diff --git a/docs/installation.md b/docs/installation.md
index 6d42c0c..373a7c5 100644
--- a/docs/installation.md
+++ b/docs/installation.md
@@ -84,7 +84,7 @@ go build -o kube-bench .
 This command copies the kube-bench binary and configuration files to your host from the Docker container: **binaries compiled for linux-x86-64 only (so they won't run on macOS or Windows)**
 ```
-docker run --rm -v `pwd`:/host aquasec/kube-bench:latest install
+docker run --rm -v `pwd`:/host docker.io/aquasec/kube-bench:latest install
 ```
 You can then run `./kube-bench`.
diff --git a/docs/running.md b/docs/running.md
index 0c7889f..04af7bb 100644
--- a/docs/running.md
+++ b/docs/running.md
@@ -15,19 +15,19 @@ It is impossible to inspect the master nodes of managed clusters, e.g. GKE, EKS,
 You can avoid installing kube-bench on the host by running it inside a container using the host PID namespace and mounting the `/etc` and `/var` directories where the configuration and other files are located on the host so that kube-bench can check their existence and permissions.
 ```
-docker run --pid=host -v /etc:/etc:ro -v /var:/var:ro -t aquasec/kube-bench:latest --version 1.18
+docker run --pid=host -v /etc:/etc:ro -v /var:/var:ro -t docker.io/aquasec/kube-bench:latest --version 1.18
 ```
 > Note: the tests require either the kubelet or kubectl binary in the path in order to auto-detect the Kubernetes version. You can pass `-v $(which kubectl):/usr/local/mount-from-host/bin/kubectl` to resolve this. You will also need to pass in kubeconfig credentials. For example:
 ```
-docker run --pid=host -v /etc:/etc:ro -v /var:/var:ro -v $(which kubectl):/usr/local/mount-from-host/bin/kubectl -v ~/.kube:/.kube -e KUBECONFIG=/.kube/config -t aquasec/kube-bench:latest
+docker run --pid=host -v /etc:/etc:ro -v /var:/var:ro -v $(which kubectl):/usr/local/mount-from-host/bin/kubectl -v ~/.kube:/.kube -e KUBECONFIG=/.kube/config -t docker.io/aquasec/kube-bench:latest
 ```
 You can use your own configs by mounting them over the default ones in `/opt/kube-bench/cfg/`
 ```
-docker run --pid=host -v /etc:/etc:ro -v /var:/var:ro -t -v path/to/my-config.yaml:/opt/kube-bench/cfg/config.yaml -v $(which kubectl):/usr/local/mount-from-host/bin/kubectl -v ~/.kube:/.kube -e KUBECONFIG=/.kube/config aquasec/kube-bench:latest
+docker run --pid=host -v /etc:/etc:ro -v /var:/var:ro -t -v path/to/my-config.yaml:/opt/kube-bench/cfg/config.yaml -v $(which kubectl):/usr/local/mount-from-host/bin/kubectl -v ~/.kube:/.kube -e KUBECONFIG=/.kube/config docker.io/aquasec/kube-bench:latest
 ```
 ### Running in a Kubernetes cluster
@@ -72,7 +72,7 @@ could open nsg 22 port and assign a public ip for one agent node (only for testi
 1. Run CIS benchmark to view results:
 ```
-docker run --rm -v `pwd`:/host aquasec/kube-bench:latest install
+docker run --rm -v `pwd`:/host docker.io/aquasec/kube-bench:latest install
 ./kube-bench
 ```
 kube-bench cannot be run on AKS master nodes
@@ -107,9 +107,9 @@ docker push .dkr.ecr..amazonaws.com/k8s/kube-bench:
 ### Running on OpenShift
 | OpenShift Hardening Guide | kube-bench config |
-|---|---|
-| ocp-3.10 +| rh-0.7 |
-| ocp-4.1 +| rh-1.0 |
+| ------------------------- | ----------------- |
+| ocp-3.10 + | rh-0.7 |
+| ocp-4.1 + | rh-1.0 |
 kube-bench includes a set of test files for Red Hat's OpenShift hardening guide for OCP 3.10 and 4.1. To run this you will need to specify `--benchmark rh-07`, or `--version ocp-3.10` or,`--version ocp-4.5` or `--benchmark rh-1.0`
@@ -117,10 +117,10 @@ kube-bench includes a set of test files for Red Hat's OpenShift hardening guide
 ### Running in a GKE cluster
-| CIS Benchmark | Targets |
-|---|---|
-| gke-1.0| master, controlplane, node, etcd, policies, managedservices |
-| gke-1.2.0| master, controlplane, node, policies, managedservices |
+| CIS Benchmark | Targets |
+| ------------- | ----------------------------------------------------------- |
+| gke-1.0 | master, controlplane, node, etcd, policies, managedservices |
+| gke-1.2.0 | master, controlplane, node, policies, managedservices |
 kube-bench includes benchmarks for GKE. To run this you will need to specify `--benchmark gke-1.0` or `--benchmark gke-1.2.0` when you run the `kube-bench` command.
@@ -132,9 +132,9 @@ kubectl apply -f job-gke.yaml
 ### Running in a ACK cluster
-| CIS Benchmark | Targets |
-|---|---|
-| ack-1.0| master, controlplane, node, etcd, policies, managedservices |
+| CIS Benchmark | Targets |
+| ------------- | ----------------------------------------------------------- |
+| ack-1.0 | master, controlplane, node, etcd, policies, managedservices |
 kube-bench includes benchmarks for Alibaba Cloud Container Service For Kubernetes (ACK). To run this you will need to specify `--benchmark ack-1.0` when you run the `kube-bench` command.
diff --git a/hack/kind.yaml b/hack/kind.yaml
index 0cf3888..7f088f1 100644
--- a/hack/kind.yaml
+++ b/hack/kind.yaml
@@ -12,7 +12,7 @@ spec:
 hostPID: true
 containers:
 - name: kube-bench
- image: aquasec/kube-bench:${VERSION}
+ image: docker.io/aquasec/kube-bench:${VERSION}
 command: ["kube-bench"]
 volumeMounts:
 - name: var-lib-etcd
diff --git a/job-ack.yaml b/job-ack.yaml
index ecc1819..f34f6dd 100644
--- a/job-ack.yaml
+++ b/job-ack.yaml
@@ -9,8 +9,16 @@ spec:
 hostPID: true
 containers:
 - name: kube-bench
- image: aquasec/kube-bench:latest
- command: ["kube-bench", "run", "--targets", "node,policies,managedservices", "--benchmark", "ack-1.0"]
+ image: docker.io/aquasec/kube-bench:latest
+ command:
+ [
+ "kube-bench",
+ "run",
+ "--targets",
+ "node,policies,managedservices",
+ "--benchmark",
+ "ack-1.0",
+ ]
 volumeMounts:
 - name: var-lib-kubelet
 mountPath: /var/lib/kubelet
diff --git a/job-aks.yaml b/job-aks.yaml
index 329c86b..652a4a5 100644
--- a/job-aks.yaml
+++ b/job-aks.yaml
@@ -9,8 +9,9 @@ spec:
 hostPID: true
 containers:
 - name: kube-bench
- image: aquasec/kube-bench:latest
- command: ["kube-bench", "run", "--targets", "node", "--benchmark", "aks-1.0"]
+ image: docker.io/aquasec/kube-bench:latest
+ command:
+ ["kube-bench", "run", "--targets", "node", "--benchmark", "aks-1.0"]
 volumeMounts:
 - name: var-lib-kubelet
 mountPath: /var/lib/kubelet
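Review bot: The job-ack.yaml hunk's `+ image: docker.io/aquasec/kube-bench:latest` still launches a `hostPID: true` pod with host paths mounted (`mountPath: /var/lib/kubelet`) from a mutable tag, so the binary actually executed changes silently whenever the tag is re-pushed and two benchmark runs are not comparable; qualifying the registry fixes which registry resolves the name, not which image it resolves to. job.yaml in this same commit already pins `docker.io/aquasec/kube-bench:v0.6.8`, so the manifests now disagree with each other on this point. The same `:latest` reference is introduced in job-aks.yaml, job-eks-asff.yaml, job-eks.yaml, job-gke.yaml, job-iks.yaml, job-master.yaml and job-node.yaml. Pin each to the released tag, `image: docker.io/aquasec/kube-bench:v0.6.8`, or preferably to a digest, `image: docker.io/aquasec/kube-bench@sha256:<DIGEST-FROM-RELEASE>` (placeholder), and if `:latest` is deliberately kept as a quick-start default, add a comment above the line saying so, so that the manifest is not copied into a scheduled CronJob unchanged.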
diff --git a/job-eks-asff.yaml b/job-eks-asff.yaml
index 426c548..814cd1b 100644
--- a/job-eks-asff.yaml
+++ b/job-eks-asff.yaml
@@ -32,8 +32,17 @@ spec:
 - name: kube-bench
 # Push the image to your ECR and then refer to it here
 # image:
- image: aquasec/kube-bench:latest
- command: ["kube-bench", "run", "--targets", "node", "--benchmark", "eks-1.0.1", "--asff"]
+ image: docker.io/aquasec/kube-bench:latest
+ command:
+ [
+ "kube-bench",
+ "run",
+ "--targets",
+ "node",
+ "--benchmark",
+ "eks-1.0.1",
+ "--asff",
+ ]
 volumeMounts:
 - name: var-lib-kubelet
 mountPath: /var/lib/kubelet
diff --git a/job-eks.yaml b/job-eks.yaml
index ed269e0..5a946fa 100644
--- a/job-eks.yaml
+++ b/job-eks.yaml
@@ -11,9 +11,17 @@ spec:
 - name: kube-bench
 # Push the image to your ECR and then refer to it here
 # image:
- image: aquasec/kube-bench:latest
+ image: docker.io/aquasec/kube-bench:latest
 # To send findings to AWS Security Hub, refer to `job-eks-asff.yaml` instead
- command: ["kube-bench", "run", "--targets", "node", "--benchmark", "eks-1.0.1"]
+ command:
+ [
+ "kube-bench",
+ "run",
+ "--targets",
+ "node",
+ "--benchmark",
+ "eks-1.0.1",
+ ]
 volumeMounts:
 - name: var-lib-kubelet
 mountPath: /var/lib/kubelet
diff --git a/job-gke.yaml b/job-gke.yaml
index 2e6d1e9..c87b184 100644
--- a/job-gke.yaml
+++ b/job-gke.yaml
@@ -9,8 +9,16 @@ spec:
 hostPID: true
 containers:
 - name: kube-bench
- image: aquasec/kube-bench:latest
- command: ["kube-bench", "run", "--targets", "node,policies,managedservices", "--benchmark", "gke-1.2.0"]
+ image: docker.io/aquasec/kube-bench:latest
+ command:
+ [
+ "kube-bench",
+ "run",
+ "--targets",
+ "node,policies,managedservices",
+ "--benchmark",
+ "gke-1.2.0",
+ ]
 volumeMounts:
 - name: var-lib-kubelet
 mountPath: /var/lib/kubelet
diff --git a/job-iks.yaml b/job-iks.yaml
index a67ad40..f8092d0 100644
--- a/job-iks.yaml
+++ b/job-iks.yaml
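Review bot: The job-eks-asff.yaml hunk rewrites `command:` as a flow sequence spread over nine added lines (`[`, one quoted element per line, `]`), which is neither the compact one-line flow list the file had nor the block-sequence form that the neighbouring `containers:` and `volumeMounts:` keys use, so the manifest now mixes three list styles. The same split appears in job-ack.yaml, job-eks.yaml and job-gke.yaml, while job-aks.yaml and job-iks.yaml keep a one-line flow list on the line after `command:`; this looks like a formatter's line-width decision rather than a deliberate convention, and the enclosing container spec starts and ends outside the hunk. Either leave the original one-line form or use a block sequence as below; if the block form is adopted in job-iks.yaml too, keep its `"1.20"` quoted so it stays a string.
```yaml
          image: docker.io/aquasec/kube-bench:latest
          command:
            - kube-bench
            - run
            - --targets
            - node
            - --benchmark
            - eks-1.0.1
            - --asff
          # … unchanged: volumeMounts …
```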
@@ -9,8 +9,9 @@ spec:
 hostPID: true
 containers:
 - name: kube-bench
- image: aquasec/kube-bench:latest
- command: ["kube-bench", "run", "--targets", "node", "--version", "1.20"]
+ image: docker.io/aquasec/kube-bench:latest
+ command:
+ ["kube-bench", "run", "--targets", "node", "--version", "1.20"]
 volumeMounts:
 - name: var-lib-kubelet
 mountPath: /var/lib/kubelet
diff --git a/job-master.yaml b/job-master.yaml
index e3be12b..ee30cb8 100644
--- a/job-master.yaml
+++ b/job-master.yaml
@@ -15,7 +15,7 @@ spec:
 effect: NoSchedule
 containers:
 - name: kube-bench
- image: aquasec/kube-bench:latest
+ image: docker.io/aquasec/kube-bench:latest
 command: ["kube-bench", "run", "--targets", "master"]
 volumeMounts:
 - name: var-lib-etcd
diff --git a/job-node.yaml b/job-node.yaml
index b452317..0e6f9a9 100644
--- a/job-node.yaml
+++ b/job-node.yaml
@@ -9,7 +9,7 @@ spec:
 hostPID: true
 containers:
 - name: kube-bench
- image: aquasec/kube-bench:latest
+ image: docker.io/aquasec/kube-bench:latest
 command: ["kube-bench", "run", "--targets", "node"]
 volumeMounts:
 - name: var-lib-etcd
diff --git a/job.yaml b/job.yaml
index 201420e..96dcaf4 100644
--- a/job.yaml
+++ b/job.yaml
@@ -12,7 +12,7 @@ spec:
 hostPID: true
 containers:
 - name: kube-bench
- image: aquasec/kube-bench:v0.6.8
+ image: docker.io/aquasec/kube-bench:v0.6.8
 command: ["kube-bench"]
 volumeMounts:
 - name: var-lib-etcd