = [];
for (var i in patterns) {
var regexp = new RegExp(i);
this.chartype_.push([regexp, patterns[i]]);
}
this.BIAS__ = -332
this.BC1__ = {"HH":6,"II":2461,"KH":406,"OH":-1378};
this.BC2__ = {"AA":-3267,"AI":2744,"AN":-878,"HH":-4070,"HM":-1711,"HN":4012,"HO":3761,"IA":1327,"IH":-1184,"II":-1332,"IK":1721,"IO":5492,"KI":3831,"KK":-8741,"MH":-3132,"MK":3334,"OO":-2920};
this.BC3__ = {"HH":996,"HI":626,"HK":-721,"HN":-1307,"HO":-836,"IH":-301,"KK":2762,"MK":1079,"MM":4034,"OA":-1652,"OH":266};
this.BP1__ = {"BB":295,"OB":304,"OO":-125,"UB":352};
this.BP2__ = {"BO":60,"OO":-1762};
this.BQ1__ = {"BHH":1150,"BHM":1521,"BII":-1158,"BIM":886,"BMH":1208,"BNH":449,"BOH":-91,"BOO":-2597,"OHI":451,"OIH":-296,"OKA":1851,"OKH":-1020,"OKK":904,"OOO":2965};
this.BQ2__ = {"BHH":118,"BHI":-1159,"BHM":466,"BIH":-919,"BKK":-1720,"BKO":864,"OHH":-1139,"OHM":-181,"OIH":153,"UHI":-1146};
this.BQ3__ = {"BHH":-792,"BHI":2664,"BII":-299,"BKI":419,"BMH":937,"BMM":8335,"BNN":998,"BOH":775,"OHH":2174,"OHM":439,"OII":280,"OKH":1798,"OKI":-793,"OKO":-2242,"OMH":-2402,"OOO":11699};
this.BQ4__ = {"BHH":-3895,"BIH":3761,"BII":-4654,"BIK":1348,"BKK":-1806,"BMI":-3385,"BOO":-12396,"OAH":926,"OHH":266,"OHK":-2036,"ONN":-973};
this.BW1__ = {",と":660,",同":727,"B1あ":1404,"B1同":542,"、と":660,"、同":727,"」と":1682,"あっ":1505,"いう":1743,"いっ":-2055,"いる":672,"うし":-4817,"うん":665,"から":3472,"がら":600,"こう":-790,"こと":2083,"こん":-1262,"さら":-4143,"さん":4573,"した":2641,"して":1104,"すで":-3399,"そこ":1977,"それ":-871,"たち":1122,"ため":601,"った":3463,"つい":-802,"てい":805,"てき":1249,"でき":1127,"です":3445,"では":844,"とい":-4915,"とみ":1922,"どこ":3887,"ない":5713,"なっ":3015,"など":7379,"なん":-1113,"にし":2468,"には":1498,"にも":1671,"に対":-912,"の一":-501,"の中":741,"ませ":2448,"まで":1711,"まま":2600,"まる":-2155,"やむ":-1947,"よっ":-2565,"れた":2369,"れで":-913,"をし":1860,"を見":731,"亡く":-1886,"京都":2558,"取り":-2784,"大き":-2604,"大阪":1497,"平方":-2314,"引き":-1336,"日本":-195,"本当":-2423,"毎日":-2113,"目指":-724,"B1あ":1404,"B1同":542,"」と":1682};
this.BW2__ = {"..":-11822,"11":-669,"――":-5730,"":-13175,"いう":-1609,"うか":2490,"かし":-1350,"かも":-602,"から":-7194,"かれ":4612,"がい":853,"がら":-3198,"きた":1941,"くな":-1597,"こと":-8392,"この":-4193,"させ":4533,"され":13168,"さん":-3977,"しい":-1819,"しか":-545,"した":5078,"して":972,"しな":939,"その":-3744,"たい":-1253,"たた":-662,"ただ":-3857,"たち":-786,"たと":1224,"たは":-939,"った":4589,"って":1647,"っと":-2094,"てい":6144,"てき":3640,"てく":2551,"ては":-3110,"ても":-3065,"でい":2666,"でき":-1528,"でし":-3828,"です":-4761,"でも":-4203,"とい":1890,"とこ":-1746,"とと":-2279,"との":720,"とみ":5168,"とも":-3941,"ない":-2488,"なが":-1313,"など":-6509,"なの":2614,"なん":3099,"にお":-1615,"にし":2748,"にな":2454,"によ":-7236,"に対":-14943,"に従":-4688,"に関":-11388,"のか":2093,"ので":-7059,"のに":-6041,"のの":-6125,"はい":1073,"はが":-1033,"はず":-2532,"ばれ":1813,"まし":-1316,"まで":-6621,"まれ":5409,"めて":-3153,"もい":2230,"もの":-10713,"らか":-944,"らし":-1611,"らに":-1897,"りし":651,"りま":1620,"れた":4270,"れて":849,"れば":4114,"ろう":6067,"われ":7901,"を通":-11877,"んだ":728,"んな":-4115,"一人":602,"一方":-1375,"一日":970,"一部":-1051,"上が":-4479,"会社":-1116,"出て":2163,"分の":-7758,"同党":970,"同日":-913,"大阪":-2471,"委員":-1250,"少な":-1050,"年度":-8669,"年間":-1626,"府県":-2363,"手権":-1982,"新聞":-4066,"日新":-722,"日本":-7068,"日米":3372,"曜日":-601,"朝鮮":-2355,"本人":-2697,"東京":-1543,"然と":-1384,"社会":-1276,"立て":-990,"第に":-1612,"米国":-4268,"":-669};
this.BW3__ = {"あた":-2194,"あり":719,"ある":3846,"い.":-1185,"い。":-1185,"いい":5308,"いえ":2079,"いく":3029,"いた":2056,"いっ":1883,"いる":5600,"いわ":1527,"うち":1117,"うと":4798,"えと":1454,"か.":2857,"か。":2857,"かけ":-743,"かっ":-4098,"かに":-669,"から":6520,"かり":-2670,"が,":1816,"が、":1816,"がき":-4855,"がけ":-1127,"がっ":-913,"がら":-4977,"がり":-2064,"きた":1645,"けど":1374,"こと":7397,"この":1542,"ころ":-2757,"さい":-714,"さを":976,"し,":1557,"し、":1557,"しい":-3714,"した":3562,"して":1449,"しな":2608,"しま":1200,"す.":-1310,"す。":-1310,"する":6521,"ず,":3426,"ず、":3426,"ずに":841,"そう":428,"た.":8875,"た。":8875,"たい":-594,"たの":812,"たり":-1183,"たる":-853,"だ.":4098,"だ。":4098,"だっ":1004,"った":-4748,"って":300,"てい":6240,"てお":855,"ても":302,"です":1437,"でに":-1482,"では":2295,"とう":-1387,"とし":2266,"との":541,"とも":-3543,"どう":4664,"ない":1796,"なく":-903,"など":2135,"に,":-1021,"に、":-1021,"にし":1771,"にな":1906,"には":2644,"の,":-724,"の、":-724,"の子":-1000,"は,":1337,"は、":1337,"べき":2181,"まし":1113,"ます":6943,"まっ":-1549,"まで":6154,"まれ":-793,"らし":1479,"られ":6820,"るる":3818,"れ,":854,"れ、":854,"れた":1850,"れて":1375,"れば":-3246,"れる":1091,"われ":-605,"んだ":606,"んで":798,"カ月":990,"会議":860,"入り":1232,"大会":2217,"始め":1681,"市":965,"新聞":-5055,"日,":974,"日、":974,"社会":2024,"カ月":990};
this.TC1__ = {"AAA":1093,"HHH":1029,"HHM":580,"HII":998,"HOH":-390,"HOM":-331,"IHI":1169,"IOH":-142,"IOI":-1015,"IOM":467,"MMH":187,"OOI":-1832};
this.TC2__ = {"HHO":2088,"HII":-1023,"HMM":-1154,"IHI":-1965,"KKH":703,"OII":-2649};
this.TC3__ = {"AAA":-294,"HHH":346,"HHI":-341,"HII":-1088,"HIK":731,"HOH":-1486,"IHH":128,"IHI":-3041,"IHO":-1935,"IIH":-825,"IIM":-1035,"IOI":-542,"KHH":-1216,"KKA":491,"KKH":-1217,"KOK":-1009,"MHH":-2694,"MHM":-457,"MHO":123,"MMH":-471,"NNH":-1689,"NNO":662,"OHO":-3393};
this.TC4__ = {"HHH":-203,"HHI":1344,"HHK":365,"HHM":-122,"HHN":182,"HHO":669,"HIH":804,"HII":679,"HOH":446,"IHH":695,"IHO":-2324,"IIH":321,"III":1497,"IIO":656,"IOO":54,"KAK":4845,"KKA":3386,"KKK":3065,"MHH":-405,"MHI":201,"MMH":-241,"MMM":661,"MOM":841};
this.TQ1__ = {"BHHH":-227,"BHHI":316,"BHIH":-132,"BIHH":60,"BIII":1595,"BNHH":-744,"BOHH":225,"BOOO":-908,"OAKK":482,"OHHH":281,"OHIH":249,"OIHI":200,"OIIH":-68};
this.TQ2__ = {"BIHH":-1401,"BIII":-1033,"BKAK":-543,"BOOO":-5591};
this.TQ3__ = {"BHHH":478,"BHHM":-1073,"BHIH":222,"BHII":-504,"BIIH":-116,"BIII":-105,"BMHI":-863,"BMHM":-464,"BOMH":620,"OHHH":346,"OHHI":1729,"OHII":997,"OHMH":481,"OIHH":623,"OIIH":1344,"OKAK":2792,"OKHH":587,"OKKA":679,"OOHH":110,"OOII":-685};
this.TQ4__ = {"BHHH":-721,"BHHM":-3604,"BHII":-966,"BIIH":-607,"BIII":-2181,"OAAA":-2763,"OAKK":180,"OHHH":-294,"OHHI":2446,"OHHO":480,"OHIH":-1573,"OIHH":1935,"OIHI":-493,"OIIH":626,"OIII":-4007,"OKAK":-8156};
this.TW1__ = {"につい":-4681,"東京都":2026};
this.TW2__ = {"ある程":-2049,"いった":-1256,"ころが":-2434,"しょう":3873,"その後":-4430,"だって":-1049,"ていた":1833,"として":-4657,"ともに":-4517,"もので":1882,"一気に":-792,"初めて":-1512,"同時に":-8097,"大きな":-1255,"対して":-2721,"社会党":-3216};
this.TW3__ = {"いただ":-1734,"してい":1314,"として":-4314,"につい":-5483,"にとっ":-5989,"に当た":-6247,"ので,":-727,"ので、":-727,"のもの":-600,"れから":-3752,"十二月":-2287};
this.TW4__ = {"いう.":8576,"いう。":8576,"からな":-2348,"してい":2958,"たが,":1516,"たが、":1516,"ている":1538,"という":1349,"ました":5543,"ません":1097,"ようと":-4258,"よると":5865};
this.UC1__ = {"A":484,"K":93,"M":645,"O":-505};
this.UC2__ = {"A":819,"H":1059,"I":409,"M":3987,"N":5775,"O":646};
this.UC3__ = {"A":-1370,"I":2311};
this.UC4__ = {"A":-2643,"H":1809,"I":-1032,"K":-3450,"M":3565,"N":3876,"O":6646};
this.UC5__ = {"H":313,"I":-1238,"K":-799,"M":539,"O":-831};
this.UC6__ = {"H":-506,"I":-253,"K":87,"M":247,"O":-387};
this.UP1__ = {"O":-214};
this.UP2__ = {"B":69,"O":935};
this.UP3__ = {"B":189};
this.UQ1__ = {"BH":21,"BI":-12,"BK":-99,"BN":142,"BO":-56,"OH":-95,"OI":477,"OK":410,"OO":-2422};
this.UQ2__ = {"BH":216,"BI":113,"OK":1759};
this.UQ3__ = {"BA":-479,"BH":42,"BI":1913,"BK":-7198,"BM":3160,"BN":6427,"BO":14761,"OI":-827,"ON":-3212};
this.UW1__ = {",":156,"、":156,"「":-463,"あ":-941,"う":-127,"が":-553,"き":121,"こ":505,"で":-201,"と":-547,"ど":-123,"に":-789,"の":-185,"は":-847,"も":-466,"や":-470,"よ":182,"ら":-292,"り":208,"れ":169,"を":-446,"ん":-137,"・":-135,"主":-402,"京":-268,"区":-912,"午":871,"国":-460,"大":561,"委":729,"市":-411,"日":-141,"理":361,"生":-408,"県":-386,"都":-718,"「":-463,"・":-135};
this.UW2__ = {",":-829,"、":-829,"":892,"「":-645,"」":3145,"あ":-538,"い":505,"う":134,"お":-502,"か":1454,"が":-856,"く":-412,"こ":1141,"さ":878,"ざ":540,"し":1529,"す":-675,"せ":300,"そ":-1011,"た":188,"だ":1837,"つ":-949,"て":-291,"で":-268,"と":-981,"ど":1273,"な":1063,"に":-1764,"の":130,"は":-409,"ひ":-1273,"べ":1261,"ま":600,"も":-1263,"や":-402,"よ":1639,"り":-579,"る":-694,"れ":571,"を":-2516,"ん":2095,"ア":-587,"カ":306,"キ":568,"ッ":831,"三":-758,"不":-2150,"世":-302,"中":-968,"主":-861,"事":492,"人":-123,"会":978,"保":362,"入":548,"初":-3025,"副":-1566,"北":-3414,"区":-422,"大":-1769,"天":-865,"太":-483,"子":-1519,"学":760,"実":1023,"小":-2009,"市":-813,"年":-1060,"強":1067,"手":-1519,"揺":-1033,"政":1522,"文":-1355,"新":-1682,"日":-1815,"明":-1462,"最":-630,"朝":-1843,"本":-1650,"東":-931,"果":-665,"次":-2378,"民":-180,"気":-1740,"理":752,"発":529,"目":-1584,"相":-242,"県":-1165,"立":-763,"第":810,"米":509,"自":-1353,"行":838,"西":-744,"見":-3874,"調":1010,"議":1198,"込":3041,"開":1758,"間":-1257,"「":-645,"」":3145,"ッ":831,"ア":-587,"カ":306,"キ":568};
this.UW3__ = {",":4889,"1":-800,"":-1723,"、":4889,"々":-2311,"":5827,"」":2670,"〓":-3573,"あ":-2696,"い":1006,"う":2342,"え":1983,"お":-4864,"か":-1163,"が":3271,"く":1004,"け":388,"げ":401,"こ":-3552,"ご":-3116,"さ":-1058,"し":-395,"す":584,"せ":3685,"そ":-5228,"た":842,"ち":-521,"っ":-1444,"つ":-1081,"て":6167,"で":2318,"と":1691,"ど":-899,"な":-2788,"に":2745,"の":4056,"は":4555,"ひ":-2171,"ふ":-1798,"へ":1199,"ほ":-5516,"ま":-4384,"み":-120,"め":1205,"も":2323,"や":-788,"よ":-202,"ら":727,"り":649,"る":5905,"れ":2773,"わ":-1207,"を":6620,"ん":-518,"ア":551,"グ":1319,"ス":874,"ッ":-1350,"ト":521,"ム":1109,"ル":1591,"ロ":2201,"ン":278,"・":-3794,"一":-1619,"下":-1759,"世":-2087,"両":3815,"中":653,"主":-758,"予":-1193,"二":974,"人":2742,"今":792,"他":1889,"以":-1368,"低":811,"何":4265,"作":-361,"保":-2439,"元":4858,"党":3593,"全":1574,"公":-3030,"六":755,"共":-1880,"円":5807,"再":3095,"分":457,"初":2475,"別":1129,"前":2286,"副":4437,"力":365,"動":-949,"務":-1872,"化":1327,"北":-1038,"区":4646,"千":-2309,"午":-783,"協":-1006,"口":483,"右":1233,"各":3588,"合":-241,"同":3906,"和":-837,"員":4513,"国":642,"型":1389,"場":1219,"外":-241,"妻":2016,"学":-1356,"安":-423,"実":-1008,"家":1078,"小":-513,"少":-3102,"州":1155,"市":3197,"平":-1804,"年":2416,"広":-1030,"府":1605,"度":1452,"建":-2352,"当":-3885,"得":1905,"思":-1291,"性":1822,"戸":-488,"指":-3973,"政":-2013,"教":-1479,"数":3222,"文":-1489,"新":1764,"日":2099,"旧":5792,"昨":-661,"時":-1248,"曜":-951,"最":-937,"月":4125,"期":360,"李":3094,"村":364,"東":-805,"核":5156,"森":2438,"業":484,"氏":2613,"民":-1694,"決":-1073,"法":1868,"海":-495,"無":979,"物":461,"特":-3850,"生":-273,"用":914,"町":1215,"的":7313,"直":-1835,"省":792,"県":6293,"知":-1528,"私":4231,"税":401,"立":-960,"第":1201,"米":7767,"系":3066,"約":3663,"級":1384,"統":-4229,"総":1163,"線":1255,"者":6457,"能":725,"自":-2869,"英":785,"見":1044,"調":-562,"財":-733,"費":1777,"車":1835,"軍":1375,"込":-1504,"通":-1136,"選":-681,"郎":1026,"郡":4404,"部":1200,"金":2163,"長":421,"開":-1432,"間":1302,"関":-1282,"雨":2009,"電":-1045,"非":2066,"駅":1620,"":-800,"」":2670,"・":-3794,"ッ":-1350,"ア":551,"グ":1319,"ス":874,"ト":521,"ム":1109,"ル":1591,"ロ":2201,"ン":278};
this.UW4__ = {",":3930,".":3508,"―":-4841,"、":3930,"。":3508,"":4999,"「":1895,"」":3798,"〓":-5156,"あ":4752,"い":-3435,"う":-640,"え":-2514,"お":2405,"か":530,"が":6006,"き":-4482,"ぎ":-3821,"く":-3788,"け":-4376,"げ":-4734,"こ":2255,"ご":1979,"さ":2864,"し":-843,"じ":-2506,"す":-731,"ず":1251,"せ":181,"そ":4091,"た":5034,"だ":5408,"ち":-3654,"っ":-5882,"つ":-1659,"て":3994,"で":7410,"と":4547,"な":5433,"に":6499,"ぬ":1853,"ね":1413,"の":7396,"は":8578,"ば":1940,"ひ":4249,"び":-4134,"ふ":1345,"へ":6665,"べ":-744,"ほ":1464,"ま":1051,"み":-2082,"む":-882,"め":-5046,"も":4169,"ゃ":-2666,"や":2795,"ょ":-1544,"よ":3351,"ら":-2922,"り":-9726,"る":-14896,"れ":-2613,"ろ":-4570,"わ":-1783,"を":13150,"ん":-2352,"カ":2145,"コ":1789,"セ":1287,"ッ":-724,"ト":-403,"メ":-1635,"ラ":-881,"リ":-541,"ル":-856,"ン":-3637,"・":-4371,"ー":-11870,"一":-2069,"中":2210,"予":782,"事":-190,"井":-1768,"人":1036,"以":544,"会":950,"体":-1286,"作":530,"側":4292,"先":601,"党":-2006,"共":-1212,"内":584,"円":788,"初":1347,"前":1623,"副":3879,"力":-302,"動":-740,"務":-2715,"化":776,"区":4517,"協":1013,"参":1555,"合":-1834,"和":-681,"員":-910,"器":-851,"回":1500,"国":-619,"園":-1200,"地":866,"場":-1410,"塁":-2094,"士":-1413,"多":1067,"大":571,"子":-4802,"学":-1397,"定":-1057,"寺":-809,"小":1910,"屋":-1328,"山":-1500,"島":-2056,"川":-2667,"市":2771,"年":374,"庁":-4556,"後":456,"性":553,"感":916,"所":-1566,"支":856,"改":787,"政":2182,"教":704,"文":522,"方":-856,"日":1798,"時":1829,"最":845,"月":-9066,"木":-485,"来":-442,"校":-360,"業":-1043,"氏":5388,"民":-2716,"気":-910,"沢":-939,"済":-543,"物":-735,"率":672,"球":-1267,"生":-1286,"産":-1101,"田":-2900,"町":1826,"的":2586,"目":922,"省":-3485,"県":2997,"空":-867,"立":-2112,"第":788,"米":2937,"系":786,"約":2171,"経":1146,"統":-1169,"総":940,"線":-994,"署":749,"者":2145,"能":-730,"般":-852,"行":-792,"規":792,"警":-1184,"議":-244,"谷":-1000,"賞":730,"車":-1481,"軍":1158,"輪":-1433,"込":-3370,"近":929,"道":-1291,"選":2596,"郎":-4866,"都":1192,"野":-1100,"銀":-2213,"長":357,"間":-2344,"院":-2297,"際":-2604,"電":-878,"領":-1659,"題":-792,"館":-1984,"首":1749,"高":2120,"「":1895,"」":3798,"・":-4371,"ッ":-724,"ー":-11870,"カ":2145,"コ":1789,"セ":1287,"ト":-403,"メ":
-1635,"ラ":-881,"リ":-541,"ル":-856,"ン":-3637};
this.UW5__ = {",":465,".":-299,"1":-514,"E2":-32768,"]":-2762,"、":465,"。":-299,"「":363,"あ":1655,"い":331,"う":-503,"え":1199,"お":527,"か":647,"が":-421,"き":1624,"ぎ":1971,"く":312,"げ":-983,"さ":-1537,"し":-1371,"す":-852,"だ":-1186,"ち":1093,"っ":52,"つ":921,"て":-18,"で":-850,"と":-127,"ど":1682,"な":-787,"に":-1224,"の":-635,"は":-578,"べ":1001,"み":502,"め":865,"ゃ":3350,"ょ":854,"り":-208,"る":429,"れ":504,"わ":419,"を":-1264,"ん":327,"イ":241,"ル":451,"ン":-343,"中":-871,"京":722,"会":-1153,"党":-654,"務":3519,"区":-901,"告":848,"員":2104,"大":-1296,"学":-548,"定":1785,"嵐":-1304,"市":-2991,"席":921,"年":1763,"思":872,"所":-814,"挙":1618,"新":-1682,"日":218,"月":-4353,"査":932,"格":1356,"機":-1508,"氏":-1347,"田":240,"町":-3912,"的":-3149,"相":1319,"省":-1052,"県":-4003,"研":-997,"社":-278,"空":-813,"統":1955,"者":-2233,"表":663,"語":-1073,"議":1219,"選":-1018,"郎":-368,"長":786,"間":1191,"題":2368,"館":-689,"":-514,"":-32768,"「":363,"イ":241,"ル":451,"ン":-343};
this.UW6__ = {",":227,".":808,"1":-270,"E1":306,"、":227,"。":808,"あ":-307,"う":189,"か":241,"が":-73,"く":-121,"こ":-200,"じ":1782,"す":383,"た":-428,"っ":573,"て":-1014,"で":101,"と":-105,"な":-253,"に":-149,"の":-417,"は":-236,"も":-206,"り":187,"る":-135,"を":195,"ル":-673,"ン":-496,"一":-277,"中":201,"件":-800,"会":624,"前":302,"区":1792,"員":-1212,"委":798,"学":-960,"市":887,"広":-695,"後":535,"業":-697,"相":753,"社":-507,"福":974,"空":-822,"者":1811,"連":463,"郎":1082,"":-270,"":306,"ル":-673,"ン":-496};
return this;
}
TinySegmenter.prototype.ctype_ = function(str) {
for (var i in this.chartype_) {
if (str.match(this.chartype_[i][0])) {
return this.chartype_[i][1];
}
}
return "O";
}
TinySegmenter.prototype.ts_ = function(v) {
if (v) { return v; }
return 0;
}
TinySegmenter.prototype.segment = function(input) {
if (input == null || input == undefined || input == "") {
return [];
}
var result = [];
var seg = ["B3","B2","B1"];
var ctype = ["O","O","O"];
var o = input.split("");
for (i = 0; i < o.length; ++i) {
seg.push(o[i]);
ctype.push(this.ctype_(o[i]))
}
seg.push("E1");
seg.push("E2");
seg.push("E3");
ctype.push("O");
ctype.push("O");
ctype.push("O");
var word = seg[3];
var p1 = "U";
var p2 = "U";
var p3 = "U";
for (var i = 4; i < seg.length - 3; ++i) {
var score = this.BIAS__;
var w1 = seg[i-3];
var w2 = seg[i-2];
var w3 = seg[i-1];
var w4 = seg[i];
var w5 = seg[i+1];
var w6 = seg[i+2];
var c1 = ctype[i-3];
var c2 = ctype[i-2];
var c3 = ctype[i-1];
var c4 = ctype[i];
var c5 = ctype[i+1];
var c6 = ctype[i+2];
score += this.ts_(this.UP1__[p1]);
score += this.ts_(this.UP2__[p2]);
score += this.ts_(this.UP3__[p3]);
score += this.ts_(this.BP1__[p1 + p2]);
score += this.ts_(this.BP2__[p2 + p3]);
score += this.ts_(this.UW1__[w1]);
score += this.ts_(this.UW2__[w2]);
score += this.ts_(this.UW3__[w3]);
score += this.ts_(this.UW4__[w4]);
score += this.ts_(this.UW5__[w5]);
score += this.ts_(this.UW6__[w6]);
score += this.ts_(this.BW1__[w2 + w3]);
score += this.ts_(this.BW2__[w3 + w4]);
score += this.ts_(this.BW3__[w4 + w5]);
score += this.ts_(this.TW1__[w1 + w2 + w3]);
score += this.ts_(this.TW2__[w2 + w3 + w4]);
score += this.ts_(this.TW3__[w3 + w4 + w5]);
score += this.ts_(this.TW4__[w4 + w5 + w6]);
score += this.ts_(this.UC1__[c1]);
score += this.ts_(this.UC2__[c2]);
score += this.ts_(this.UC3__[c3]);
score += this.ts_(this.UC4__[c4]);
score += this.ts_(this.UC5__[c5]);
score += this.ts_(this.UC6__[c6]);
score += this.ts_(this.BC1__[c2 + c3]);
score += this.ts_(this.BC2__[c3 + c4]);
score += this.ts_(this.BC3__[c4 + c5]);
score += this.ts_(this.TC1__[c1 + c2 + c3]);
score += this.ts_(this.TC2__[c2 + c3 + c4]);
score += this.ts_(this.TC3__[c3 + c4 + c5]);
score += this.ts_(this.TC4__[c4 + c5 + c6]);
// score += this.ts_(this.TC5__[c4 + c5 + c6]);
score += this.ts_(this.UQ1__[p1 + c1]);
score += this.ts_(this.UQ2__[p2 + c2]);
score += this.ts_(this.UQ3__[p3 + c3]);
score += this.ts_(this.BQ1__[p2 + c2 + c3]);
score += this.ts_(this.BQ2__[p2 + c3 + c4]);
score += this.ts_(this.BQ3__[p3 + c2 + c3]);
score += this.ts_(this.BQ4__[p3 + c3 + c4]);
score += this.ts_(this.TQ1__[p2 + c1 + c2 + c3]);
score += this.ts_(this.TQ2__[p2 + c2 + c3 + c4]);
score += this.ts_(this.TQ3__[p3 + c1 + c2 + c3]);
score += this.ts_(this.TQ4__[p3 + c2 + c3 + c4]);
var p = "O";
if (score > 0) {
result.push(word);
word = "";
p = "B";
}
p1 = p2;
p2 = p3;
p3 = p;
word += seg[i];
}
result.push(word);
return result;
}
lunr.TinySegmenter = TinySegmenter;
};
}));


@ -0,0 +1 @@
.node circle,.node ellipse,.node path,.node polygon,.node rect{fill:var(--md-mermaid-node-bg-color);stroke:var(--md-mermaid-node-fg-color)}marker{fill:var(--md-mermaid-edge-color)!important}.edgeLabel .label rect{fill:transparent}.label{color:var(--md-mermaid-label-fg-color);font-family:var(--md-mermaid-font-family)}.label foreignobject{line-height:normal;overflow:visible}.label div .edgeLabel{color:var(--md-mermaid-label-fg-color)}.edgeLabel,.edgeLabel rect{fill:var(--md-mermaid-label-bg-color);background-color:var(--md-mermaid-label-bg-color)}.edgePath .path,.flowchart-link{stroke:var(--md-mermaid-edge-color)}.edgePath .arrowheadPath{fill:var(--md-mermaid-edge-color);stroke:none}.cluster rect{fill:var(--md-default-fg-color--lightest);stroke:var(--md-default-fg-color--lighter)}g.classGroup line,g.classGroup rect{fill:var(--md-mermaid-node-bg-color);stroke:var(--md-mermaid-node-fg-color)}g.classGroup text{fill:var(--md-mermaid-label-fg-color);font-family:var(--md-mermaid-font-family)}.classLabel .box{fill:var(--md-mermaid-label-bg-color);background-color:var(--md-mermaid-label-bg-color);opacity:1}.classLabel .label{fill:var(--md-mermaid-label-fg-color);font-family:var(--md-mermaid-font-family)}.relation{stroke:var(--md-mermaid-edge-color)}.cardinality{fill:var(--md-mermaid-label-fg-color);font-family:var(--md-mermaid-font-family)}.cardinality text{fill:inherit!important}#compositionEnd,#compositionStart,#dependencyEnd,#dependencyStart,#extensionEnd,#extensionStart{fill:var(--md-mermaid-edge-color)!important;stroke:var(--md-mermaid-edge-color)!important}#aggregationEnd,#aggregationStart{fill:var(--md-mermaid-label-bg-color)!important;stroke:var(--md-mermaid-edge-color)!important}g.stateGroup rect{fill:var(--md-mermaid-node-bg-color);stroke:var(--md-mermaid-node-fg-color)}g.stateGroup .state-title{fill:var(--md-mermaid-label-fg-color)!important;font-family:var(--md-mermaid-font-family)}g.stateGroup 
.composit{fill:var(--md-mermaid-label-bg-color)}.nodeLabel{color:var(--md-mermaid-label-fg-color);font-family:var(--md-mermaid-font-family)}.node circle.state-end,.node circle.state-start,.start-state{fill:var(--md-mermaid-edge-color);stroke:none}.end-state-inner,.end-state-outer{fill:var(--md-mermaid-edge-color)}.end-state-inner,.node circle.state-end{stroke:var(--md-mermaid-label-bg-color)}.transition{stroke:var(--md-mermaid-edge-color)}[id^=state-fork] rect,[id^=state-join] rect{fill:var(--md-mermaid-edge-color)!important;stroke:none!important}.statediagram-cluster.statediagram-cluster .inner{fill:var(--md-default-bg-color)}.statediagram-cluster rect{fill:var(--md-mermaid-node-bg-color);stroke:var(--md-mermaid-node-fg-color)}.statediagram-state rect.divider{fill:var(--md-default-fg-color--lightest);stroke:var(--md-default-fg-color--lighter)}.entityBox{fill:var(--md-mermaid-label-bg-color);stroke:var(--md-mermaid-node-fg-color)}.entityLabel{fill:var(--md-mermaid-label-fg-color);font-family:var(--md-mermaid-font-family)}.relationshipLabelBox{fill:var(--md-mermaid-label-bg-color);fill-opacity:1;background-color:var(--md-mermaid-label-bg-color);opacity:1}.relationshipLabel{fill:var(--md-mermaid-label-fg-color)}.relationshipLine{stroke:var(--md-mermaid-edge-color)}#ONE_OR_MORE_END *,#ONE_OR_MORE_START *,#ONLY_ONE_END *,#ONLY_ONE_START *,#ZERO_OR_MORE_END *,#ZERO_OR_MORE_START *,#ZERO_OR_ONE_END *,#ZERO_OR_ONE_START *{stroke:var(--md-mermaid-edge-color)!important}#ZERO_OR_MORE_END circle,#ZERO_OR_MORE_START circle,.actor{fill:var(--md-mermaid-label-bg-color)}.actor{stroke:var(--md-mermaid-node-fg-color)}text.actor>tspan{fill:var(--md-mermaid-label-fg-color);font-family:var(--md-mermaid-font-family)}.actor-line,.messageLine0,.messageLine1{stroke:var(--md-mermaid-edge-color)}.loopText>tspan,.messageText{fill:var(--md-mermaid-edge-color);stroke:none;font-family:var(--md-mermaid-font-family)!important}#arrowhead 
path{fill:var(--md-mermaid-edge-color);stroke:none}.loopLine{stroke:var(--md-mermaid-node-fg-color)}.labelBox,.loopLine{fill:var(--md-mermaid-node-bg-color)}.labelBox{stroke:none}.labelText,.labelText>span{fill:var(--md-mermaid-node-fg-color);font-family:var(--md-mermaid-font-family)}

@ -0,0 +1,933 @@
<!doctype html>
<html lang="en" class="no-js">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width,initial-scale=1">
<meta name="description" content="Checks whether Kubernetes is deployed according to security best practices as defined in the CIS Kubernetes Benchmark">
<link rel="canonical" href="https://aquasecurity.github.io/kube-bench/v0.6.5/controls/">
<link rel="icon" href="../assets/images/favicon.png">
<meta name="generator" content="mkdocs-1.2.3, mkdocs-material-8.0.2+insiders-4.1.0">
<title>Understanding the yamls - Kube-bench</title>
<link rel="stylesheet" href="../assets/stylesheets/main.adb7b03c.min.css">
<link rel="stylesheet" href="../assets/stylesheets/palette.fe799546.min.css">
<link rel="preload" as="style" href="../assets/stylesheets/vendor/mermaid.733f213f.min.css">
<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto:300,400,400i,700%7CRoboto+Mono&display=fallback">
<style>:root{--md-text-font:"Roboto";--md-code-font:"Roboto Mono"}</style>
<script>function __md_scope(e,t,_){return new URL(_||(t===localStorage?"..":".."),location).pathname+"."+e}function __md_get(e,t=localStorage,_){return JSON.parse(t.getItem(__md_scope(e,t,_)))}function __md_set(e,t,_=localStorage,o){try{_.setItem(__md_scope(e,_,o),JSON.stringify(t))}catch(e){}}</script>
</head>
<body dir="ltr" data-md-color-scheme="" data-md-color-primary="none" data-md-color-accent="none">
<input class="md-toggle" data-md-toggle="drawer" type="checkbox" id="__drawer" autocomplete="off">
<input class="md-toggle" data-md-toggle="search" type="checkbox" id="__search" autocomplete="off">
<label class="md-overlay" for="__drawer"></label>
<div data-md-component="skip">
<a href="#test-and-config-files" class="md-skip">
Skip to content
</a>
</div>
<div data-md-component="announce">
</div>
<div data-md-component="outdated" hidden>
</div>
<header class="md-header" data-md-component="header">
<nav class="md-header__inner md-grid" aria-label="Header">
<a href=".." title="Kube-bench" class="md-header__button md-logo" aria-label="Kube-bench" data-md-component="logo">
<img src="../images/kube-bench-logo-only.png" alt="logo">
</a>
<label class="md-header__button md-icon" for="__drawer">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M3 6h18v2H3V6m0 5h18v2H3v-2m0 5h18v2H3v-2z"/></svg>
</label>
<div class="md-header__title" data-md-component="header-title">
<div class="md-header__ellipsis">
<div class="md-header__topic">
<span class="md-ellipsis">
Kube-bench
</span>
</div>
<div class="md-header__topic" data-md-component="header-topic">
<span class="md-ellipsis">
Understanding the yamls
</span>
</div>
</div>
</div>
<label class="md-header__button md-icon" for="__search">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.516 6.516 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5z"/></svg>
</label>
<div class="md-search" data-md-component="search" role="dialog">
<label class="md-search__overlay" for="__search"></label>
<div class="md-search__inner" role="search">
<form class="md-search__form" name="search">
<input type="text" class="md-search__input" name="query" aria-label="Search" placeholder="Search" autocapitalize="off" autocorrect="off" autocomplete="off" spellcheck="false" data-md-component="search-query" required>
<label class="md-search__icon md-icon" for="__search">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.516 6.516 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5z"/></svg>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M20 11v2H8l5.5 5.5-1.42 1.42L4.16 12l7.92-7.92L13.5 5.5 8 11h12z"/></svg>
</label>
<nav class="md-search__options" aria-label="Search">
<button type="reset" class="md-search__icon md-icon" aria-label="Clear" tabindex="-1">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M19 6.41 17.59 5 12 10.59 6.41 5 5 6.41 10.59 12 5 17.59 6.41 19 12 13.41 17.59 19 19 17.59 13.41 12 19 6.41z"/></svg>
</button>
</nav>
</form>
<div class="md-search__output">
<div class="md-search__scrollwrap" data-md-scrollfix>
<div class="md-search-result" data-md-component="search-result">
<div class="md-search-result__meta">
Initializing search
</div>
<ol class="md-search-result__list"></ol>
</div>
</div>
</div>
</div>
</div>
<div class="md-header__source">
<a href="https://github.com/aquasecurity/kube-bench/" title="Go to repository" class="md-source" data-md-component="source">
<div class="md-source__icon md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512"><path d="M439.55 236.05 244 40.45a28.87 28.87 0 0 0-40.81 0l-40.66 40.63 51.52 51.52c27.06-9.14 52.68 16.77 43.39 43.68l49.66 49.66c34.23-11.8 61.18 31 35.47 56.69-26.49 26.49-70.21-2.87-56-37.34L240.22 199v121.85c25.3 12.54 22.26 41.85 9.08 55a34.34 34.34 0 0 1-48.55 0c-17.57-17.6-11.07-46.91 11.25-56v-123c-20.8-8.51-24.6-30.74-18.64-45L142.57 101 8.45 235.14a28.86 28.86 0 0 0 0 40.81l195.61 195.6a28.86 28.86 0 0 0 40.8 0l194.69-194.69a28.86 28.86 0 0 0 0-40.81z"/></svg>
</div>
<div class="md-source__repository">
GitHub
</div>
</a>
</div>
</nav>
</header>
<div class="md-container" data-md-component="container">
<main class="md-main" data-md-component="main">
<div class="md-main__inner md-grid">
<div class="md-sidebar md-sidebar--primary" data-md-component="sidebar" data-md-type="navigation" >
<div class="md-sidebar__scrollwrap">
<div class="md-sidebar__inner">
<nav class="md-nav md-nav--primary" aria-label="Navigation" data-md-level="0">
<label class="md-nav__title" for="__drawer">
<a href=".." title="Kube-bench" class="md-nav__button md-logo" aria-label="Kube-bench" data-md-component="logo">
<img src="../images/kube-bench-logo-only.png" alt="logo">
</a>
Kube-bench
</label>
<div class="md-nav__source">
<a href="https://github.com/aquasecurity/kube-bench/" title="Go to repository" class="md-source" data-md-component="source">
<div class="md-source__icon md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512"><path d="M439.55 236.05 244 40.45a28.87 28.87 0 0 0-40.81 0l-40.66 40.63 51.52 51.52c27.06-9.14 52.68 16.77 43.39 43.68l49.66 49.66c34.23-11.8 61.18 31 35.47 56.69-26.49 26.49-70.21-2.87-56-37.34L240.22 199v121.85c25.3 12.54 22.26 41.85 9.08 55a34.34 34.34 0 0 1-48.55 0c-17.57-17.6-11.07-46.91 11.25-56v-123c-20.8-8.51-24.6-30.74-18.64-45L142.57 101 8.45 235.14a28.86 28.86 0 0 0 0 40.81l195.61 195.6a28.86 28.86 0 0 0 40.8 0l194.69-194.69a28.86 28.86 0 0 0 0-40.81z"/></svg>
</div>
<div class="md-source__repository">
GitHub
</div>
</a>
</div>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href=".." class="md-nav__link">
Overview
</a>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_2" type="checkbox" id="__nav_2" >
<label class="md-nav__link" for="__nav_2">
Getting Started
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Getting Started" data-md-level="1">
<label class="md-nav__title" for="__nav_2">
<span class="md-nav__icon md-icon"></span>
Getting Started
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../installation/" class="md-nav__link">
Installation
</a>
</li>
<li class="md-nav__item">
<a href="../platforms/" class="md-nav__link">
Platforms
</a>
</li>
<li class="md-nav__item">
<a href="../running/" class="md-nav__link">
How to run
</a>
</li>
<li class="md-nav__item">
<a href="../asff/" class="md-nav__link">
ASFF
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="../flags-and-commands/" class="md-nav__link">
Flags
</a>
</li>
<li class="md-nav__item md-nav__item--active md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_4" type="checkbox" id="__nav_4" checked>
<label class="md-nav__link" for="__nav_4">
Configuration Options
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Configuration Options" data-md-level="1">
<label class="md-nav__title" for="__nav_4">
<span class="md-nav__icon md-icon"></span>
Configuration Options
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item md-nav__item--active">
<input class="md-nav__toggle md-toggle" data-md-toggle="toc" type="checkbox" id="__toc">
<label class="md-nav__link md-nav__link--active" for="__toc">
Understanding the yamls
<span class="md-nav__icon md-icon"></span>
</label>
<a href="./" class="md-nav__link md-nav__link--active">
Understanding the yamls
</a>
<nav class="md-nav md-nav--secondary" aria-label="Table of contents">
<label class="md-nav__title" for="__toc">
<span class="md-nav__icon md-icon"></span>
Table of contents
</label>
<ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
<li class="md-nav__item">
<a href="#controls" class="md-nav__link">
Controls
</a>
</li>
<li class="md-nav__item">
<a href="#groups" class="md-nav__link">
Groups
</a>
</li>
<li class="md-nav__item">
<a href="#check" class="md-nav__link">
Check
</a>
</li>
<li class="md-nav__item">
<a href="#omitting-checks" class="md-nav__link">
Omitting checks
</a>
</li>
<li class="md-nav__item">
<a href="#configuration-and-variables" class="md-nav__link">
Configuration and Variables
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="../architecture/" class="md-nav__link">
Architecture
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="../CONTRIBUTING.md" class="md-nav__link">
Contributing
</a>
</li>
</ul>
</nav>
</div>
</div>
</div>
<div class="md-sidebar md-sidebar--secondary" data-md-component="sidebar" data-md-type="toc" >
<div class="md-sidebar__scrollwrap">
<div class="md-sidebar__inner">
<nav class="md-nav md-nav--secondary" aria-label="Table of contents">
<label class="md-nav__title" for="__toc">
<span class="md-nav__icon md-icon"></span>
Table of contents
</label>
<ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
<li class="md-nav__item">
<a href="#controls" class="md-nav__link">
Controls
</a>
</li>
<li class="md-nav__item">
<a href="#groups" class="md-nav__link">
Groups
</a>
</li>
<li class="md-nav__item">
<a href="#check" class="md-nav__link">
Check
</a>
</li>
<li class="md-nav__item">
<a href="#omitting-checks" class="md-nav__link">
Omitting checks
</a>
</li>
<li class="md-nav__item">
<a href="#configuration-and-variables" class="md-nav__link">
Configuration and Variables
</a>
</li>
</ul>
</nav>
</div>
</div>
</div>
<div class="md-content" data-md-component="content">
<article class="md-content__inner md-typeset">
<h1 id="test-and-config-files">Test and config files</h1>
<p><code>kube-bench</code> runs checks specified in <code>controls</code> files that are a YAML
representation of the CIS Kubernetes Benchmark checks (or other distribution-specific hardening guides). </p>
<h2 id="controls">Controls</h2>
<p><code>controls</code> is a YAML document that contains checks that must be run against a
specific Kubernetes node type, master or node and version.</p>
<p><code>controls</code> is the fundamental input to <code>kube-bench</code>. The following is an example
of a basic <code>controls</code>:</p>
<div class="highlight"><pre><span></span><code>---
controls:
id: 1
text: &quot;Master Node Security Configuration&quot;
type: &quot;master&quot;
groups:
- id: 1.1
text: API Server
checks:
- id: 1.1.1
text: &quot;Ensure that the --allow-privileged argument is set (Scored)&quot;
audit: &quot;ps -ef | grep kube-apiserver | grep -v grep&quot;
tests:
bin_op: or
test_items:
- flag: &quot;--allow-privileged&quot;
set: true
- flag: &quot;--some-other-flag&quot;
set: false
remediation: &quot;Edit the /etc/kubernetes/config file on the master node and
set the KUBE_ALLOW_PRIV parameter to &#39;--allow-privileged=false&#39;&quot;
scored: true
- id: 1.2
text: Scheduler
checks:
- id: 1.2.1
text: &quot;Ensure that the --profiling argument is set to false (Scored)&quot;
audit: &quot;ps -ef | grep kube-scheduler | grep -v grep&quot;
tests:
bin_op: and
test_items:
- flag: &quot;--profiling&quot;
set: true
- flag: &quot;--some-other-flag&quot;
set: false
remediation: &quot;Edit the /etc/kubernetes/config file on the master node and
set the KUBE_ALLOW_PRIV parameter to &#39;--allow-privileged=false&#39;&quot;
scored: true
</code></pre></div>
<p><code>controls</code> is composed of a hierarchy of groups, sub-groups and checks. Each of
the <code>controls</code> components have an id and a text description which are displayed
in the <code>kube-bench</code> output.</p>
<p><code>type</code> specifies what kubernetes node type a <code>controls</code> is for. Possible values
for <code>type</code> are <code>master</code> and <code>node</code>.</p>
<h2 id="groups">Groups</h2>
<p><code>groups</code> is a list of subgroups that test the various Kubernetes components
that run on the node type specified in the <code>controls</code>. </p>
<p>For example, one subgroup checks parameters passed to the API server binary, while
another subgroup checks parameters passed to the controller-manager binary.</p>
<div class="highlight"><pre><span></span><code>groups:
- id: 1.1
text: API Server
# ...
- id: 1.2
text: Scheduler
# ...
</code></pre></div>
<p>These subgroups have <code>id</code>, <code>text</code> fields which serve the same purposes described
in the previous paragraphs. The most important part of the subgroup is the
<code>checks</code> field which is the collection of actual <code>check</code>s that form the subgroup.</p>
<p>This is an example of a subgroup and checks in the subgroup.</p>
<div class="highlight"><pre><span></span><code>id: 1.1
text: API Server
checks:
- id: 1.1.1
text: &quot;Ensure that the --allow-privileged argument is set (Scored)&quot;
audit: &quot;ps -ef | grep kube-apiserver | grep -v grep&quot;
tests:
# ...
- id: 1.1.2
text: &quot;Ensure that the --anonymous-auth argument is set to false (Not Scored)&quot;
audit: &quot;ps -ef | grep kube-apiserver | grep -v grep&quot;
tests:
# ...
</code></pre></div>
<p><code>kube-bench</code> supports running a subgroup by specifying the subgroup <code>id</code> on the
command line, with the flag <code>--group</code> or <code>-g</code>.</p>
<h2 id="check">Check</h2>
<p>The CIS Kubernetes Benchmark recommends configurations to harden Kubernetes components. These recommendations are usually configuration options and can be
specified by flags to Kubernetes binaries, or in configuration files.</p>
<p>The Benchmark also provides commands to audit a Kubernetes installation, identify
places where the cluster security can be improved, and steps to remediate these
identified problems.</p>
<p>In <code>kube-bench</code>, <code>check</code> objects embody these recommendations. This an example
<code>check</code> object:</p>
<div class="highlight"><pre><span></span><code>id: 1.1.1
text: &quot;Ensure that the --anonymous-auth argument is set to false (Not Scored)&quot;
audit: &quot;ps -ef | grep kube-apiserver | grep -v grep&quot;
tests:
test_items:
- flag: &quot;--anonymous-auth&quot;
compare:
op: eq
value: false
set: true
remediation: |
Edit the API server pod specification file kube-apiserver
on the master node and set the below parameter.
--anonymous-auth=false
scored: false
</code></pre></div>
<p>A <code>check</code> object has an <code>id</code>, a <code>text</code>, an <code>audit</code>, a <code>tests</code>, <code>remediation</code>
and <code>scored</code> fields.</p>
<p><code>kube-bench</code> supports running individual checks by specifying the check's <code>id</code>
as a comma-delimited list on the command line with the <code>--check</code> flag.</p>
<p>The <code>audit</code> field specifies the command to run for a check. The output of this
command is then evaluated for conformance with the CIS Kubernetes Benchmark
recommendation.</p>
<p>The audit is evaluated against criteria specified by the <code>tests</code>
object. <code>tests</code> contain <code>bin_op</code> and <code>test_items</code>.</p>
<p><code>test_items</code> specify the criteria(s) the <code>audit</code> command's output should meet to
pass a check. This criteria is made up of keywords extracted from the output of
the <code>audit</code> command and operations that compare these keywords against
values expected by the CIS Kubernetes Benchmark. </p>
<p>There are three ways to run and extract keywords from the output of the command used,
| Command | Output var |
|---|---|
| <code>audit</code> | <code>flag</code> |
| <code>audit_config</code> | <code>path</code> |
| <code>audit_env</code> | <code>env</code> |</p>
<p><code>flag</code> is used when the keyword is a command-line flag. The associated <code>audit</code> command could
be any binaries available on the system like <code>ps</code> command and a <code>grep</code> for the binary whose flag we are
checking:</p>
<div class="highlight"><pre><span></span><code>ps -ef <span class="p">|</span> grep somebinary <span class="p">|</span> grep -v grep
</code></pre></div>
<p>Here is an example usage of the <code>flag</code> option:</p>
<div class="highlight"><pre><span></span><code># ...
audit: &quot;ps -ef | grep kube-apiserver | grep -v grep&quot;
tests:
test_items:
- flag: &quot;--anonymous-auth&quot;
# ...
</code></pre></div>
<p><code>path</code> is used when the keyword is an option set in a JSON or YAML config file.
The associated <code>audit_command</code> command is usually <code>cat /path/to/config-yaml-or-json</code>.
For example:</p>
<div class="highlight"><pre><span></span><code># ...
text: &quot;Ensure that the --anonymous-auth argument is set to false (Not Scored)&quot;
audit: &quot;cat /path/to/some/config&quot;
tests:
test_items:
- path: &quot;{.someoption.value}&quot;
# ...
</code></pre></div>
<p><code>env</code> is used to check if the value is present within a specified environment variable. The presence of <code>env</code> is treated as an OR operation, if both <code>flag</code> and <code>env</code> are supplied it will use either to attempt pass the check.
The command used for checking the environment variables of a process <strong>is generated by default</strong>.</p>
<p>If the command being generated is causing errors, you can override the command used by setting <code>audit_env</code> on the check.
Similarly, if you don't want the environment checking command to be generated or run at all, specify <code>disableEnvTesting</code> as true on the check.</p>
<p>The example below will check if the flag <code>--auto-tls</code> is equal to false <em>OR</em> <code>ETCD_AUTO_TLS</code> is equal to false</p>
<p><div class="highlight"><pre><span></span><code> test_items:
- flag: &quot;--auto-tls&quot;
env: &quot;ETCD_AUTO_TLS&quot;
compare:
op: eq
value: false
</code></pre></div>
<strong>Note:</strong> flag, path and env will act as OR if more then one present. </p>
<p><code>test_item</code> compares the output of the audit command and keywords using the
<code>set</code> and <code>compare</code> fields.</p>
<div class="highlight"><pre><span></span><code> test_items:
- flag: &quot;--anonymous-auth&quot;
compare:
op: eq
value: false
set: true
</code></pre></div>
<p><code>set</code> checks if a keyword is present in the output of the audit command or a config file. The possible values for <code>set</code> are true and false.</p>
<p>If <code>set</code> is true, the check passes only if the keyword is present in the output
of the audit command, or config file. If <code>set</code> is false, the check passes only
if the keyword is not present in the output of the audit command, or config file.
<code>set</code> is true by default.</p>
<p><code>compare</code> has two fields <code>op</code> and <code>value</code> to compare keywords with expected
value. <code>op</code> specifies which operation is used for the comparison, and <code>value</code>
specifies the value to compare against.</p>
<blockquote>
<p>To use <code>compare</code>, <code>set</code> must true. The comparison will be ignored if <code>set</code> is
false</p>
</blockquote>
<p>The <code>op</code> (operations) currently supported in <code>kube-bench</code> are:
- <code>eq</code>: tests if the keyword is equal to the compared value.
- <code>noteq</code>: tests if the keyword is unequal to the compared value.
- <code>gt</code>: tests if the keyword is greater than the compared value.
- <code>gte</code>: tests if the keyword is greater than or equal to the compared value.
- <code>lt</code>: tests if the keyword is less than the compared value.
- <code>lte</code>: tests if the keyword is less than or equal to the compared value.
- <code>has</code>: tests if the keyword contains the compared value.
- <code>nothave</code>: tests if the keyword does not contain the compared value.
- <code>regex</code>: tests if the flag value matches the compared value regular expression.
When defining regular expressions in YAML it is generally easier to wrap them in
single quotes, for example <code>'^[abc]$'</code>, to avoid issues with string escaping.
- <code>bitmask</code> : tests if keyward is bitmasked with the compared value, common usege is for
comparing file permissions in linux.</p>
<h2 id="omitting-checks">Omitting checks</h2>
<p>If you decide that a recommendation is not appropriate for your environment, you can choose to omit it by editing the test YAML file to give it the check type <code>skip</code> as in this example:</p>
<div class="highlight"><pre><span></span><code> <span class="nt">checks</span><span class="p">:</span>
<span class="p p-Indicator">-</span> <span class="nt">id</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">2.1.1</span>
<span class="nt">text</span><span class="p">:</span> <span class="s">&quot;Ensure</span><span class="nv"> </span><span class="s">that</span><span class="nv"> </span><span class="s">the</span><span class="nv"> </span><span class="s">--allow-privileged</span><span class="nv"> </span><span class="s">argument</span><span class="nv"> </span><span class="s">is</span><span class="nv"> </span><span class="s">set</span><span class="nv"> </span><span class="s">to</span><span class="nv"> </span><span class="s">false</span><span class="nv"> </span><span class="s">(Scored)&quot;</span>
<span class="nt">type</span><span class="p">:</span> <span class="s">&quot;skip&quot;</span>
<span class="nt">scored</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">true</span>
</code></pre></div>
<p>No tests will be run for this check and the output will be marked [INFO].</p>
<h2 id="configuration-and-variables">Configuration and Variables</h2>
<p>Kubernetes component configuration and binary file locations and names
vary based on cluster deployment methods and Kubernetes distribution used.
For this reason, the locations of these binaries and config files are configurable
by editing the <code>cfg/config.yaml</code> file and these binaries and files can be
referenced in a <code>controls</code> file via variables.</p>
<p>The <code>cfg/config.yaml</code> file is a global configuration file. Configuration files
can be created for specific Kubernetes versions (distributions). Values in the
version-specific config overwrite similar values in <code>cfg/config.yaml</code>.</p>
<p>For example, the kube-apiserver in Red Hat OCP distribution is run as
<code>hypershift openshift-kube-apiserver</code> instead of the default <code>kube-apiserver</code>.
This difference can be specified by editing the <code>master.apiserver.defaultbin</code>
entry <code>cfg/rh-0.7/config.yaml</code>.</p>
<p>Below is the structure of <code>cfg/config.yaml</code>:</p>
<div class="highlight"><pre><span></span><code>nodetype
|-- components
|-- component1
|-- component1
|-- bins
|-- defaultbin (optional)
|-- confs
|-- defaultconf (optional)
|-- svcs
|-- defaultsvc (optional)
|-- kubeconfig
|-- defaultkubeconfig (optional)
</code></pre></div>
<p>Every node type has a subsection that specifies the main configuration items.</p>
<ul>
<li><code>components</code>: A list of components for the node type. For example master
will have an entry for <strong>apiserver</strong>, <strong>scheduler</strong> and <strong>controllermanager</strong>.</li>
</ul>
<p>Each component has the following entries:</p>
<ul>
<li><code>bins</code>: A list of candidate binaries for a component. <code>kube-bench</code> checks this
list and selects the <strong>first</strong> binary that is running on the node.</li>
</ul>
<p>If none of the binaries in <code>bins</code> list is running, <code>kube-bench</code> checks if the
binary specified by <code>defaultbin</code> is running and terminates if none of the
binaries in both <code>bins</code> and <code>defaultbin</code> is running.</p>
<p>The selected binary for a component can be referenced in <code>controls</code> using a
variable in the form <code>$&lt;component&gt;bin</code>. In the example below, we reference
the selected API server binary with the variable <code>$apiserverbin</code> in an <code>audit</code>
command.</p>
<div class="highlight"><pre><span></span><code>id: 1.1.1
text: &quot;Ensure that the --anonymous-auth argument is set to false (Scored)&quot;
audit: &quot;ps -ef | grep $apiserverbin | grep -v grep&quot;
# ...
</code></pre></div>
<ul>
<li><code>confs</code>: A list of candidate configuration files for a component. <code>kube-bench</code>
checks this list and selects the <strong>first</strong> config file that is found on the node.
If none of the config files exists, <code>kube-bench</code> defaults conf to the value
of <code>defaultconf</code>.</li>
</ul>
<p>The selected config for a component can be referenced in <code>controls</code> using a
variable in the form <code>$&lt;component&gt;conf</code>. In the example below, we reference the
selected API server config file with the variable <code>$apiserverconf</code> in an <code>audit</code>
command.</p>
<div class="highlight"><pre><span></span><code>id: 1.4.1
text: &quot;Ensure that the API server pod specification file permissions are
set to 644 or more restrictive (Scored)&quot;
audit: &quot;/bin/sh -c &#39;if test -e $apiserverconf; then stat -c %a $apiserverconf; fi&#39;&quot;
</code></pre></div>
<ul>
<li><code>svcs</code>: A list of candidate unitfiles for a component. <code>kube-bench</code> checks this
list and selects the <strong>first</strong> unitfile that is found on the node. If none of the
unitfiles exists, <code>kube-bench</code> defaults unitfile to the value of <code>defaultsvc</code>.</li>
</ul>
<p>The selected unitfile for a component can be referenced in <code>controls</code> via a
variable in the form <code>$&lt;component&gt;svc</code>. In the example below, the selected
kubelet unitfile is referenced with <code>$kubeletsvc</code> in the <code>remediation</code> of the
<code>check</code>.</p>
<div class="highlight"><pre><span></span><code>id: 2.1.1
# ...
remediation: |
Edit the kubelet service file $kubeletsvc
on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--allow-privileged=false
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
# ...
</code></pre></div>
<ul>
<li>
<p><code>kubeconfig</code>: A list of candidate kubeconfig files for a component. <code>kube-bench</code>
checks this list and selects the <strong>first</strong> file that is found on the node. If none
of the files exists, <code>kube-bench</code> defaults kubeconfig to the value of
<code>defaultkubeconfig</code>.</p>
<p>The selected kubeconfig for a component can be referenced in <code>controls</code> with a variable in the form <code>$&lt;component&gt;kubeconfig</code>. In the example below, the
selected kubelet kubeconfig is referenced with <code>$kubeletkubeconfig</code> in the
<code>audit</code> command.</p>
<div class="highlight"><pre><span></span><code>id: 2.2.1
text: &quot;Ensure that the kubelet.conf file permissions are set to 644 or
more restrictive (Scored)&quot;
audit: &quot;/bin/sh -c &#39;if test -e $kubeletkubeconfig; then stat -c %a $kubeletkubeconfig; fi&#39;&quot;
# ...
</code></pre></div>
</li>
</ul>
</article>
</div>
</div>
</main>
<footer class="md-footer">
<nav class="md-footer__inner md-grid" aria-label="Footer">
<a href="../flags-and-commands/" class="md-footer__link md-footer__link--prev" aria-label="Previous: Flags" rel="prev">
<div class="md-footer__button md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M20 11v2H8l5.5 5.5-1.42 1.42L4.16 12l7.92-7.92L13.5 5.5 8 11h12z"/></svg>
</div>
<div class="md-footer__title">
<div class="md-ellipsis">
<span class="md-footer__direction">
Previous
</span>
Flags
</div>
</div>
</a>
<a href="../architecture/" class="md-footer__link md-footer__link--next" aria-label="Next: Architecture" rel="next">
<div class="md-footer__title">
<div class="md-ellipsis">
<span class="md-footer__direction">
Next
</span>
Architecture
</div>
</div>
<div class="md-footer__button md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M4 11v2h12l-5.5 5.5 1.42 1.42L19.84 12l-7.92-7.92L10.5 5.5 16 11H4z"/></svg>
</div>
</a>
</nav>
<div class="md-footer-meta md-typeset">
<div class="md-footer-meta__inner md-grid">
<div class="md-copyright">
</div>
</div>
</div>
</footer>
</div>
<div class="md-dialog" data-md-component="dialog">
<div class="md-dialog__inner md-typeset"></div>
</div>
<script id="__config" type="application/json">{"base": "..", "features": [], "translations": {"clipboard.copy": "Copy to clipboard", "clipboard.copied": "Copied to clipboard", "search.config.lang": "en", "search.config.pipeline": "stopWordFilter", "search.config.separator": "[\\s\\-]+", "search.placeholder": "Search", "search.result.placeholder": "Type to start searching", "search.result.none": "No matching documents", "search.result.one": "1 matching document", "search.result.other": "# matching documents", "search.result.more.one": "1 more on this page", "search.result.more.other": "# more on this page", "search.result.term.missing": "Missing", "select.version.title": "Select version"}, "search": "../assets/javascripts/workers/search.81d897cb.min.js", "version": {"method": "mike", "provider": "mike"}}</script>
<script src="../assets/javascripts/bundle.adafc647.min.js"></script>
</body>
</html>

@ -0,0 +1,915 @@
<!doctype html>
<html lang="en" class="no-js">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width,initial-scale=1">
<meta name="description" content="Checks whether Kubernetes is deployed according to security best practices as defined in the CIS Kubernetes Benchmark">
<link rel="canonical" href="https://aquasecurity.github.io/kube-bench/v0.6.5/flags-and-commands/">
<link rel="icon" href="../assets/images/favicon.png">
<meta name="generator" content="mkdocs-1.2.3, mkdocs-material-8.0.2+insiders-4.1.0">
<title>Flags - Kube-bench</title>
<link rel="stylesheet" href="../assets/stylesheets/main.adb7b03c.min.css">
<link rel="stylesheet" href="../assets/stylesheets/palette.fe799546.min.css">
<link rel="preload" as="style" href="../assets/stylesheets/vendor/mermaid.733f213f.min.css">
<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto:300,400,400i,700%7CRoboto+Mono&display=fallback">
<style>:root{--md-text-font:"Roboto";--md-code-font:"Roboto Mono"}</style>
<script>function __md_scope(e,t,_){return new URL(_||(t===localStorage?"..":".."),location).pathname+"."+e}function __md_get(e,t=localStorage,_){return JSON.parse(t.getItem(__md_scope(e,t,_)))}function __md_set(e,t,_=localStorage,o){try{_.setItem(__md_scope(e,_,o),JSON.stringify(t))}catch(e){}}</script>
</head>
<body dir="ltr" data-md-color-scheme="" data-md-color-primary="none" data-md-color-accent="none">
<input class="md-toggle" data-md-toggle="drawer" type="checkbox" id="__drawer" autocomplete="off">
<input class="md-toggle" data-md-toggle="search" type="checkbox" id="__search" autocomplete="off">
<label class="md-overlay" for="__drawer"></label>
<div data-md-component="skip">
<a href="#commands" class="md-skip">
Skip to content
</a>
</div>
<div data-md-component="announce">
</div>
<div data-md-component="outdated" hidden>
</div>
<header class="md-header" data-md-component="header">
<nav class="md-header__inner md-grid" aria-label="Header">
<a href=".." title="Kube-bench" class="md-header__button md-logo" aria-label="Kube-bench" data-md-component="logo">
<img src="../images/kube-bench-logo-only.png" alt="logo">
</a>
<label class="md-header__button md-icon" for="__drawer">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M3 6h18v2H3V6m0 5h18v2H3v-2m0 5h18v2H3v-2z"/></svg>
</label>
<div class="md-header__title" data-md-component="header-title">
<div class="md-header__ellipsis">
<div class="md-header__topic">
<span class="md-ellipsis">
Kube-bench
</span>
</div>
<div class="md-header__topic" data-md-component="header-topic">
<span class="md-ellipsis">
Flags
</span>
</div>
</div>
</div>
<label class="md-header__button md-icon" for="__search">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.516 6.516 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5z"/></svg>
</label>
<div class="md-search" data-md-component="search" role="dialog">
<label class="md-search__overlay" for="__search"></label>
<div class="md-search__inner" role="search">
<form class="md-search__form" name="search">
<input type="text" class="md-search__input" name="query" aria-label="Search" placeholder="Search" autocapitalize="off" autocorrect="off" autocomplete="off" spellcheck="false" data-md-component="search-query" required>
<label class="md-search__icon md-icon" for="__search">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.516 6.516 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5z"/></svg>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M20 11v2H8l5.5 5.5-1.42 1.42L4.16 12l7.92-7.92L13.5 5.5 8 11h12z"/></svg>
</label>
<nav class="md-search__options" aria-label="Search">
<button type="reset" class="md-search__icon md-icon" aria-label="Clear" tabindex="-1">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M19 6.41 17.59 5 12 10.59 6.41 5 5 6.41 10.59 12 5 17.59 6.41 19 12 13.41 17.59 19 19 17.59 13.41 12 19 6.41z"/></svg>
</button>
</nav>
</form>
<div class="md-search__output">
<div class="md-search__scrollwrap" data-md-scrollfix>
<div class="md-search-result" data-md-component="search-result">
<div class="md-search-result__meta">
Initializing search
</div>
<ol class="md-search-result__list"></ol>
</div>
</div>
</div>
</div>
</div>
<div class="md-header__source">
<a href="https://github.com/aquasecurity/kube-bench/" title="Go to repository" class="md-source" data-md-component="source">
<div class="md-source__icon md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512"><path d="M439.55 236.05 244 40.45a28.87 28.87 0 0 0-40.81 0l-40.66 40.63 51.52 51.52c27.06-9.14 52.68 16.77 43.39 43.68l49.66 49.66c34.23-11.8 61.18 31 35.47 56.69-26.49 26.49-70.21-2.87-56-37.34L240.22 199v121.85c25.3 12.54 22.26 41.85 9.08 55a34.34 34.34 0 0 1-48.55 0c-17.57-17.6-11.07-46.91 11.25-56v-123c-20.8-8.51-24.6-30.74-18.64-45L142.57 101 8.45 235.14a28.86 28.86 0 0 0 0 40.81l195.61 195.6a28.86 28.86 0 0 0 40.8 0l194.69-194.69a28.86 28.86 0 0 0 0-40.81z"/></svg>
</div>
<div class="md-source__repository">
GitHub
</div>
</a>
</div>
</nav>
</header>
<div class="md-container" data-md-component="container">
<main class="md-main" data-md-component="main">
<div class="md-main__inner md-grid">
<div class="md-sidebar md-sidebar--primary" data-md-component="sidebar" data-md-type="navigation" >
<div class="md-sidebar__scrollwrap">
<div class="md-sidebar__inner">
<nav class="md-nav md-nav--primary" aria-label="Navigation" data-md-level="0">
<label class="md-nav__title" for="__drawer">
<a href=".." title="Kube-bench" class="md-nav__button md-logo" aria-label="Kube-bench" data-md-component="logo">
<img src="../images/kube-bench-logo-only.png" alt="logo">
</a>
Kube-bench
</label>
<div class="md-nav__source">
<a href="https://github.com/aquasecurity/kube-bench/" title="Go to repository" class="md-source" data-md-component="source">
<div class="md-source__icon md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512"><path d="M439.55 236.05 244 40.45a28.87 28.87 0 0 0-40.81 0l-40.66 40.63 51.52 51.52c27.06-9.14 52.68 16.77 43.39 43.68l49.66 49.66c34.23-11.8 61.18 31 35.47 56.69-26.49 26.49-70.21-2.87-56-37.34L240.22 199v121.85c25.3 12.54 22.26 41.85 9.08 55a34.34 34.34 0 0 1-48.55 0c-17.57-17.6-11.07-46.91 11.25-56v-123c-20.8-8.51-24.6-30.74-18.64-45L142.57 101 8.45 235.14a28.86 28.86 0 0 0 0 40.81l195.61 195.6a28.86 28.86 0 0 0 40.8 0l194.69-194.69a28.86 28.86 0 0 0 0-40.81z"/></svg>
</div>
<div class="md-source__repository">
GitHub
</div>
</a>
</div>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href=".." class="md-nav__link">
Overview
</a>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_2" type="checkbox" id="__nav_2" >
<label class="md-nav__link" for="__nav_2">
Getting Started
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Getting Started" data-md-level="1">
<label class="md-nav__title" for="__nav_2">
<span class="md-nav__icon md-icon"></span>
Getting Started
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../installation/" class="md-nav__link">
Installation
</a>
</li>
<li class="md-nav__item">
<a href="../platforms/" class="md-nav__link">
Platforms
</a>
</li>
<li class="md-nav__item">
<a href="../running/" class="md-nav__link">
How to run
</a>
</li>
<li class="md-nav__item">
<a href="../asff/" class="md-nav__link">
ASFF
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--active">
<input class="md-nav__toggle md-toggle" data-md-toggle="toc" type="checkbox" id="__toc">
<label class="md-nav__link md-nav__link--active" for="__toc">
Flags
<span class="md-nav__icon md-icon"></span>
</label>
<a href="./" class="md-nav__link md-nav__link--active">
Flags
</a>
<nav class="md-nav md-nav--secondary" aria-label="Table of contents">
<label class="md-nav__title" for="__toc">
<span class="md-nav__icon md-icon"></span>
Table of contents
</label>
<ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
<li class="md-nav__item">
<a href="#commands" class="md-nav__link">
Commands
</a>
</li>
<li class="md-nav__item">
<a href="#flags" class="md-nav__link">
Flags
</a>
<nav class="md-nav" aria-label="Flags">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#examples" class="md-nav__link">
Examples
</a>
<nav class="md-nav" aria-label="Examples">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#report-kube-bench-findings-to-aws-security-hub" class="md-nav__link">
Report kube-bench findings to AWS Security Hub
</a>
</li>
<li class="md-nav__item">
<a href="#specifying-the-benchmark-or-kubernetes-version" class="md-nav__link">
Specifying the benchmark or Kubernetes version
</a>
</li>
<li class="md-nav__item">
<a href="#specifying-benchmark-sections" class="md-nav__link">
Specifying Benchmark sections
</a>
</li>
<li class="md-nav__item">
<a href="#run-specific-check-or-group" class="md-nav__link">
Run specific check or group
</a>
</li>
<li class="md-nav__item">
<a href="#skip-specific-check-or-group" class="md-nav__link">
Skip specific check or group
</a>
</li>
<li class="md-nav__item">
<a href="#exit-code" class="md-nav__link">
Exit code
</a>
</li>
<li class="md-nav__item">
<a href="#output-manipulation-flags" class="md-nav__link">
Output manipulation flags
</a>
</li>
<li class="md-nav__item">
<a href="#troubleshooting" class="md-nav__link">
Troubleshooting
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_4" type="checkbox" id="__nav_4" >
<label class="md-nav__link" for="__nav_4">
Configuration Options
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Configuration Options" data-md-level="1">
<label class="md-nav__title" for="__nav_4">
<span class="md-nav__icon md-icon"></span>
Configuration Options
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../controls/" class="md-nav__link">
Understanding the yamls
</a>
</li>
<li class="md-nav__item">
<a href="../architecture/" class="md-nav__link">
Architecture
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="../CONTRIBUTING.md" class="md-nav__link">
Contributing
</a>
</li>
</ul>
</nav>
</div>
</div>
</div>
<div class="md-sidebar md-sidebar--secondary" data-md-component="sidebar" data-md-type="toc" >
<div class="md-sidebar__scrollwrap">
<div class="md-sidebar__inner">
<nav class="md-nav md-nav--secondary" aria-label="Table of contents">
<label class="md-nav__title" for="__toc">
<span class="md-nav__icon md-icon"></span>
Table of contents
</label>
<ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
<li class="md-nav__item">
<a href="#commands" class="md-nav__link">
Commands
</a>
</li>
<li class="md-nav__item">
<a href="#flags" class="md-nav__link">
Flags
</a>
<nav class="md-nav" aria-label="Flags">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#examples" class="md-nav__link">
Examples
</a>
<nav class="md-nav" aria-label="Examples">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#report-kube-bench-findings-to-aws-security-hub" class="md-nav__link">
Report kube-bench findings to AWS Security Hub
</a>
</li>
<li class="md-nav__item">
<a href="#specifying-the-benchmark-or-kubernetes-version" class="md-nav__link">
Specifying the benchmark or Kubernetes version
</a>
</li>
<li class="md-nav__item">
<a href="#specifying-benchmark-sections" class="md-nav__link">
Specifying Benchmark sections
</a>
</li>
<li class="md-nav__item">
<a href="#run-specific-check-or-group" class="md-nav__link">
Run specific check or group
</a>
</li>
<li class="md-nav__item">
<a href="#skip-specific-check-or-group" class="md-nav__link">
Skip specific check or group
</a>
</li>
<li class="md-nav__item">
<a href="#exit-code" class="md-nav__link">
Exit code
</a>
</li>
<li class="md-nav__item">
<a href="#output-manipulation-flags" class="md-nav__link">
Output manipulation flags
</a>
</li>
<li class="md-nav__item">
<a href="#troubleshooting" class="md-nav__link">
Troubleshooting
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</div>
</div>
</div>
<div class="md-content" data-md-component="content">
<article class="md-content__inner md-typeset">
<h1>Flags</h1>
<h2 id="commands">Commands</h2>
<table>
<thead>
<tr>
<th>Command</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>help</td>
<td>Prints help about any command</td>
</tr>
<tr>
<td>run</td>
<td>List of components to run</td>
</tr>
<tr>
<td>version</td>
<td>Print kube-bench version</td>
</tr>
</tbody>
</table>
<h2 id="flags">Flags</h2>
<table>
<thead>
<tr>
<th>Flag</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>--alsologtostderr</td>
<td>log to standard error as well as files</td>
</tr>
<tr>
<td>--asff</td>
<td>Send findings to AWS Security Hub for any benchmark tests that fail or that generate a warning. See [this page][kube-bench-aws-security-hub] for more information on how to enable the kube-bench integration with AWS Security Hub.</td>
</tr>
<tr>
<td>--benchmark</td>
<td>Manually specify CIS benchmark version</td>
</tr>
<tr>
<td>-c, --check</td>
<td>A comma-delimited list of checks to run as specified in Benchmark document.</td>
</tr>
<tr>
<td>--config</td>
<td>config file (default is ./cfg/config.yaml)</td>
</tr>
<tr>
<td>--exit-code</td>
<td>Specify the exit code for when checks fail</td>
</tr>
<tr>
<td>--group</td>
<td>Run all the checks under this comma-delimited list of groups.</td>
</tr>
<tr>
<td>--include-test-output</td>
<td>Prints the actual result when test fails.</td>
</tr>
<tr>
<td>--json</td>
<td>Prints the results as JSON</td>
</tr>
<tr>
<td>--junit</td>
<td>Prints the results as JUnit</td>
</tr>
<tr>
<td>--log_backtrace_at traceLocation</td>
<td>when logging hits line file:N, emit a stack trace (default :0)</td>
</tr>
<tr>
<td>--logtostderr</td>
<td>log to standard error instead of files</td>
</tr>
<tr>
<td>--noremediations</td>
<td>Disable printing of remediations section to stdout.</td>
</tr>
<tr>
<td>--noresults</td>
<td>Disable printing of results section to stdout.</td>
</tr>
<tr>
<td>--nototals</td>
<td>Disable calculating and printing of totals for failed, passed, ... checks across all sections</td>
</tr>
<tr>
<td>--outputfile</td>
<td>Writes the JSON results to output file</td>
</tr>
<tr>
<td>--pgsql</td>
<td>Save the results to PostgreSQL</td>
</tr>
<tr>
<td>--scored</td>
<td>Run the scored CIS checks (default true)</td>
</tr>
<tr>
<td>--skip string</td>
<td>List of comma separated values of checks to be skipped</td>
</tr>
<tr>
<td>--stderrthreshold severity</td>
<td>logs at or above this threshold go to stderr (default 2)</td>
</tr>
<tr>
<td>-v, --v Level</td>
<td>log level for V logs (default 0)</td>
</tr>
<tr>
<td>--version string</td>
<td>Manually specify Kubernetes version, automatically detected if unset</td>
</tr>
<tr>
<td>--vmodule moduleSpec</td>
<td>comma-separated list of pattern=N settings for file-filtered logging</td>
</tr>
</tbody>
</table>
<h3 id="examples">Examples</h3>
<h4 id="report-kube-bench-findings-to-aws-security-hub">Report kube-bench findings to AWS Security Hub</h4>
<p>You can configure kube-bench with the <code>--asff</code> option to send findings to AWS Security Hub for any benchmark tests that fail or that generate a warning. See <a href="../asff/">this page</a> for more information on how to enable the kube-bench integration with AWS Security Hub.</p>
<h4 id="specifying-the-benchmark-or-kubernetes-version">Specifying the benchmark or Kubernetes version</h4>
<p><code>kube-bench</code> uses the Kubernetes API, or access to the <code>kubectl</code> or <code>kubelet</code> executables to try to determine the Kubernetes version, and hence which benchmark to run. If you wish to override this, or if none of these methods are available, you can specify either the Kubernetes version or CIS Benchmark as a command line parameter. </p>
<p>You can specify a particular version of Kubernetes by setting the <code>--version</code> flag or with the <code>KUBE_BENCH_VERSION</code> environment variable. The value of <code>--version</code> takes precedence over the value of <code>KUBE_BENCH_VERSION</code>.</p>
<p>For example, run kube-bench using the tests for Kubernetes version 1.13:</p>
<div class="highlight"><pre><span></span><code>kube-bench --version 1.13
</code></pre></div>
<p>You can specify <code>--benchmark</code> to run a specific CIS Benchmark version:</p>
<div class="highlight"><pre><span></span><code>kube-bench --benchmark cis-1.5
</code></pre></div>
<p><strong>Note:</strong> It is an error to specify both <code>--version</code> and <code>--benchmark</code> flags together</p>
<h4 id="specifying-benchmark-sections">Specifying Benchmark sections</h4>
<p>If you want to run specific CIS Benchmark sections (i.e master, node, etcd, etc...)
you can use the <code>run --targets</code> subcommand.</p>
<div class="highlight"><pre><span></span><code>kube-bench run --targets master,node
</code></pre></div>
<p>or</p>
<div class="highlight"><pre><span></span><code>kube-bench run --targets master,node,etcd,policies
</code></pre></div>
<p>If no targets are specified, <code>kube-bench</code> will determine the appropriate targets based on the CIS Benchmark version and the components detected on the node. The detection is done by verifying which components are running, as defined in the config files (see <a href="../controls/#configuration-and-variables">Configuration</a>.</p>
<h4 id="run-specific-check-or-group">Run specific check or group</h4>
<p><code>kube-bench</code> supports running individual checks by specifying the check's <code>id</code>
as a comma-delimited list on the command line with the <code>--check</code> | <code>-c</code> flag.
<code>kube-bench --check="1.1.1,1.1.2,1.2.1,1.3.3"</code></p>
<p><code>kube-bench</code> supports running all checks under group by specifying the group's <code>id</code>
as a comma-delimited list on the command line with the <code>--group</code> | <code>-g</code> flag.
<code>kube-bench --check="1.1,2.2"</code>
Will run all checks 1.1.X and 2.2.X. </p>
<h4 id="skip-specific-check-or-group">Skip specific check or group</h4>
<p><code>kube-bench</code> supports skipping checks or groups by specifying the <code>id</code>
as a comma-delimited list on the command line with the <code>--skip</code> flag.
<code>kube-bench --skip="1.1,1.2.1,1.3.3"</code>
Will skip 1.1.X group and individual checks 1.2.1, 1.3.3.
Skipped checks returns [INFO] output. </p>
<h4 id="exit-code">Exit code</h4>
<p><code>kube-bench</code> supports using uniqe exit code when failing a check or more.
<code>kube-bench --exit-code 42</code>
Will return 42 if one check or more failed, and 0 incase none failed.
<strong>Note:</strong> [WARN] is not [FAIL].</p>
<h4 id="output-manipulation-flags">Output manipulation flags</h4>
<p>There are four output states:
- [PASS] indicates that the test was run successfully, and passed.
- [FAIL] indicates that the test was run successfully, and failed. The remediation output describes how to correct the configuration, or includes an error message describing why the test could not be run.
- [WARN] means this test needs further attention, for example it is a test that needs to be run manually. Check the remediation output for further information.
- [INFO] is informational output that needs no further action.</p>
<p>Note:
- If the test is Manual, this always generates WARN (because the user has to run it manually)
- If the test is Scored, and kube-bench was unable to run the test, this generates FAIL (because the test has not been passed, and as a Scored test, if it doesn't pass then it must be considered a failure).
- If the test is Not Scored, and kube-bench was unable to run the test, this generates WARN.
- If the test is Scored, type is empty, and there are no <code>test_items</code> present, it generates a WARN. This is to highlight tests that appear to be incompletely defined.</p>
<p><code>kube-bench</code> supports multiple output manipulation flags.
<code>kube-bench --include-test-output</code> will print failing checks output in the results section
<div class="highlight"><pre><span></span><code>[INFO] 1 Master Node Security Configuration
[INFO] 1.1 Master Node Configuration Files
[FAIL] 1.1.1 Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Automated)
**permissions=777**
</code></pre></div></p>
<p><strong>Note:</strong> <code>--noresults</code> <code>--noremediations</code> and <code>--include-test-output</code> <strong>will not</strong> effect the json output but only stdout.
Only <code>--nototals</code> will effect the json output and thats because it will not call the function to calculate totals. </p>
<h4 id="troubleshooting">Troubleshooting</h4>
<p>Running <code>kube-bench</code> with the <code>-v 3</code> parameter will generate debug logs that can be very helpful for debugging problems.</p>
<p>If you are using one of the example <code>job*.yaml</code> files, you will need to edit the <code>command</code> field, for example <code>["kube-bench", "-v", "3"]</code>. Once the job has run, the logs can be retrieved using <code>kubectl logs</code> on the job's pod.</p>
</article>
</div>
</div>
</main>
<footer class="md-footer">
<nav class="md-footer__inner md-grid" aria-label="Footer">
<a href="../asff/" class="md-footer__link md-footer__link--prev" aria-label="Previous: ASFF" rel="prev">
<div class="md-footer__button md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M20 11v2H8l5.5 5.5-1.42 1.42L4.16 12l7.92-7.92L13.5 5.5 8 11h12z"/></svg>
</div>
<div class="md-footer__title">
<div class="md-ellipsis">
<span class="md-footer__direction">
Previous
</span>
ASFF
</div>
</div>
</a>
<a href="../controls/" class="md-footer__link md-footer__link--next" aria-label="Next: Understanding the yamls" rel="next">
<div class="md-footer__title">
<div class="md-ellipsis">
<span class="md-footer__direction">
Next
</span>
Understanding the yamls
</div>
</div>
<div class="md-footer__button md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M4 11v2h12l-5.5 5.5 1.42 1.42L19.84 12l-7.92-7.92L10.5 5.5 16 11H4z"/></svg>
</div>
</a>
</nav>
<div class="md-footer-meta md-typeset">
<div class="md-footer-meta__inner md-grid">
<div class="md-copyright">
</div>
</div>
</div>
</footer>
</div>
<div class="md-dialog" data-md-component="dialog">
<div class="md-dialog__inner md-typeset"></div>
</div>
<script id="__config" type="application/json">{"base": "..", "features": [], "translations": {"clipboard.copy": "Copy to clipboard", "clipboard.copied": "Copied to clipboard", "search.config.lang": "en", "search.config.pipeline": "stopWordFilter", "search.config.separator": "[\\s\\-]+", "search.placeholder": "Search", "search.result.placeholder": "Type to start searching", "search.result.none": "No matching documents", "search.result.one": "1 matching document", "search.result.other": "# matching documents", "search.result.more.one": "1 more on this page", "search.result.more.other": "# more on this page", "search.result.term.missing": "Missing", "select.version.title": "Select version"}, "search": "../assets/javascripts/workers/search.81d897cb.min.js", "version": {"method": "mike", "provider": "mike"}}</script>
<script src="../assets/javascripts/bundle.adafc647.min.js"></script>
</body>
</html>

Binary file not shown.


Binary file not shown.


Binary file not shown.


Binary file not shown.


Binary file not shown.


@ -0,0 +1,86 @@
<?xml version="1.0" encoding="iso-8859-1"?>
<!-- Generator: Adobe Illustrator 25.2.1, SVG Export Plug-In . SVG Version: 6.00 Build 0) -->
<svg version="1.1" id="_x30_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
width="500px" height="135px" viewBox="0 0 500 135" enable-background="new 0 0 500 135" xml:space="preserve">
<polygon fill="#1904DA" points="71.153,8.189 31.4,62.284 71.153,112.569 110.419,62.923 "/>
<path fill="#FF445F" d="M46.731,131.015c0.001,0,0.002,0,0.003,0l48.846-0.011c0.002,0,0.004,0,0.005,0
c1.14,0,2.273-0.246,3.319-0.694l-27.752-17.741l-27.598,17.813C44.561,130.792,45.643,131.015,46.731,131.015z"/>
<path fill="#FFC900" d="M110.419,62.923l-39.266,49.646l27.752,17.741c1.262-0.541,2.397-1.376,3.256-2.442l27.959-34.782
l2.489-3.097c0.513-0.638,0.923-1.354,1.224-2.112c0.143-0.359,0.261-0.728,0.353-1.103L110.419,62.923z"/>
<path fill="#FFC900" d="M8.078,86.64c0.217,0.956,0.599,1.875,1.137,2.697c0.149,0.229,0.309,0.45,0.478,0.664l30.461,37.873
c0.892,1.108,2.08,1.969,3.402,2.508l27.598-17.813L31.4,62.284L8.078,86.64z"/>
<path fill="#00FFE4" d="M20.78,32.099c-0.897,1.028-1.543,2.271-1.856,3.634L8.072,82.937c-0.242,1.052-0.266,2.15-0.089,3.214
c0.027,0.164,0.058,0.327,0.095,0.488L31.4,62.284L20.78,32.099z"/>
<path fill="#00FFE4" d="M134.188,86.774c0.311-1.258,0.34-2.585,0.049-3.848l-10.873-47.232c-0.295-1.279-0.884-2.452-1.7-3.438
l-11.244,30.667L134.188,86.774z"/>
<g>
<path fill="#08B1D5" d="M56.624,27.961L71.153,8.189c-0.004,0-0.008,0-0.013,0c-0.017,0-0.035,0.001-0.052,0.001
C70.964,8.191,70.84,8.194,70.715,8.2c-0.014,0.001-0.028,0.003-0.043,0.004c-1.1,0.06-2.188,0.337-3.182,0.812L23.483,30.043
c-1.046,0.5-1.96,1.204-2.703,2.056L31.4,62.284L56.624,27.95V27.961z"/>
<path fill="#08B1D5" d="M118.832,30.042L74.797,9.016c-1.132-0.542-2.387-0.825-3.643-0.827l39.266,54.733l11.244-30.667
C120.901,31.333,119.94,30.571,118.832,30.042z"/>
</g>
<g>
<path fill="#07242D" d="M179,108.611h-8.361l-16.315-16.496c-0.664,0.083-1.34,0.126-2.027,0.126v16.37h-5.959V62.369h5.959
c0,0-0.011,23.984,0,23.984c2.902,0,5.558-1.198,7.443-3.125l7.132-7.286h8.545l-11.596,11.514
c-1.027,1.028-2.192,1.921-3.462,2.646L179,108.611z"/>
<path fill="#07242D" d="M211.871,75.856v16.505c0,0,0,0.024,0,0.035c0,8.961-7.261,16.215-16.223,16.215
c-8.961,0-16.217-7.276-16.217-16.237c0-0.012,0-16.518,0-16.518h5.778v16.505c0,5.762,4.677,10.457,10.439,10.457
c5.762,0,10.433-4.695,10.433-10.457V75.856H211.871z"/>
<path fill="#07242D" d="M250.26,92.238c0,9.042-7.33,16.373-16.373,16.373c-3.967,0-7.605-1.411-10.438-3.758v3.758h-5.944
c0.004-0.373,0.004-46.242,0.004-46.242h5.944l-0.003,17.254c2.834-2.348,6.471-3.758,10.439-3.758
C242.93,75.864,250.261,83.195,250.26,92.238z M244.333,92.238c0-5.769-4.677-10.445-10.446-10.445
c-5.637,0-10.447,4.578-10.447,10.429c0,5.851,4.81,10.462,10.447,10.462C239.656,102.683,244.333,98.007,244.333,92.238z"/>
<path fill="#07242D" d="M286.212,94.367h-26.414c0.994,4.714,5.176,8.271,10.181,8.271c3.265,0,6.176-1.516,8.081-3.878h6.927
c-2.529,5.792-8.3,9.851-15.007,9.851c-9.033,0-16.379-7.358-16.379-16.402s7.345-16.353,16.379-16.353
C279.783,75.779,287.568,84.659,286.212,94.367z M279.65,88.392c-1.521-3.845-5.277-6.553-9.672-6.553s-8.155,2.71-9.679,6.553
H279.65z"/>
<path fill="#07242D" d="M307.437,86.979v5.459h-16.855v-5.459H307.437z"/>
<path fill="#07242D" d="M345.923,92.238c0,9.042-7.33,16.373-16.373,16.373c-3.967,0-7.605-1.411-10.438-3.758v3.758h-5.944
c0.004-0.373,0.004-46.242,0.004-46.242h5.944l-0.003,17.254c2.834-2.348,6.471-3.758,10.438-3.758
C338.593,75.864,345.924,83.195,345.923,92.238z M339.996,92.238c0-5.769-4.677-10.445-10.446-10.445
c-5.637,0-10.447,4.578-10.447,10.429c0,5.851,4.81,10.462,10.447,10.462C335.318,102.683,339.996,98.007,339.996,92.238z"/>
<path fill="#07242D" d="M381.874,94.367H355.46c0.994,4.714,5.176,8.271,10.181,8.271c3.265,0,6.176-1.516,8.081-3.878h6.927
c-2.529,5.792-8.3,9.851-15.007,9.851c-9.033,0-16.379-7.358-16.379-16.402s7.345-16.353,16.379-16.353
C375.445,75.779,383.23,84.659,381.874,94.367z M375.312,88.392c-1.521-3.845-5.277-6.553-9.672-6.553s-8.155,2.71-9.679,6.553
H375.312z"/>
<path fill="#07242D" d="M419.609,92.201c0,11.479,0,16.41,0,16.41h-5.976c0,0,0-10.761,0-16.41c0-5.855-4.767-10.363-10.389-10.363
c-5.622,0-10.41,4.458-10.41,10.363c0,5.652,0,16.41,0,16.41h-5.975V75.856c0,0,2.56,0,5.975,0v3.69c0,0,3.921-3.69,10.41-3.69
C410.942,75.856,419.609,81.839,419.609,92.201z"/>
<path fill="#07242D" d="M447.468,99.621l4.194,4.194c-2.964,2.964-7.058,4.797-11.581,4.797c-4.522,0-8.616-1.833-11.581-4.797
c-2.964-2.964-4.797-7.058-4.797-11.581s1.833-8.616,4.797-11.581c2.964-2.964,7.058-4.797,11.581-4.797
c4.522,0,8.616,1.833,11.581,4.797l-4.194,4.194c-1.89-1.891-4.502-3.061-7.386-3.061s-5.497,1.17-7.386,3.061
c-1.891,1.89-3.06,4.502-3.06,7.386c0,2.885,1.169,5.497,3.06,7.387c1.89,1.89,4.502,3.059,7.386,3.059
S445.577,101.511,447.468,99.621z"/>
<path fill="#07242D" d="M488.639,92.244c0,11.448,0,16.366,0,16.366h-5.96c0,0,0-10.733,0-16.366
c0-5.838-4.756-10.334-10.361-10.334c-5.607,0-10.382,4.446-10.382,10.334c0,5.637,0,16.366,0,16.366h-5.958v-46.24h5.958v17.255
c0,0,3.909-3.679,10.382-3.679C479.996,75.945,488.639,81.912,488.639,92.244z"/>
</g>
<g>
<path fill="#07242D" d="M180.326,58.699h3.129V39.263c0.01-0.171,0-0.344,0-0.517c0-4.751-3.841-8.602-8.592-8.602
c-4.751,0-8.602,3.851-8.602,8.602s3.851,8.602,8.602,8.602h0.435l3.164-3.15h-3.36h-0.239c-3.011,0-5.451-2.441-5.451-5.451
s2.441-5.451,5.451-5.451c3.011,0,5.463,2.441,5.463,5.451V58.699z"/>
<g>
<path fill="#07242D" d="M200.111,30.144v8.709c0,3.041-2.465,5.518-5.505,5.518c-3.041,0-5.508-2.477-5.508-5.518v-8.709h-3.049
v8.709c0,0,0,0,0,0.007c0,4.729,3.828,8.568,8.557,8.568c4.729,0,8.561-3.827,8.561-8.556c0-0.006,0-0.019,0-0.019v-8.709H200.111
z"/>
</g>
<g>
<path fill="#07242D" d="M163.154,35.833c-3.405-8.994-16.602-6.81-16.802,2.939c0.005,2.094,0.724,3.972,1.979,5.502
c1.472,1.787,3.646,2.973,6.101,3.134c0.189,0.012,0.379,0.019,0.57,0.019h8.665c0,0,0-8.656,0-8.655
C163.666,37.773,163.493,36.772,163.154,35.833z M160.464,44.267c0,0-3.937,0-5.455,0c-3.028,0-5.482-2.468-5.482-5.496
c0-1.517,0.617-2.877,1.613-3.87l0.001,0.001c3.386-3.431,9.345-1.024,9.324,3.869C160.464,40.289,160.464,44.267,160.464,44.267z
"/>
</g>
<g>
<path fill="#07242D" d="M222.563,35.833c-3.405-8.994-16.602-6.81-16.802,2.939c0.005,2.094,0.724,3.972,1.979,5.502
c1.472,1.787,3.646,2.973,6.101,3.134c0.189,0.012,0.379,0.019,0.57,0.019h8.665c0,0,0-8.656,0-8.655
C223.075,37.773,222.902,36.772,222.563,35.833z M219.873,44.267c0,0-3.938,0-5.455,0c-3.028,0-5.482-2.468-5.482-5.496
c0-1.517,0.617-2.877,1.613-3.87l0.001,0.001c3.386-3.431,9.345-1.024,9.324,3.869C219.873,40.289,219.873,44.267,219.873,44.267z
"/>
</g>
</g>
<path fill="#FFFFFF" d="M87.645,83.488h-8.361L62.969,66.992c-0.664,0.083-1.34,0.126-2.027,0.126v16.37h-5.959V37.246h5.959
c0,0-0.011,23.984,0,23.984c2.902,0,5.558-1.198,7.443-3.125l7.132-7.286h8.545L72.467,62.333c-1.027,1.028-2.192,1.921-3.462,2.646
L87.645,83.488z"/>
</svg>


Binary file not shown.


@ -0,0 +1,529 @@
<!doctype html>
<html lang="en" class="no-js">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width,initial-scale=1">
<meta name="description" content="Checks whether Kubernetes is deployed according to security best practices as defined in the CIS Kubernetes Benchmark">
<link rel="canonical" href="https://aquasecurity.github.io/kube-bench/v0.6.5/">
<link rel="icon" href="assets/images/favicon.png">
<meta name="generator" content="mkdocs-1.2.3, mkdocs-material-8.0.2+insiders-4.1.0">
<title>Kube-bench</title>
<link rel="stylesheet" href="assets/stylesheets/main.adb7b03c.min.css">
<link rel="stylesheet" href="assets/stylesheets/palette.fe799546.min.css">
<link rel="preload" as="style" href="assets/stylesheets/vendor/mermaid.733f213f.min.css">
<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto:300,400,400i,700%7CRoboto+Mono&display=fallback">
<style>:root{--md-text-font:"Roboto";--md-code-font:"Roboto Mono"}</style>
<script>function __md_scope(e,t,_){return new URL(_||(t===localStorage?".":"."),location).pathname+"."+e}function __md_get(e,t=localStorage,_){return JSON.parse(t.getItem(__md_scope(e,t,_)))}function __md_set(e,t,_=localStorage,o){try{_.setItem(__md_scope(e,_,o),JSON.stringify(t))}catch(e){}}</script>
</head>
<body dir="ltr" data-md-color-scheme="" data-md-color-primary="none" data-md-color-accent="none">
<input class="md-toggle" data-md-toggle="drawer" type="checkbox" id="__drawer" autocomplete="off">
<input class="md-toggle" data-md-toggle="search" type="checkbox" id="__search" autocomplete="off">
<label class="md-overlay" for="__drawer"></label>
<div data-md-component="skip">
<a href="#kube-bench" class="md-skip">
Skip to content
</a>
</div>
<div data-md-component="announce">
</div>
<div data-md-component="outdated" hidden>
</div>
<header class="md-header" data-md-component="header">
<nav class="md-header__inner md-grid" aria-label="Header">
<a href="." title="Kube-bench" class="md-header__button md-logo" aria-label="Kube-bench" data-md-component="logo">
<img src="images/kube-bench-logo-only.png" alt="logo">
</a>
<label class="md-header__button md-icon" for="__drawer">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M3 6h18v2H3V6m0 5h18v2H3v-2m0 5h18v2H3v-2z"/></svg>
</label>
<div class="md-header__title" data-md-component="header-title">
<div class="md-header__ellipsis">
<div class="md-header__topic">
<span class="md-ellipsis">
Kube-bench
</span>
</div>
<div class="md-header__topic" data-md-component="header-topic">
<span class="md-ellipsis">
Overview
</span>
</div>
</div>
</div>
<label class="md-header__button md-icon" for="__search">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.516 6.516 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5z"/></svg>
</label>
<div class="md-search" data-md-component="search" role="dialog">
<label class="md-search__overlay" for="__search"></label>
<div class="md-search__inner" role="search">
<form class="md-search__form" name="search">
<input type="text" class="md-search__input" name="query" aria-label="Search" placeholder="Search" autocapitalize="off" autocorrect="off" autocomplete="off" spellcheck="false" data-md-component="search-query" required>
<label class="md-search__icon md-icon" for="__search">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.516 6.516 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5z"/></svg>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M20 11v2H8l5.5 5.5-1.42 1.42L4.16 12l7.92-7.92L13.5 5.5 8 11h12z"/></svg>
</label>
<nav class="md-search__options" aria-label="Search">
<button type="reset" class="md-search__icon md-icon" aria-label="Clear" tabindex="-1">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M19 6.41 17.59 5 12 10.59 6.41 5 5 6.41 10.59 12 5 17.59 6.41 19 12 13.41 17.59 19 19 17.59 13.41 12 19 6.41z"/></svg>
</button>
</nav>
</form>
<div class="md-search__output">
<div class="md-search__scrollwrap" data-md-scrollfix>
<div class="md-search-result" data-md-component="search-result">
<div class="md-search-result__meta">
Initializing search
</div>
<ol class="md-search-result__list"></ol>
</div>
</div>
</div>
</div>
</div>
<div class="md-header__source">
<a href="https://github.com/aquasecurity/kube-bench/" title="Go to repository" class="md-source" data-md-component="source">
<div class="md-source__icon md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512"><path d="M439.55 236.05 244 40.45a28.87 28.87 0 0 0-40.81 0l-40.66 40.63 51.52 51.52c27.06-9.14 52.68 16.77 43.39 43.68l49.66 49.66c34.23-11.8 61.18 31 35.47 56.69-26.49 26.49-70.21-2.87-56-37.34L240.22 199v121.85c25.3 12.54 22.26 41.85 9.08 55a34.34 34.34 0 0 1-48.55 0c-17.57-17.6-11.07-46.91 11.25-56v-123c-20.8-8.51-24.6-30.74-18.64-45L142.57 101 8.45 235.14a28.86 28.86 0 0 0 0 40.81l195.61 195.6a28.86 28.86 0 0 0 40.8 0l194.69-194.69a28.86 28.86 0 0 0 0-40.81z"/></svg>
</div>
<div class="md-source__repository">
GitHub
</div>
</a>
</div>
</nav>
</header>
<div class="md-container" data-md-component="container">
<main class="md-main" data-md-component="main">
<div class="md-main__inner md-grid">
<div class="md-sidebar md-sidebar--primary" data-md-component="sidebar" data-md-type="navigation" >
<div class="md-sidebar__scrollwrap">
<div class="md-sidebar__inner">
<nav class="md-nav md-nav--primary" aria-label="Navigation" data-md-level="0">
<label class="md-nav__title" for="__drawer">
<a href="." title="Kube-bench" class="md-nav__button md-logo" aria-label="Kube-bench" data-md-component="logo">
<img src="images/kube-bench-logo-only.png" alt="logo">
</a>
Kube-bench
</label>
<div class="md-nav__source">
<a href="https://github.com/aquasecurity/kube-bench/" title="Go to repository" class="md-source" data-md-component="source">
<div class="md-source__icon md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512"><path d="M439.55 236.05 244 40.45a28.87 28.87 0 0 0-40.81 0l-40.66 40.63 51.52 51.52c27.06-9.14 52.68 16.77 43.39 43.68l49.66 49.66c34.23-11.8 61.18 31 35.47 56.69-26.49 26.49-70.21-2.87-56-37.34L240.22 199v121.85c25.3 12.54 22.26 41.85 9.08 55a34.34 34.34 0 0 1-48.55 0c-17.57-17.6-11.07-46.91 11.25-56v-123c-20.8-8.51-24.6-30.74-18.64-45L142.57 101 8.45 235.14a28.86 28.86 0 0 0 0 40.81l195.61 195.6a28.86 28.86 0 0 0 40.8 0l194.69-194.69a28.86 28.86 0 0 0 0-40.81z"/></svg>
</div>
<div class="md-source__repository">
GitHub
</div>
</a>
</div>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item md-nav__item--active">
<input class="md-nav__toggle md-toggle" data-md-toggle="toc" type="checkbox" id="__toc">
<a href="." class="md-nav__link md-nav__link--active">
Overview
</a>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_2" type="checkbox" id="__nav_2" >
<label class="md-nav__link" for="__nav_2">
Getting Started
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Getting Started" data-md-level="1">
<label class="md-nav__title" for="__nav_2">
<span class="md-nav__icon md-icon"></span>
Getting Started
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="installation/" class="md-nav__link">
Installation
</a>
</li>
<li class="md-nav__item">
<a href="platforms/" class="md-nav__link">
Platforms
</a>
</li>
<li class="md-nav__item">
<a href="running/" class="md-nav__link">
How to run
</a>
</li>
<li class="md-nav__item">
<a href="asff/" class="md-nav__link">
ASFF
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="flags-and-commands/" class="md-nav__link">
Flags
</a>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_4" type="checkbox" id="__nav_4" >
<label class="md-nav__link" for="__nav_4">
Configuration Options
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Configuration Options" data-md-level="1">
<label class="md-nav__title" for="__nav_4">
<span class="md-nav__icon md-icon"></span>
Configuration Options
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="controls/" class="md-nav__link">
Understanding the yamls
</a>
</li>
<li class="md-nav__item">
<a href="architecture/" class="md-nav__link">
Architecture
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="CONTRIBUTING.md" class="md-nav__link">
Contributing
</a>
</li>
</ul>
</nav>
</div>
</div>
</div>
<div class="md-sidebar md-sidebar--secondary" data-md-component="sidebar" data-md-type="toc" >
<div class="md-sidebar__scrollwrap">
<div class="md-sidebar__inner">
<nav class="md-nav md-nav--secondary" aria-label="Table of contents">
</nav>
</div>
</div>
</div>
<div class="md-content" data-md-component="content">
<article class="md-content__inner md-typeset">
<p><img alt="Kube-bench Logo" src="images/kube-bench.jpg" />
<a href="https://github.com/aquasecurity/kube-bench/releases"><img alt="GitHub Release" src="https://img.shields.io/github/release/aquasecurity/kube-bench.svg?logo=github" /></a>
<img alt="Downloads" src="https://img.shields.io/github/downloads/aquasecurity/kube-bench/total?logo=github" />
<img alt="Docker Pulls" src="https://img.shields.io/docker/pulls/aquasec/kube-bench?logo=docker&amp;label=docker%20pulls%20%2F%20kube-bench" />
[<img alt="Go Report Card" src="https://goreportcard.com/badge/github.com/aquasecurity/kube-bench" />]<a href="https://goreportcard.com/report/github.com/aquasecurity/kube-bench">report-card</a>
<a href="https://github.com/aquasecurity/kube-bench/actions"><img alt="Build Status" src="https://github.com/aquasecurity/kube-bench/workflows/Build/badge.svg?branch=main" /></a>
<a href="https://github.com/aquasecurity/kube-bench/blob/main/LICENSE"><img alt="License" src="https://img.shields.io/badge/License-Apache%202.0-blue.svg" /></a>
<a href="https://microbadger.com/images/aquasec/kube-bench" title="Get your own image badge on microbadger.com"><img alt="Docker image" src="https://images.microbadger.com/badges/image/aquasec/kube-bench.svg" /></a>
<a href="https://microbadger.com/images/aquasec/kube-bench"><img alt="Source commit" src="https://images.microbadger.com/badges/commit/aquasec/kube-bench.svg" /></a>
<a href="https://codecov.io/github/aquasecurity/kube-bench"><img alt="Coverage Status" src="https://codecov.io/github/aquasecurity/kube-bench/branch/main/graph/badge.svg" /></a></p>
<h1 id="kube-bench">Kube-bench</h1>
<p>kube-bench is a Go application that checks whether Kubernetes is deployed securely by running the checks documented in the <a href="https://www.cisecurity.org/benchmark/kubernetes/">CIS Kubernetes Benchmark</a>.</p>
<p>Tests are configured with YAML files, making this tool easy to update as test specifications evolve.</p>
<ol>
<li>
<p>kube-bench implements the <a href="https://www.cisecurity.org/benchmark/kubernetes/">CIS Kubernetes Benchmark</a> as closely as possible. Please raise issues here if kube-bench is not correctly implementing the test as described in the Benchmark. To report issues in the Benchmark itself (for example, tests that you believe are inappropriate), please join the <a href="https://cisecurity.org">CIS community</a>.</p>
</li>
<li>
<p>There is not a one-to-one mapping between releases of Kubernetes and releases of the CIS benchmark. See <a href="#cis-kubernetes-benchmark-support">CIS Kubernetes Benchmark support</a> to see which releases of Kubernetes are covered by different releases of the benchmark.</p>
</li>
<li>
<p>It is impossible to inspect the master nodes of managed clusters, e.g. GKE, EKS, AKS and ACK, using kube-bench as one does not have access to such nodes, although it is still possible to use kube-bench to check worker node configuration in these environments.</p>
</li>
</ol>
<p>For help and more information go to our <a href="https://github.com/aquasecurity/kube-bench/discussions/categories/q-a">github discussions q&amp;a</a></p>
</article>
</div>
</div>
</main>
<footer class="md-footer">
<nav class="md-footer__inner md-grid" aria-label="Footer">
<a href="installation/" class="md-footer__link md-footer__link--next" aria-label="Next: Installation" rel="next">
<div class="md-footer__title">
<div class="md-ellipsis">
<span class="md-footer__direction">
Next
</span>
Installation
</div>
</div>
<div class="md-footer__button md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M4 11v2h12l-5.5 5.5 1.42 1.42L19.84 12l-7.92-7.92L10.5 5.5 16 11H4z"/></svg>
</div>
</a>
</nav>
<div class="md-footer-meta md-typeset">
<div class="md-footer-meta__inner md-grid">
<div class="md-copyright">
</div>
</div>
</div>
</footer>
</div>
<div class="md-dialog" data-md-component="dialog">
<div class="md-dialog__inner md-typeset"></div>
</div>
<script id="__config" type="application/json">{"base": ".", "features": [], "translations": {"clipboard.copy": "Copy to clipboard", "clipboard.copied": "Copied to clipboard", "search.config.lang": "en", "search.config.pipeline": "stopWordFilter", "search.config.separator": "[\\s\\-]+", "search.placeholder": "Search", "search.result.placeholder": "Type to start searching", "search.result.none": "No matching documents", "search.result.one": "1 matching document", "search.result.other": "# matching documents", "search.result.more.one": "1 more on this page", "search.result.more.other": "# more on this page", "search.result.term.missing": "Missing", "select.version.title": "Select version"}, "search": "assets/javascripts/workers/search.81d897cb.min.js", "version": {"method": "mike", "provider": "mike"}}</script>
<script src="assets/javascripts/bundle.adafc647.min.js"></script>
</body>
</html>

@ -0,0 +1,678 @@
<!doctype html>
<html lang="en" class="no-js">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width,initial-scale=1">
<meta name="description" content="Checks whether Kubernetes is deployed according to security best practices as defined in the CIS Kubernetes Benchmark">
<link rel="canonical" href="https://aquasecurity.github.io/kube-bench/v0.6.5/installation/">
<link rel="icon" href="../assets/images/favicon.png">
<meta name="generator" content="mkdocs-1.2.3, mkdocs-material-8.0.2+insiders-4.1.0">
<title>Installation - Kube-bench</title>
<link rel="stylesheet" href="../assets/stylesheets/main.adb7b03c.min.css">
<link rel="stylesheet" href="../assets/stylesheets/palette.fe799546.min.css">
<link rel="preload" as="style" href="../assets/stylesheets/vendor/mermaid.733f213f.min.css">
<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto:300,400,400i,700%7CRoboto+Mono&display=fallback">
<style>:root{--md-text-font:"Roboto";--md-code-font:"Roboto Mono"}</style>
<script>function __md_scope(e,t,_){return new URL(_||(t===localStorage?"..":".."),location).pathname+"."+e}function __md_get(e,t=localStorage,_){return JSON.parse(t.getItem(__md_scope(e,t,_)))}function __md_set(e,t,_=localStorage,o){try{_.setItem(__md_scope(e,_,o),JSON.stringify(t))}catch(e){}}</script>
</head>
<body dir="ltr" data-md-color-scheme="" data-md-color-primary="none" data-md-color-accent="none">
<input class="md-toggle" data-md-toggle="drawer" type="checkbox" id="__drawer" autocomplete="off">
<input class="md-toggle" data-md-toggle="search" type="checkbox" id="__search" autocomplete="off">
<label class="md-overlay" for="__drawer"></label>
<div data-md-component="skip">
<a href="#installation" class="md-skip">
Skip to content
</a>
</div>
<div data-md-component="announce">
</div>
<div data-md-component="outdated" hidden>
</div>
<header class="md-header" data-md-component="header">
<nav class="md-header__inner md-grid" aria-label="Header">
<a href=".." title="Kube-bench" class="md-header__button md-logo" aria-label="Kube-bench" data-md-component="logo">
<img src="../images/kube-bench-logo-only.png" alt="logo">
</a>
<label class="md-header__button md-icon" for="__drawer">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M3 6h18v2H3V6m0 5h18v2H3v-2m0 5h18v2H3v-2z"/></svg>
</label>
<div class="md-header__title" data-md-component="header-title">
<div class="md-header__ellipsis">
<div class="md-header__topic">
<span class="md-ellipsis">
Kube-bench
</span>
</div>
<div class="md-header__topic" data-md-component="header-topic">
<span class="md-ellipsis">
Installation
</span>
</div>
</div>
</div>
<label class="md-header__button md-icon" for="__search">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.516 6.516 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5z"/></svg>
</label>
<div class="md-search" data-md-component="search" role="dialog">
<label class="md-search__overlay" for="__search"></label>
<div class="md-search__inner" role="search">
<form class="md-search__form" name="search">
<input type="text" class="md-search__input" name="query" aria-label="Search" placeholder="Search" autocapitalize="off" autocorrect="off" autocomplete="off" spellcheck="false" data-md-component="search-query" required>
<label class="md-search__icon md-icon" for="__search">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.516 6.516 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5z"/></svg>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M20 11v2H8l5.5 5.5-1.42 1.42L4.16 12l7.92-7.92L13.5 5.5 8 11h12z"/></svg>
</label>
<nav class="md-search__options" aria-label="Search">
<button type="reset" class="md-search__icon md-icon" aria-label="Clear" tabindex="-1">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M19 6.41 17.59 5 12 10.59 6.41 5 5 6.41 10.59 12 5 17.59 6.41 19 12 13.41 17.59 19 19 17.59 13.41 12 19 6.41z"/></svg>
</button>
</nav>
</form>
<div class="md-search__output">
<div class="md-search__scrollwrap" data-md-scrollfix>
<div class="md-search-result" data-md-component="search-result">
<div class="md-search-result__meta">
Initializing search
</div>
<ol class="md-search-result__list"></ol>
</div>
</div>
</div>
</div>
</div>
<div class="md-header__source">
<a href="https://github.com/aquasecurity/kube-bench/" title="Go to repository" class="md-source" data-md-component="source">
<div class="md-source__icon md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512"><path d="M439.55 236.05 244 40.45a28.87 28.87 0 0 0-40.81 0l-40.66 40.63 51.52 51.52c27.06-9.14 52.68 16.77 43.39 43.68l49.66 49.66c34.23-11.8 61.18 31 35.47 56.69-26.49 26.49-70.21-2.87-56-37.34L240.22 199v121.85c25.3 12.54 22.26 41.85 9.08 55a34.34 34.34 0 0 1-48.55 0c-17.57-17.6-11.07-46.91 11.25-56v-123c-20.8-8.51-24.6-30.74-18.64-45L142.57 101 8.45 235.14a28.86 28.86 0 0 0 0 40.81l195.61 195.6a28.86 28.86 0 0 0 40.8 0l194.69-194.69a28.86 28.86 0 0 0 0-40.81z"/></svg>
</div>
<div class="md-source__repository">
GitHub
</div>
</a>
</div>
</nav>
</header>
<div class="md-container" data-md-component="container">
<main class="md-main" data-md-component="main">
<div class="md-main__inner md-grid">
<div class="md-sidebar md-sidebar--primary" data-md-component="sidebar" data-md-type="navigation" >
<div class="md-sidebar__scrollwrap">
<div class="md-sidebar__inner">
<nav class="md-nav md-nav--primary" aria-label="Navigation" data-md-level="0">
<label class="md-nav__title" for="__drawer">
<a href=".." title="Kube-bench" class="md-nav__button md-logo" aria-label="Kube-bench" data-md-component="logo">
<img src="../images/kube-bench-logo-only.png" alt="logo">
</a>
Kube-bench
</label>
<div class="md-nav__source">
<a href="https://github.com/aquasecurity/kube-bench/" title="Go to repository" class="md-source" data-md-component="source">
<div class="md-source__icon md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512"><path d="M439.55 236.05 244 40.45a28.87 28.87 0 0 0-40.81 0l-40.66 40.63 51.52 51.52c27.06-9.14 52.68 16.77 43.39 43.68l49.66 49.66c34.23-11.8 61.18 31 35.47 56.69-26.49 26.49-70.21-2.87-56-37.34L240.22 199v121.85c25.3 12.54 22.26 41.85 9.08 55a34.34 34.34 0 0 1-48.55 0c-17.57-17.6-11.07-46.91 11.25-56v-123c-20.8-8.51-24.6-30.74-18.64-45L142.57 101 8.45 235.14a28.86 28.86 0 0 0 0 40.81l195.61 195.6a28.86 28.86 0 0 0 40.8 0l194.69-194.69a28.86 28.86 0 0 0 0-40.81z"/></svg>
</div>
<div class="md-source__repository">
GitHub
</div>
</a>
</div>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href=".." class="md-nav__link">
Overview
</a>
</li>
<li class="md-nav__item md-nav__item--active md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_2" type="checkbox" id="__nav_2" checked>
<label class="md-nav__link" for="__nav_2">
Getting Started
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Getting Started" data-md-level="1">
<label class="md-nav__title" for="__nav_2">
<span class="md-nav__icon md-icon"></span>
Getting Started
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item md-nav__item--active">
<input class="md-nav__toggle md-toggle" data-md-toggle="toc" type="checkbox" id="__toc">
<label class="md-nav__link md-nav__link--active" for="__toc">
Installation
<span class="md-nav__icon md-icon"></span>
</label>
<a href="./" class="md-nav__link md-nav__link--active">
Installation
</a>
<nav class="md-nav md-nav--secondary" aria-label="Table of contents">
<label class="md-nav__title" for="__toc">
<span class="md-nav__icon md-icon"></span>
Table of contents
</label>
<ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
<li class="md-nav__item">
<a href="#installation" class="md-nav__link">
Installation
</a>
<nav class="md-nav" aria-label="Installation">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#download-and-install-binaries" class="md-nav__link">
Download and Install binaries
</a>
</li>
<li class="md-nav__item">
<a href="#installing-from-sources" class="md-nav__link">
Installing from sources
</a>
</li>
<li class="md-nav__item">
<a href="#installing-from-a-container" class="md-nav__link">
Installing from a container
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="../platforms/" class="md-nav__link">
Platforms
</a>
</li>
<li class="md-nav__item">
<a href="../running/" class="md-nav__link">
How to run
</a>
</li>
<li class="md-nav__item">
<a href="../asff/" class="md-nav__link">
ASFF
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="../flags-and-commands/" class="md-nav__link">
Flags
</a>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_4" type="checkbox" id="__nav_4" >
<label class="md-nav__link" for="__nav_4">
Configuration Options
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Configuration Options" data-md-level="1">
<label class="md-nav__title" for="__nav_4">
<span class="md-nav__icon md-icon"></span>
Configuration Options
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../controls/" class="md-nav__link">
Understanding the yamls
</a>
</li>
<li class="md-nav__item">
<a href="../architecture/" class="md-nav__link">
Architecture
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="../CONTRIBUTING.md" class="md-nav__link">
Contributing
</a>
</li>
</ul>
</nav>
</div>
</div>
</div>
<div class="md-sidebar md-sidebar--secondary" data-md-component="sidebar" data-md-type="toc" >
<div class="md-sidebar__scrollwrap">
<div class="md-sidebar__inner">
<nav class="md-nav md-nav--secondary" aria-label="Table of contents">
<label class="md-nav__title" for="__toc">
<span class="md-nav__icon md-icon"></span>
Table of contents
</label>
<ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
<li class="md-nav__item">
<a href="#installation" class="md-nav__link">
Installation
</a>
<nav class="md-nav" aria-label="Installation">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#download-and-install-binaries" class="md-nav__link">
Download and Install binaries
</a>
</li>
<li class="md-nav__item">
<a href="#installing-from-sources" class="md-nav__link">
Installing from sources
</a>
</li>
<li class="md-nav__item">
<a href="#installing-from-a-container" class="md-nav__link">
Installing from a container
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</div>
</div>
</div>
<div class="md-content" data-md-component="content">
<article class="md-content__inner md-typeset">
<h1>Installation</h1>
<h2 id="installation">Installation</h2>
<p>You can choose to
* Run kube-bench from inside a container (sharing PID namespace with the host). See <a href="../running/#running-inside-a-container">Running inside a container</a> for additional details.
* Run a container that installs kube-bench on the host, and then run kube-bench directly on the host. See <a href="#installing-from-a-container">Installing from a container</a> for additional details.
* install the latest binaries from the <a href="https://github.com/aquasecurity/kube-bench/releases">Releases page</a>, though please note that you also need to download the config and test files from the <code>cfg</code> directory. See <a href="#download-and-install-binaries">Download and Install binaries</a> for details.
* Compile it from source. See <a href="#installing-from-sources">Installing from sources</a> for details.</p>
<h3 id="download-and-install-binaries">Download and Install binaries</h3>
<p>It is possible to manually install and run kube-bench release binaries. In order to do that, you must have access to your Kubernetes cluster nodes. Note that if you're using one of the managed Kubernetes services (e.g. EKS, AKS, GKE, ACK, OCP), you will not have access to the master nodes of your cluster and you cant perform any tests on the master nodes.</p>
<p>First, log into one of the nodes using SSH.</p>
<p>Install kube-bench binary for your platform using the commands below. Note that there may be newer releases available. See <a href="https://github.com/aquasecurity/kube-bench/releases">releases page</a>.</p>
<p>Ubuntu/Debian:</p>
<div class="highlight"><pre><span></span><code>curl -L https://github.com/aquasecurity/kube-bench/releases/download/v0.6.2/kube-bench_0.6.2_linux_amd64.deb -o kube-bench_0.6.2_linux_amd64.deb
sudo apt install ./kube-bench_0.6.2_linux_amd64.deb -f
</code></pre></div>
<p>RHEL:</p>
<div class="highlight"><pre><span></span><code>curl -L https://github.com/aquasecurity/kube-bench/releases/download/v0.6.2/kube-bench_0.6.2_linux_amd64.rpm -o kube-bench_0.6.2_linux_amd64.rpm
sudo yum install kube-bench_0.6.2_linux_amd64.rpm -y
</code></pre></div>
<p>Alternatively, you can manually download and extract the kube-bench binary:</p>
<div class="highlight"><pre><span></span><code>curl -L https://github.com/aquasecurity/kube-bench/releases/download/v0.6.2/kube-bench_0.6.2_linux_amd64.tar.gz -o kube-bench_0.6.2_linux_amd64.tar.gz
tar -xvf kube-bench_0.6.2_linux_amd64.tar.gz
</code></pre></div>
<p>You can then run kube-bench directly:
<div class="highlight"><pre><span></span><code>kube-bench
</code></pre></div></p>
<p>If you manually downloaded the kube-bench binary (using curl command above), you have to specify the location of configuration directory and file. For example:
<div class="highlight"><pre><span></span><code>./kube-bench --config-dir `pwd`/cfg --config `pwd`/cfg/config.yaml
</code></pre></div></p>
<p>See previous section on <a href="../running/#running-kube-bench">Running kube-bench</a> for further details on using the kube-bench binary.</p>
<h3 id="installing-from-sources">Installing from sources</h3>
<p>If Go is installed on the target machines, you can simply clone this repository and run as follows (assuming your <a href="https://github.com/golang/go/wiki/GOPATH"><code>GOPATH</code> is set</a>) as per this example:</p>
<div class="highlight"><pre><span></span><code><span class="c1"># Create a target directory for the clone, inside the $GOPATH</span>
mkdir -p <span class="nv">$GOPATH</span>/src/github.com/aquasecurity/kube-bench
<span class="c1"># Clone this repository, using SSH</span>
git clone git@github.com:aquasecurity/kube-bench.git <span class="nv">$GOPATH</span>/src/github.com/aquasecurity/kube-bench
<span class="c1"># Install the pre-requisites</span>
go get github.com/aquasecurity/kube-bench
<span class="c1"># Change to the kube-bench directory</span>
<span class="nb">cd</span> <span class="nv">$GOPATH</span>/src/github.com/aquasecurity/kube-bench
<span class="c1"># Build the kube-bench binary</span>
go build -o kube-bench .
<span class="c1"># See all supported options</span>
./kube-bench --help
<span class="c1"># Run all checks</span>
./kube-bench
</code></pre></div>
<h3 id="installing-from-a-container">Installing from a container</h3>
<p>This command copies the kube-bench binary and configuration files to your host from the Docker container:
<strong>binaries compiled for linux-x86-64 only (so they won't run on macOS or Windows)</strong>
<div class="highlight"><pre><span></span><code>docker run --rm -v `pwd`:/host aquasec/kube-bench:latest install
</code></pre></div></p>
<p>You can then run <code>./kube-bench</code>.</p>
</article>
</div>
</div>
</main>
<footer class="md-footer">
<nav class="md-footer__inner md-grid" aria-label="Footer">
<a href=".." class="md-footer__link md-footer__link--prev" aria-label="Previous: Overview" rel="prev">
<div class="md-footer__button md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M20 11v2H8l5.5 5.5-1.42 1.42L4.16 12l7.92-7.92L13.5 5.5 8 11h12z"/></svg>
</div>
<div class="md-footer__title">
<div class="md-ellipsis">
<span class="md-footer__direction">
Previous
</span>
Overview
</div>
</div>
</a>
<a href="../platforms/" class="md-footer__link md-footer__link--next" aria-label="Next: Platforms" rel="next">
<div class="md-footer__title">
<div class="md-ellipsis">
<span class="md-footer__direction">
Next
</span>
Platforms
</div>
</div>
<div class="md-footer__button md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M4 11v2h12l-5.5 5.5 1.42 1.42L19.84 12l-7.92-7.92L10.5 5.5 16 11H4z"/></svg>
</div>
</a>
</nav>
<div class="md-footer-meta md-typeset">
<div class="md-footer-meta__inner md-grid">
<div class="md-copyright">
</div>
</div>
</div>
</footer>
</div>
<div class="md-dialog" data-md-component="dialog">
<div class="md-dialog__inner md-typeset"></div>
</div>
<script id="__config" type="application/json">{"base": "..", "features": [], "translations": {"clipboard.copy": "Copy to clipboard", "clipboard.copied": "Copied to clipboard", "search.config.lang": "en", "search.config.pipeline": "stopWordFilter", "search.config.separator": "[\\s\\-]+", "search.placeholder": "Search", "search.result.placeholder": "Type to start searching", "search.result.none": "No matching documents", "search.result.one": "1 matching document", "search.result.other": "# matching documents", "search.result.more.one": "1 more on this page", "search.result.more.other": "# more on this page", "search.result.term.missing": "Missing", "select.version.title": "Select version"}, "search": "../assets/javascripts/workers/search.81d897cb.min.js", "version": {"method": "mike", "provider": "mike"}}</script>
<script src="../assets/javascripts/bundle.adafc647.min.js"></script>
</body>
</html>

@ -0,0 +1,633 @@
<!doctype html>
<html lang="en" class="no-js">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width,initial-scale=1">
<meta name="description" content="Checks whether Kubernetes is deployed according to security best practices as defined in the CIS Kubernetes Benchmark">
<link rel="canonical" href="https://aquasecurity.github.io/kube-bench/v0.6.5/platforms/">
<link rel="icon" href="../assets/images/favicon.png">
<meta name="generator" content="mkdocs-1.2.3, mkdocs-material-8.0.2+insiders-4.1.0">
<title>Platforms - Kube-bench</title>
<link rel="stylesheet" href="../assets/stylesheets/main.adb7b03c.min.css">
<link rel="stylesheet" href="../assets/stylesheets/palette.fe799546.min.css">
<link rel="preload" as="style" href="../assets/stylesheets/vendor/mermaid.733f213f.min.css">
<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto:300,400,400i,700%7CRoboto+Mono&display=fallback">
<style>:root{--md-text-font:"Roboto";--md-code-font:"Roboto Mono"}</style>
<script>function __md_scope(e,t,_){return new URL(_||(t===localStorage?"..":".."),location).pathname+"."+e}function __md_get(e,t=localStorage,_){return JSON.parse(t.getItem(__md_scope(e,t,_)))}function __md_set(e,t,_=localStorage,o){try{_.setItem(__md_scope(e,_,o),JSON.stringify(t))}catch(e){}}</script>
</head>
<body dir="ltr" data-md-color-scheme="" data-md-color-primary="none" data-md-color-accent="none">
<input class="md-toggle" data-md-toggle="drawer" type="checkbox" id="__drawer" autocomplete="off">
<input class="md-toggle" data-md-toggle="search" type="checkbox" id="__search" autocomplete="off">
<label class="md-overlay" for="__drawer"></label>
<div data-md-component="skip">
<a href="#cis-kubernetes-benchmark-support" class="md-skip">
Skip to content
</a>
</div>
<div data-md-component="announce">
</div>
<div data-md-component="outdated" hidden>
</div>
<header class="md-header" data-md-component="header">
<nav class="md-header__inner md-grid" aria-label="Header">
<a href=".." title="Kube-bench" class="md-header__button md-logo" aria-label="Kube-bench" data-md-component="logo">
<img src="../images/kube-bench-logo-only.png" alt="logo">
</a>
<label class="md-header__button md-icon" for="__drawer">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M3 6h18v2H3V6m0 5h18v2H3v-2m0 5h18v2H3v-2z"/></svg>
</label>
<div class="md-header__title" data-md-component="header-title">
<div class="md-header__ellipsis">
<div class="md-header__topic">
<span class="md-ellipsis">
Kube-bench
</span>
</div>
<div class="md-header__topic" data-md-component="header-topic">
<span class="md-ellipsis">
Platforms
</span>
</div>
</div>
</div>
<label class="md-header__button md-icon" for="__search">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.516 6.516 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5z"/></svg>
</label>
<div class="md-search" data-md-component="search" role="dialog">
<label class="md-search__overlay" for="__search"></label>
<div class="md-search__inner" role="search">
<form class="md-search__form" name="search">
<input type="text" class="md-search__input" name="query" aria-label="Search" placeholder="Search" autocapitalize="off" autocorrect="off" autocomplete="off" spellcheck="false" data-md-component="search-query" required>
<label class="md-search__icon md-icon" for="__search">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.516 6.516 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5z"/></svg>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M20 11v2H8l5.5 5.5-1.42 1.42L4.16 12l7.92-7.92L13.5 5.5 8 11h12z"/></svg>
</label>
<nav class="md-search__options" aria-label="Search">
<button type="reset" class="md-search__icon md-icon" aria-label="Clear" tabindex="-1">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M19 6.41 17.59 5 12 10.59 6.41 5 5 6.41 10.59 12 5 17.59 6.41 19 12 13.41 17.59 19 19 17.59 13.41 12 19 6.41z"/></svg>
</button>
</nav>
</form>
<div class="md-search__output">
<div class="md-search__scrollwrap" data-md-scrollfix>
<div class="md-search-result" data-md-component="search-result">
<div class="md-search-result__meta">
Initializing search
</div>
<ol class="md-search-result__list"></ol>
</div>
</div>
</div>
</div>
</div>
<div class="md-header__source">
<a href="https://github.com/aquasecurity/kube-bench/" title="Go to repository" class="md-source" data-md-component="source">
<div class="md-source__icon md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512"><path d="M439.55 236.05 244 40.45a28.87 28.87 0 0 0-40.81 0l-40.66 40.63 51.52 51.52c27.06-9.14 52.68 16.77 43.39 43.68l49.66 49.66c34.23-11.8 61.18 31 35.47 56.69-26.49 26.49-70.21-2.87-56-37.34L240.22 199v121.85c25.3 12.54 22.26 41.85 9.08 55a34.34 34.34 0 0 1-48.55 0c-17.57-17.6-11.07-46.91 11.25-56v-123c-20.8-8.51-24.6-30.74-18.64-45L142.57 101 8.45 235.14a28.86 28.86 0 0 0 0 40.81l195.61 195.6a28.86 28.86 0 0 0 40.8 0l194.69-194.69a28.86 28.86 0 0 0 0-40.81z"/></svg>
</div>
<div class="md-source__repository">
GitHub
</div>
</a>
</div>
</nav>
</header>
<div class="md-container" data-md-component="container">
<main class="md-main" data-md-component="main">
<div class="md-main__inner md-grid">
<div class="md-sidebar md-sidebar--primary" data-md-component="sidebar" data-md-type="navigation" >
<div class="md-sidebar__scrollwrap">
<div class="md-sidebar__inner">
<nav class="md-nav md-nav--primary" aria-label="Navigation" data-md-level="0">
<label class="md-nav__title" for="__drawer">
<a href=".." title="Kube-bench" class="md-nav__button md-logo" aria-label="Kube-bench" data-md-component="logo">
<img src="../images/kube-bench-logo-only.png" alt="logo">
</a>
Kube-bench
</label>
<div class="md-nav__source">
<a href="https://github.com/aquasecurity/kube-bench/" title="Go to repository" class="md-source" data-md-component="source">
<div class="md-source__icon md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512"><path d="M439.55 236.05 244 40.45a28.87 28.87 0 0 0-40.81 0l-40.66 40.63 51.52 51.52c27.06-9.14 52.68 16.77 43.39 43.68l49.66 49.66c34.23-11.8 61.18 31 35.47 56.69-26.49 26.49-70.21-2.87-56-37.34L240.22 199v121.85c25.3 12.54 22.26 41.85 9.08 55a34.34 34.34 0 0 1-48.55 0c-17.57-17.6-11.07-46.91 11.25-56v-123c-20.8-8.51-24.6-30.74-18.64-45L142.57 101 8.45 235.14a28.86 28.86 0 0 0 0 40.81l195.61 195.6a28.86 28.86 0 0 0 40.8 0l194.69-194.69a28.86 28.86 0 0 0 0-40.81z"/></svg>
</div>
<div class="md-source__repository">
GitHub
</div>
</a>
</div>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href=".." class="md-nav__link">
Overview
</a>
</li>
<li class="md-nav__item md-nav__item--active md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_2" type="checkbox" id="__nav_2" checked>
<label class="md-nav__link" for="__nav_2">
Getting Started
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Getting Started" data-md-level="1">
<label class="md-nav__title" for="__nav_2">
<span class="md-nav__icon md-icon"></span>
Getting Started
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../installation/" class="md-nav__link">
Installation
</a>
</li>
<li class="md-nav__item md-nav__item--active">
<input class="md-nav__toggle md-toggle" data-md-toggle="toc" type="checkbox" id="__toc">
<label class="md-nav__link md-nav__link--active" for="__toc">
Platforms
<span class="md-nav__icon md-icon"></span>
</label>
<a href="./" class="md-nav__link md-nav__link--active">
Platforms
</a>
<nav class="md-nav md-nav--secondary" aria-label="Table of contents">
<label class="md-nav__title" for="__toc">
<span class="md-nav__icon md-icon"></span>
Table of contents
</label>
<ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
<li class="md-nav__item">
<a href="#cis-kubernetes-benchmark-support" class="md-nav__link">
CIS Kubernetes Benchmark support
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="../running/" class="md-nav__link">
How to run
</a>
</li>
<li class="md-nav__item">
<a href="../asff/" class="md-nav__link">
ASFF
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="../flags-and-commands/" class="md-nav__link">
Flags
</a>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_4" type="checkbox" id="__nav_4" >
<label class="md-nav__link" for="__nav_4">
Configuration Options
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Configuration Options" data-md-level="1">
<label class="md-nav__title" for="__nav_4">
<span class="md-nav__icon md-icon"></span>
Configuration Options
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../controls/" class="md-nav__link">
Understanding the yamls
</a>
</li>
<li class="md-nav__item">
<a href="../architecture/" class="md-nav__link">
Architecture
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="../CONTRIBUTING.md" class="md-nav__link">
Contributing
</a>
</li>
</ul>
</nav>
</div>
</div>
</div>
<div class="md-sidebar md-sidebar--secondary" data-md-component="sidebar" data-md-type="toc" >
<div class="md-sidebar__scrollwrap">
<div class="md-sidebar__inner">
<nav class="md-nav md-nav--secondary" aria-label="Table of contents">
<label class="md-nav__title" for="__toc">
<span class="md-nav__icon md-icon"></span>
Table of contents
</label>
<ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
<li class="md-nav__item">
<a href="#cis-kubernetes-benchmark-support" class="md-nav__link">
CIS Kubernetes Benchmark support
</a>
</li>
</ul>
</nav>
</div>
</div>
</div>
<div class="md-content" data-md-component="content">
<article class="md-content__inner md-typeset">
<h1>Platforms</h1>
<h2 id="cis-kubernetes-benchmark-support">CIS Kubernetes Benchmark support</h2>
<p>kube-bench supports running tests for Kubernetes.
Most of our supported benchmarks are defined in the <a href="https://www.cisecurity.org/benchmark/kubernetes/">CIS Kubernetes Benchmarks</a>.
Some defined by other hardenening guides.</p>
<table>
<thead>
<tr>
<th>Source</th>
<th>Kubernetes Benchmark</th>
<th>kube-bench config</th>
<th>Kubernetes versions</th>
</tr>
</thead>
<tbody>
<tr>
<td>CIS</td>
<td><a href="https://workbench.cisecurity.org/benchmarks/4892">1.5.1</a></td>
<td>cis-1.5</td>
<td>1.15</td>
</tr>
<tr>
<td>CIS</td>
<td><a href="https://workbench.cisecurity.org/benchmarks/4834">1.6.0</a></td>
<td>cis-1.6</td>
<td>1.16-1.18</td>
</tr>
<tr>
<td>CIS</td>
<td><a href="https://workbench.cisecurity.org/benchmarks/6246">1.20</a></td>
<td>cis-1.20</td>
<td>1.19-1.20</td>
</tr>
<tr>
<td>CIS</td>
<td><a href="https://workbench.cisecurity.org/benchmarks/4536">GKE 1.0.0</a></td>
<td>gke-1.0</td>
<td>GKE</td>
</tr>
<tr>
<td>CIS</td>
<td><a href="https://workbench.cisecurity.org/benchmarks/6041">EKS 1.0.1</a></td>
<td>eks-1.0.1</td>
<td>EKS</td>
</tr>
<tr>
<td>CIS</td>
<td><a href="https://workbench.cisecurity.org/benchmarks/6467">ACK 1.0.0</a></td>
<td>ack-1.0</td>
<td>ACK</td>
</tr>
<tr>
<td>CIS</td>
<td><a href="https://workbench.cisecurity.org/benchmarks/6347">AKS 1.0.0</a></td>
<td>aks-1.0</td>
<td>AKS</td>
</tr>
<tr>
<td>RHEL</td>
<td>RedHat OpenShift hardening guide</td>
<td>rh-0.7</td>
<td>OCP 3.10-3.11</td>
</tr>
<tr>
<td>CIS</td>
<td><a href="https://workbench.cisecurity.org/benchmarks/6778">OCP4 1.1.0</a></td>
<td>rh-1.0</td>
<td>OCP 4.1-</td>
</tr>
</tbody>
</table>
</article>
</div>
</div>
</main>
<footer class="md-footer">
<nav class="md-footer__inner md-grid" aria-label="Footer">
<a href="../installation/" class="md-footer__link md-footer__link--prev" aria-label="Previous: Installation" rel="prev">
<div class="md-footer__button md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M20 11v2H8l5.5 5.5-1.42 1.42L4.16 12l7.92-7.92L13.5 5.5 8 11h12z"/></svg>
</div>
<div class="md-footer__title">
<div class="md-ellipsis">
<span class="md-footer__direction">
Previous
</span>
Installation
</div>
</div>
</a>
<a href="../running/" class="md-footer__link md-footer__link--next" aria-label="Next: How to run" rel="next">
<div class="md-footer__title">
<div class="md-ellipsis">
<span class="md-footer__direction">
Next
</span>
How to run
</div>
</div>
<div class="md-footer__button md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M4 11v2h12l-5.5 5.5 1.42 1.42L19.84 12l-7.92-7.92L10.5 5.5 16 11H4z"/></svg>
</div>
</a>
</nav>
<div class="md-footer-meta md-typeset">
<div class="md-footer-meta__inner md-grid">
<div class="md-copyright">
</div>
</div>
</div>
</footer>
</div>
<div class="md-dialog" data-md-component="dialog">
<div class="md-dialog__inner md-typeset"></div>
</div>
<script id="__config" type="application/json">{"base": "..", "features": [], "translations": {"clipboard.copy": "Copy to clipboard", "clipboard.copied": "Copied to clipboard", "search.config.lang": "en", "search.config.pipeline": "stopWordFilter", "search.config.separator": "[\\s\\-]+", "search.placeholder": "Search", "search.result.placeholder": "Type to start searching", "search.result.none": "No matching documents", "search.result.one": "1 matching document", "search.result.other": "# matching documents", "search.result.more.one": "1 more on this page", "search.result.more.other": "# more on this page", "search.result.term.missing": "Missing", "select.version.title": "Select version"}, "search": "../assets/javascripts/workers/search.81d897cb.min.js", "version": {"method": "mike", "provider": "mike"}}</script>
<script src="../assets/javascripts/bundle.adafc647.min.js"></script>
</body>
</html>

@ -0,0 +1,816 @@
<!doctype html>
<html lang="en" class="no-js">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width,initial-scale=1">
<meta name="description" content="Checks whether Kubernetes is deployed according to security best practices as defined in the CIS Kubernetes Benchmark">
<link rel="canonical" href="https://aquasecurity.github.io/kube-bench/v0.6.5/running/">
<link rel="icon" href="../assets/images/favicon.png">
<meta name="generator" content="mkdocs-1.2.3, mkdocs-material-8.0.2+insiders-4.1.0">
<title>How to run - Kube-bench</title>
<link rel="stylesheet" href="../assets/stylesheets/main.adb7b03c.min.css">
<link rel="stylesheet" href="../assets/stylesheets/palette.fe799546.min.css">
<link rel="preload" as="style" href="../assets/stylesheets/vendor/mermaid.733f213f.min.css">
<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto:300,400,400i,700%7CRoboto+Mono&display=fallback">
<style>:root{--md-text-font:"Roboto";--md-code-font:"Roboto Mono"}</style>
<script>function __md_scope(e,t,_){return new URL(_||(t===localStorage?"..":".."),location).pathname+"."+e}function __md_get(e,t=localStorage,_){return JSON.parse(t.getItem(__md_scope(e,t,_)))}function __md_set(e,t,_=localStorage,o){try{_.setItem(__md_scope(e,_,o),JSON.stringify(t))}catch(e){}}</script>
</head>
<body dir="ltr" data-md-color-scheme="" data-md-color-primary="none" data-md-color-accent="none">
<input class="md-toggle" data-md-toggle="drawer" type="checkbox" id="__drawer" autocomplete="off">
<input class="md-toggle" data-md-toggle="search" type="checkbox" id="__search" autocomplete="off">
<label class="md-overlay" for="__drawer"></label>
<div data-md-component="skip">
<a href="#running-kube-bench" class="md-skip">
Skip to content
</a>
</div>
<div data-md-component="announce">
</div>
<div data-md-component="outdated" hidden>
</div>
<header class="md-header" data-md-component="header">
<nav class="md-header__inner md-grid" aria-label="Header">
<a href=".." title="Kube-bench" class="md-header__button md-logo" aria-label="Kube-bench" data-md-component="logo">
<img src="../images/kube-bench-logo-only.png" alt="logo">
</a>
<label class="md-header__button md-icon" for="__drawer">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M3 6h18v2H3V6m0 5h18v2H3v-2m0 5h18v2H3v-2z"/></svg>
</label>
<div class="md-header__title" data-md-component="header-title">
<div class="md-header__ellipsis">
<div class="md-header__topic">
<span class="md-ellipsis">
Kube-bench
</span>
</div>
<div class="md-header__topic" data-md-component="header-topic">
<span class="md-ellipsis">
How to run
</span>
</div>
</div>
</div>
<label class="md-header__button md-icon" for="__search">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.516 6.516 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5z"/></svg>
</label>
<div class="md-search" data-md-component="search" role="dialog">
<label class="md-search__overlay" for="__search"></label>
<div class="md-search__inner" role="search">
<form class="md-search__form" name="search">
<input type="text" class="md-search__input" name="query" aria-label="Search" placeholder="Search" autocapitalize="off" autocorrect="off" autocomplete="off" spellcheck="false" data-md-component="search-query" required>
<label class="md-search__icon md-icon" for="__search">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.516 6.516 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5z"/></svg>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M20 11v2H8l5.5 5.5-1.42 1.42L4.16 12l7.92-7.92L13.5 5.5 8 11h12z"/></svg>
</label>
<nav class="md-search__options" aria-label="Search">
<button type="reset" class="md-search__icon md-icon" aria-label="Clear" tabindex="-1">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M19 6.41 17.59 5 12 10.59 6.41 5 5 6.41 10.59 12 5 17.59 6.41 19 12 13.41 17.59 19 19 17.59 13.41 12 19 6.41z"/></svg>
</button>
</nav>
</form>
<div class="md-search__output">
<div class="md-search__scrollwrap" data-md-scrollfix>
<div class="md-search-result" data-md-component="search-result">
<div class="md-search-result__meta">
Initializing search
</div>
<ol class="md-search-result__list"></ol>
</div>
</div>
</div>
</div>
</div>
<div class="md-header__source">
<a href="https://github.com/aquasecurity/kube-bench/" title="Go to repository" class="md-source" data-md-component="source">
<div class="md-source__icon md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512"><path d="M439.55 236.05 244 40.45a28.87 28.87 0 0 0-40.81 0l-40.66 40.63 51.52 51.52c27.06-9.14 52.68 16.77 43.39 43.68l49.66 49.66c34.23-11.8 61.18 31 35.47 56.69-26.49 26.49-70.21-2.87-56-37.34L240.22 199v121.85c25.3 12.54 22.26 41.85 9.08 55a34.34 34.34 0 0 1-48.55 0c-17.57-17.6-11.07-46.91 11.25-56v-123c-20.8-8.51-24.6-30.74-18.64-45L142.57 101 8.45 235.14a28.86 28.86 0 0 0 0 40.81l195.61 195.6a28.86 28.86 0 0 0 40.8 0l194.69-194.69a28.86 28.86 0 0 0 0-40.81z"/></svg>
</div>
<div class="md-source__repository">
GitHub
</div>
</a>
</div>
</nav>
</header>
<div class="md-container" data-md-component="container">
<main class="md-main" data-md-component="main">
<div class="md-main__inner md-grid">
<div class="md-sidebar md-sidebar--primary" data-md-component="sidebar" data-md-type="navigation" >
<div class="md-sidebar__scrollwrap">
<div class="md-sidebar__inner">
<nav class="md-nav md-nav--primary" aria-label="Navigation" data-md-level="0">
<label class="md-nav__title" for="__drawer">
<a href=".." title="Kube-bench" class="md-nav__button md-logo" aria-label="Kube-bench" data-md-component="logo">
<img src="../images/kube-bench-logo-only.png" alt="logo">
</a>
Kube-bench
</label>
<div class="md-nav__source">
<a href="https://github.com/aquasecurity/kube-bench/" title="Go to repository" class="md-source" data-md-component="source">
<div class="md-source__icon md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512"><path d="M439.55 236.05 244 40.45a28.87 28.87 0 0 0-40.81 0l-40.66 40.63 51.52 51.52c27.06-9.14 52.68 16.77 43.39 43.68l49.66 49.66c34.23-11.8 61.18 31 35.47 56.69-26.49 26.49-70.21-2.87-56-37.34L240.22 199v121.85c25.3 12.54 22.26 41.85 9.08 55a34.34 34.34 0 0 1-48.55 0c-17.57-17.6-11.07-46.91 11.25-56v-123c-20.8-8.51-24.6-30.74-18.64-45L142.57 101 8.45 235.14a28.86 28.86 0 0 0 0 40.81l195.61 195.6a28.86 28.86 0 0 0 40.8 0l194.69-194.69a28.86 28.86 0 0 0 0-40.81z"/></svg>
</div>
<div class="md-source__repository">
GitHub
</div>
</a>
</div>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href=".." class="md-nav__link">
Overview
</a>
</li>
<li class="md-nav__item md-nav__item--active md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_2" type="checkbox" id="__nav_2" checked>
<label class="md-nav__link" for="__nav_2">
Getting Started
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Getting Started" data-md-level="1">
<label class="md-nav__title" for="__nav_2">
<span class="md-nav__icon md-icon"></span>
Getting Started
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../installation/" class="md-nav__link">
Installation
</a>
</li>
<li class="md-nav__item">
<a href="../platforms/" class="md-nav__link">
Platforms
</a>
</li>
<li class="md-nav__item md-nav__item--active">
<input class="md-nav__toggle md-toggle" data-md-toggle="toc" type="checkbox" id="__toc">
<label class="md-nav__link md-nav__link--active" for="__toc">
How to run
<span class="md-nav__icon md-icon"></span>
</label>
<a href="./" class="md-nav__link md-nav__link--active">
How to run
</a>
<nav class="md-nav md-nav--secondary" aria-label="Table of contents">
<label class="md-nav__title" for="__toc">
<span class="md-nav__icon md-icon"></span>
Table of contents
</label>
<ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
<li class="md-nav__item">
<a href="#running-kube-bench" class="md-nav__link">
Running kube-bench
</a>
<nav class="md-nav" aria-label="Running kube-bench">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#running-inside-a-container" class="md-nav__link">
Running inside a container
</a>
</li>
<li class="md-nav__item">
<a href="#running-in-a-kubernetes-cluster" class="md-nav__link">
Running in a Kubernetes cluster
</a>
</li>
<li class="md-nav__item">
<a href="#running-in-an-aks-cluster" class="md-nav__link">
Running in an AKS cluster
</a>
</li>
<li class="md-nav__item">
<a href="#running-in-an-eks-cluster" class="md-nav__link">
Running in an EKS cluster
</a>
</li>
<li class="md-nav__item">
<a href="#running-on-openshift" class="md-nav__link">
Running on OpenShift
</a>
</li>
<li class="md-nav__item">
<a href="#running-in-a-gke-cluster" class="md-nav__link">
Running in a GKE cluster
</a>
</li>
<li class="md-nav__item">
<a href="#running-in-a-ack-cluster" class="md-nav__link">
Running in a ACK cluster
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="../asff/" class="md-nav__link">
ASFF
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="../flags-and-commands/" class="md-nav__link">
Flags
</a>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_4" type="checkbox" id="__nav_4" >
<label class="md-nav__link" for="__nav_4">
Configuration Options
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Configuration Options" data-md-level="1">
<label class="md-nav__title" for="__nav_4">
<span class="md-nav__icon md-icon"></span>
Configuration Options
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../controls/" class="md-nav__link">
Understanding the yamls
</a>
</li>
<li class="md-nav__item">
<a href="../architecture/" class="md-nav__link">
Architecture
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="../CONTRIBUTING.md" class="md-nav__link">
Contributing
</a>
</li>
</ul>
</nav>
</div>
</div>
</div>
<div class="md-sidebar md-sidebar--secondary" data-md-component="sidebar" data-md-type="toc" >
<div class="md-sidebar__scrollwrap">
<div class="md-sidebar__inner">
<nav class="md-nav md-nav--secondary" aria-label="Table of contents">
<label class="md-nav__title" for="__toc">
<span class="md-nav__icon md-icon"></span>
Table of contents
</label>
<ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
<li class="md-nav__item">
<a href="#running-kube-bench" class="md-nav__link">
Running kube-bench
</a>
<nav class="md-nav" aria-label="Running kube-bench">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#running-inside-a-container" class="md-nav__link">
Running inside a container
</a>
</li>
<li class="md-nav__item">
<a href="#running-in-a-kubernetes-cluster" class="md-nav__link">
Running in a Kubernetes cluster
</a>
</li>
<li class="md-nav__item">
<a href="#running-in-an-aks-cluster" class="md-nav__link">
Running in an AKS cluster
</a>
</li>
<li class="md-nav__item">
<a href="#running-in-an-eks-cluster" class="md-nav__link">
Running in an EKS cluster
</a>
</li>
<li class="md-nav__item">
<a href="#running-on-openshift" class="md-nav__link">
Running on OpenShift
</a>
</li>
<li class="md-nav__item">
<a href="#running-in-a-gke-cluster" class="md-nav__link">
Running in a GKE cluster
</a>
</li>
<li class="md-nav__item">
<a href="#running-in-a-ack-cluster" class="md-nav__link">
Running in a ACK cluster
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</div>
</div>
</div>
<div class="md-content" data-md-component="content">
<article class="md-content__inner md-typeset">
<h1>How to run</h1>
<h2 id="running-kube-bench">Running kube-bench</h2>
<p>If you run kube-bench directly from the command line you may need to be root / sudo to have access to all the config files.</p>
<p>By default kube-bench attempts to auto-detect the running version of Kubernetes, and map this to the corresponding CIS Benchmark version. For example, Kubernetes version 1.15 is mapped to CIS Benchmark version <code>cis-1.15</code> which is the benchmark version valid for Kubernetes 1.15.</p>
<p>kube-bench also attempts to identify the components running on the node, and uses this to determine which tests to run (for example, only running the master node tests if the node is running an API server). </p>
<p><strong>Please note</strong>
It is impossible to inspect the master nodes of managed clusters, e.g. GKE, EKS, AKS and ACK, using kube-bench as one does not have access to such nodes, although it is still possible to use kube-bench to check worker node configuration in these environments.</p>
<h3 id="running-inside-a-container">Running inside a container</h3>
<p>You can avoid installing kube-bench on the host by running it inside a container using the host PID namespace and mounting the <code>/etc</code> and <code>/var</code> directories where the configuration and other files are located on the host so that kube-bench can check their existence and permissions.</p>
<div class="highlight"><pre><span></span><code>docker run --pid=host -v /etc:/etc:ro -v /var:/var:ro -t aquasec/kube-bench:latest --version 1.18
</code></pre></div>
<blockquote>
<p>Note: the tests require either the kubelet or kubectl binary in the path in order to auto-detect the Kubernetes version. You can pass <code>-v $(which kubectl):/usr/local/mount-from-host/bin/kubectl</code> to resolve this. You will also need to pass in kubeconfig credentials. For example:</p>
</blockquote>
<div class="highlight"><pre><span></span><code>docker run --pid=host -v /etc:/etc:ro -v /var:/var:ro -v $(which kubectl):/usr/local/mount-from-host/bin/kubectl -v ~/.kube:/.kube -e KUBECONFIG=/.kube/config -t aquasec/kube-bench:latest
</code></pre></div>
<p>You can use your own configs by mounting them over the default ones in <code>/opt/kube-bench/cfg/</code></p>
<div class="highlight"><pre><span></span><code>docker run --pid=host -v /etc:/etc:ro -v /var:/var:ro -t -v path/to/my-config.yaml:/opt/kube-bench/cfg/config.yaml -v $(which kubectl):/usr/local/mount-from-host/bin/kubectl -v ~/.kube:/.kube -e KUBECONFIG=/.kube/config aquasec/kube-bench:latest
</code></pre></div>
<h3 id="running-in-a-kubernetes-cluster">Running in a Kubernetes cluster</h3>
<p>You can run kube-bench inside a pod, but it will need access to the host's PID namespace in order to check the running processes, as well as access to some directories on the host where config files and other files are stored.</p>
<p>The supplied <code>job.yaml</code> file can be applied to run the tests as a job. For example:</p>
<div class="highlight"><pre><span></span><code>$ kubectl apply -f job.yaml
job.batch/kube-bench created
$ kubectl get pods
NAME READY STATUS RESTARTS AGE
kube-bench-j76s9 <span class="m">0</span>/1 ContainerCreating <span class="m">0</span> 3s
<span class="c1"># Wait for a few seconds for the job to complete</span>
$ kubectl get pods
NAME READY STATUS RESTARTS AGE
kube-bench-j76s9 <span class="m">0</span>/1 Completed <span class="m">0</span> 11s
<span class="c1"># The results are held in the pod&#39;s logs</span>
kubectl logs kube-bench-j76s9
<span class="o">[</span>INFO<span class="o">]</span> <span class="m">1</span> Master Node Security Configuration
<span class="o">[</span>INFO<span class="o">]</span> <span class="m">1</span>.1 API Server
...
</code></pre></div>
<p>To run tests on the master node, the pod needs to be scheduled on that node. This involves setting a nodeSelector and tolerations in the pod spec.</p>
<p>The default labels applied to master nodes has changed since Kubernetes 1.11, so if you are using an older version you may need to modify the nodeSelector and tolerations to run the job on the master node.</p>
<h3 id="running-in-an-aks-cluster">Running in an AKS cluster</h3>
<ol>
<li>
<p>Create an AKS cluster(e.g. 1.13.7) with RBAC enabled, otherwise there would be 4 failures</p>
</li>
<li>
<p>Use the <a href="https://github.com/kvaps/kubectl-enter">kubectl-enter plugin</a> to shell into a node
<code>kubectl-enter {node-name}</code>
or ssh to one agent node
could open nsg 22 port and assign a public ip for one agent node (only for testing purpose)</p>
</li>
<li>
<p>Run CIS benchmark to view results:
<div class="highlight"><pre><span></span><code>docker run --rm -v `pwd`:/host aquasec/kube-bench:latest install
./kube-bench
</code></pre></div>
kube-bench cannot be run on AKS master nodes</p>
</li>
</ol>
<h3 id="running-in-an-eks-cluster">Running in an EKS cluster</h3>
<p>There is a <code>job-eks.yaml</code> file for running the kube-bench node checks on an EKS cluster. The significant difference on EKS is that it's not possible to schedule jobs onto the master node, so master checks can't be performed</p>
<ol>
<li>To create an EKS Cluster refer to <a href="https://docs.aws.amazon.com/eks/latest/userguide/getting-started.html">Getting Started with Amazon EKS</a> in the <em>Amazon EKS User Guide</em></li>
<li>Information on configuring <code>eksctl</code>, <code>kubectl</code> and the AWS CLI is within</li>
<li>Create an <a href="https://docs.aws.amazon.com/AmazonECR/latest/userguide/what-is-ecr.html">Amazon Elastic Container Registry (ECR)</a> repository to host the kube-bench container image
<div class="highlight"><pre><span></span><code>aws ecr create-repository --repository-name k8s/kube-bench --image-tag-mutability MUTABLE
</code></pre></div></li>
<li>Download, build and push the kube-bench container image to your ECR repo
<div class="highlight"><pre><span></span><code>git clone https://github.com/aquasecurity/kube-bench.git
cd kube-bench
aws ecr get-login-password --region &lt;AWS_REGION&gt; | docker login --username AWS --password-stdin &lt;AWS_ACCT_NUMBER&gt;.dkr.ecr.&lt;AWS_REGION&gt;.amazonaws.com
docker build -t k8s/kube-bench .
docker tag k8s/kube-bench:latest &lt;AWS_ACCT_NUMBER&gt;.dkr.ecr.&lt;AWS_REGION&gt;.amazonaws.com/k8s/kube-bench:latest
docker push &lt;AWS_ACCT_NUMBER&gt;.dkr.ecr.&lt;AWS_REGION&gt;.amazonaws.com/k8s/kube-bench:latest
</code></pre></div></li>
<li>Copy the URI of your pushed image, the URI format is like this: <code>&lt;AWS_ACCT_NUMBER&gt;.dkr.ecr.&lt;AWS_REGION&gt;.amazonaws.com/k8s/kube-bench:latest</code></li>
<li>Replace the <code>image</code> value in <code>job-eks.yaml</code> with the URI from Step 4</li>
<li>Run the kube-bench job on a Pod in your Cluster: <code>kubectl apply -f job-eks.yaml</code></li>
<li>Find the Pod that was created, it <em>should</em> be in the <code>default</code> namespace: <code>kubectl get pods --all-namespaces</code></li>
<li>Retrieve the value of this Pod and output the report, note the Pod name will vary: <code>kubectl logs kube-bench-&lt;value&gt;</code></li>
<li>You can save the report for later reference: <code>kubectl logs kube-bench-&lt;value&gt; &gt; kube-bench-report.txt</code></li>
</ol>
<h3 id="running-on-openshift">Running on OpenShift</h3>
<table>
<thead>
<tr>
<th>OpenShift Hardening Guide</th>
<th>kube-bench config</th>
</tr>
</thead>
<tbody>
<tr>
<td>ocp-3.10 +</td>
<td>rh-0.7</td>
</tr>
<tr>
<td>ocp-4.1 +</td>
<td>rh-1.0</td>
</tr>
</tbody>
</table>
<p>kube-bench includes a set of test files for Red Hat's OpenShift hardening guide for OCP 3.10 and 4.1. To run this you will need to specify <code>--benchmark rh-07</code>, or <code>--version ocp-3.10</code> or,<code>--version ocp-4.5</code> or <code>--benchmark rh-1.0</code> </p>
<p><code>kube-bench</code> supports auto-detection, when you run the <code>kube-bench</code> command it will autodetect if running in openshift environment.</p>
<h3 id="running-in-a-gke-cluster">Running in a GKE cluster</h3>
<table>
<thead>
<tr>
<th>CIS Benchmark</th>
<th>Targets</th>
</tr>
</thead>
<tbody>
<tr>
<td>gke-1.0</td>
<td>master, controlplane, node, etcd, policies, managedservices</td>
</tr>
</tbody>
</table>
<p>kube-bench includes benchmarks for GKE. To run this you will need to specify <code>--benchmark gke-1.0</code> when you run the <code>kube-bench</code> command.</p>
<p>To run the benchmark as a job in your GKE cluster apply the included <code>job-gke.yaml</code>.</p>
<div class="highlight"><pre><span></span><code>kubectl apply -f job-gke.yaml
</code></pre></div>
<h3 id="running-in-a-ack-cluster">Running in a ACK cluster</h3>
<table>
<thead>
<tr>
<th>CIS Benchmark</th>
<th>Targets</th>
</tr>
</thead>
<tbody>
<tr>
<td>ack-1.0</td>
<td>master, controlplane, node, etcd, policies, managedservices</td>
</tr>
</tbody>
</table>
<p>kube-bench includes benchmarks for Alibaba Cloud Container Service For Kubernetes (ACK).
To run this you will need to specify <code>--benchmark ack-1.0</code> when you run the <code>kube-bench</code> command.</p>
<p>To run the benchmark as a job in your ACK cluster apply the included <code>job-ack.yaml</code>.</p>
<div class="highlight"><pre><span></span><code>kubectl apply -f job-ack.yaml
</code></pre></div>
</article>
</div>
</div>
</main>
<footer class="md-footer">
<nav class="md-footer__inner md-grid" aria-label="Footer">
<a href="../platforms/" class="md-footer__link md-footer__link--prev" aria-label="Previous: Platforms" rel="prev">
<div class="md-footer__button md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M20 11v2H8l5.5 5.5-1.42 1.42L4.16 12l7.92-7.92L13.5 5.5 8 11h12z"/></svg>
</div>
<div class="md-footer__title">
<div class="md-ellipsis">
<span class="md-footer__direction">
Previous
</span>
Platforms
</div>
</div>
</a>
<a href="../asff/" class="md-footer__link md-footer__link--next" aria-label="Next: ASFF" rel="next">
<div class="md-footer__title">
<div class="md-ellipsis">
<span class="md-footer__direction">
Next
</span>
ASFF
</div>
</div>
<div class="md-footer__button md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M4 11v2h12l-5.5 5.5 1.42 1.42L19.84 12l-7.92-7.92L10.5 5.5 16 11H4z"/></svg>
</div>
</a>
</nav>
<div class="md-footer-meta md-typeset">
<div class="md-footer-meta__inner md-grid">
<div class="md-copyright">
</div>
</div>
</div>
</footer>
</div>
<div class="md-dialog" data-md-component="dialog">
<div class="md-dialog__inner md-typeset"></div>
</div>
<script id="__config" type="application/json">{"base": "..", "features": [], "translations": {"clipboard.copy": "Copy to clipboard", "clipboard.copied": "Copied to clipboard", "search.config.lang": "en", "search.config.pipeline": "stopWordFilter", "search.config.separator": "[\\s\\-]+", "search.placeholder": "Search", "search.result.placeholder": "Type to start searching", "search.result.none": "No matching documents", "search.result.one": "1 matching document", "search.result.other": "# matching documents", "search.result.more.one": "1 more on this page", "search.result.more.other": "# more on this page", "search.result.term.missing": "Missing", "select.version.title": "Select version"}, "search": "../assets/javascripts/workers/search.81d897cb.min.js", "version": {"method": "mike", "provider": "mike"}}</script>
<script src="../assets/javascripts/bundle.adafc647.min.js"></script>
</body>
</html>

File diff suppressed because one or more lines are too long

@ -0,0 +1,43 @@
<?xml version="1.0" encoding="UTF-8"?>
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
<url>
<loc>https://aquasecurity.github.io/kube-bench/v0.6.5/</loc>
<lastmod>2021-12-01</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>https://aquasecurity.github.io/kube-bench/v0.6.5/architecture/</loc>
<lastmod>2021-12-01</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>https://aquasecurity.github.io/kube-bench/v0.6.5/asff/</loc>
<lastmod>2021-12-01</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>https://aquasecurity.github.io/kube-bench/v0.6.5/controls/</loc>
<lastmod>2021-12-01</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>https://aquasecurity.github.io/kube-bench/v0.6.5/flags-and-commands/</loc>
<lastmod>2021-12-01</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>https://aquasecurity.github.io/kube-bench/v0.6.5/installation/</loc>
<lastmod>2021-12-01</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>https://aquasecurity.github.io/kube-bench/v0.6.5/platforms/</loc>
<lastmod>2021-12-01</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>https://aquasecurity.github.io/kube-bench/v0.6.5/running/</loc>
<lastmod>2021-12-01</lastmod>
<changefreq>daily</changefreq>
</url>
</urlset>

Binary file not shown.

@ -1 +1 @@
[{"version": "v0.6.3", "title": "v0.6.3", "aliases": ["latest"]}, {"version": "dev", "title": "dev", "aliases": []}]
[{"version": "v0.6.5", "title": "v0.6.5", "aliases": ["latest"]}, {"version": "v0.6.3", "title": "v0.6.3", "aliases": []}, {"version": "dev", "title": "dev", "aliases": []}]