mirror of
https://github.com/aquasecurity/kube-bench.git
synced 2024-12-22 14:48:07 +00:00
fix: fully qualified image names (#1206)
This commit is contained in:
parent
f90e3a41cd
commit
ebdfba55cc
@ -84,7 +84,7 @@ go build -o kube-bench .
|
|||||||
This command copies the kube-bench binary and configuration files to your host from the Docker container:
|
This command copies the kube-bench binary and configuration files to your host from the Docker container:
|
||||||
**binaries compiled for linux-x86-64 only (so they won't run on macOS or Windows)**
|
**binaries compiled for linux-x86-64 only (so they won't run on macOS or Windows)**
|
||||||
```
|
```
|
||||||
docker run --rm -v `pwd`:/host aquasec/kube-bench:latest install
|
docker run --rm -v `pwd`:/host docker.io/aquasec/kube-bench:latest install
|
||||||
```
|
```
|
||||||
|
|
||||||
You can then run `./kube-bench`.
|
You can then run `./kube-bench`.
|
||||||
|
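Review bot: the updated `install` command still pulls the mutable `latest` tag, so the binary it copies to the host carries no record of which kube-bench release it came from and two runs of the documented step can yield different binaries; since the registry is being qualified anyway, pinning the example to a version tag such as `docker.io/aquasec/kube-bench:v0.6.8` (the tag `job.yaml` already uses in this commit) or to a digest would make the documented install reproducible.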
@ -15,19 +15,19 @@ It is impossible to inspect the master nodes of managed clusters, e.g. GKE, EKS,
|
|||||||
You can avoid installing kube-bench on the host by running it inside a container using the host PID namespace and mounting the `/etc` and `/var` directories where the configuration and other files are located on the host so that kube-bench can check their existence and permissions.
|
You can avoid installing kube-bench on the host by running it inside a container using the host PID namespace and mounting the `/etc` and `/var` directories where the configuration and other files are located on the host so that kube-bench can check their existence and permissions.
|
||||||
|
|
||||||
```
|
```
|
||||||
docker run --pid=host -v /etc:/etc:ro -v /var:/var:ro -t aquasec/kube-bench:latest --version 1.18
|
docker run --pid=host -v /etc:/etc:ro -v /var:/var:ro -t docker.io/aquasec/kube-bench:latest --version 1.18
|
||||||
```
|
```
|
||||||
|
|
||||||
> Note: the tests require either the kubelet or kubectl binary in the path in order to auto-detect the Kubernetes version. You can pass `-v $(which kubectl):/usr/local/mount-from-host/bin/kubectl` to resolve this. You will also need to pass in kubeconfig credentials. For example:
|
> Note: the tests require either the kubelet or kubectl binary in the path in order to auto-detect the Kubernetes version. You can pass `-v $(which kubectl):/usr/local/mount-from-host/bin/kubectl` to resolve this. You will also need to pass in kubeconfig credentials. For example:
|
||||||
|
|
||||||
```
|
```
|
||||||
docker run --pid=host -v /etc:/etc:ro -v /var:/var:ro -v $(which kubectl):/usr/local/mount-from-host/bin/kubectl -v ~/.kube:/.kube -e KUBECONFIG=/.kube/config -t aquasec/kube-bench:latest
|
docker run --pid=host -v /etc:/etc:ro -v /var:/var:ro -v $(which kubectl):/usr/local/mount-from-host/bin/kubectl -v ~/.kube:/.kube -e KUBECONFIG=/.kube/config -t docker.io/aquasec/kube-bench:latest
|
||||||
```
|
```
|
||||||
|
|
||||||
You can use your own configs by mounting them over the default ones in `/opt/kube-bench/cfg/`
|
You can use your own configs by mounting them over the default ones in `/opt/kube-bench/cfg/`
|
||||||
|
|
||||||
```
|
```
|
||||||
docker run --pid=host -v /etc:/etc:ro -v /var:/var:ro -t -v path/to/my-config.yaml:/opt/kube-bench/cfg/config.yaml -v $(which kubectl):/usr/local/mount-from-host/bin/kubectl -v ~/.kube:/.kube -e KUBECONFIG=/.kube/config aquasec/kube-bench:latest
|
docker run --pid=host -v /etc:/etc:ro -v /var:/var:ro -t -v path/to/my-config.yaml:/opt/kube-bench/cfg/config.yaml -v $(which kubectl):/usr/local/mount-from-host/bin/kubectl -v ~/.kube:/.kube -e KUBECONFIG=/.kube/config docker.io/aquasec/kube-bench:latest
|
||||||
```
|
```
|
||||||
|
|
||||||
### Running in a Kubernetes cluster
|
### Running in a Kubernetes cluster
|
||||||
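Review bot: the kubeconfig mount `-v ~/.kube:/.kube` on the two updated commands is read-write while `/etc` and `/var` in the same commands are mounted `:ro`; kube-bench only reads the credentials, so `-v ~/.kube:/.kube:ro` would keep the least-privilege pattern the rest of the command line already follows. The registry qualification itself is applied consistently to all three commands in the hunk.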
@ -72,7 +72,7 @@ could open nsg 22 port and assign a public ip for one agent node (only for testi
|
|||||||
|
|
||||||
1. Run CIS benchmark to view results:
|
1. Run CIS benchmark to view results:
|
||||||
```
|
```
|
||||||
docker run --rm -v `pwd`:/host aquasec/kube-bench:latest install
|
docker run --rm -v `pwd`:/host docker.io/aquasec/kube-bench:latest install
|
||||||
./kube-bench
|
./kube-bench
|
||||||
```
|
```
|
||||||
kube-bench cannot be run on AKS master nodes
|
kube-bench cannot be run on AKS master nodes
|
||||||
@ -107,9 +107,9 @@ docker push <AWS_ACCT_NUMBER>.dkr.ecr.<AWS_REGION>.amazonaws.com/k8s/kube-bench:
|
|||||||
### Running on OpenShift
|
### Running on OpenShift
|
||||||
|
|
||||||
| OpenShift Hardening Guide | kube-bench config |
|
| OpenShift Hardening Guide | kube-bench config |
|
||||||
|---|---|
|
| ------------------------- | ----------------- |
|
||||||
| ocp-3.10 +| rh-0.7 |
|
| ocp-3.10 + | rh-0.7 |
|
||||||
| ocp-4.1 +| rh-1.0 |
|
| ocp-4.1 + | rh-1.0 |
|
||||||
|
|
||||||
kube-bench includes a set of test files for Red Hat's OpenShift hardening guide for OCP 3.10 and 4.1. To run this you will need to specify `--benchmark rh-07`, or `--version ocp-3.10` or,`--version ocp-4.5` or `--benchmark rh-1.0`
|
kube-bench includes a set of test files for Red Hat's OpenShift hardening guide for OCP 3.10 and 4.1. To run this you will need to specify `--benchmark rh-07`, or `--version ocp-3.10` or,`--version ocp-4.5` or `--benchmark rh-1.0`
|
||||||
|
|
||||||
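Review bot: the trailing context line still reads `--benchmark rh-07` while the reformatted table row gives the config name as `rh-0.7`, and it mentions `--version ocp-4.5` while the table lists `ocp-4.1 +`; since this hunk already touches the table, it is the right place to reconcile the flag values with the table and to add the missing space in "or,`--version ocp-4.5`".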
@ -118,9 +118,9 @@ kube-bench includes a set of test files for Red Hat's OpenShift hardening guide
|
|||||||
### Running in a GKE cluster
|
### Running in a GKE cluster
|
||||||
|
|
||||||
| CIS Benchmark | Targets |
|
| CIS Benchmark | Targets |
|
||||||
|---|---|
|
| ------------- | ----------------------------------------------------------- |
|
||||||
| gke-1.0| master, controlplane, node, etcd, policies, managedservices |
|
| gke-1.0 | master, controlplane, node, etcd, policies, managedservices |
|
||||||
| gke-1.2.0| master, controlplane, node, policies, managedservices |
|
| gke-1.2.0 | master, controlplane, node, policies, managedservices |
|
||||||
|
|
||||||
kube-bench includes benchmarks for GKE. To run this you will need to specify `--benchmark gke-1.0` or `--benchmark gke-1.2.0` when you run the `kube-bench` command.
|
kube-bench includes benchmarks for GKE. To run this you will need to specify `--benchmark gke-1.0` or `--benchmark gke-1.2.0` when you run the `kube-bench` command.
|
||||||
|
|
||||||
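Review bot: this hunk is a whitespace-only reformat of the GKE table (column padding) and contains no image reference, so it is unrelated to the commit's stated purpose of qualifying image names; keeping formatter output in its own commit keeps `git blame` on the docs pointing at the change that actually introduced each line. The rendered table is unchanged.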
@ -133,8 +133,8 @@ kubectl apply -f job-gke.yaml
|
|||||||
### Running in a ACK cluster
|
### Running in a ACK cluster
|
||||||
|
|
||||||
| CIS Benchmark | Targets |
|
| CIS Benchmark | Targets |
|
||||||
|---|---|
|
| ------------- | ----------------------------------------------------------- |
|
||||||
| ack-1.0| master, controlplane, node, etcd, policies, managedservices |
|
| ack-1.0 | master, controlplane, node, etcd, policies, managedservices |
|
||||||
|
|
||||||
kube-bench includes benchmarks for Alibaba Cloud Container Service For Kubernetes (ACK).
|
kube-bench includes benchmarks for Alibaba Cloud Container Service For Kubernetes (ACK).
|
||||||
To run this you will need to specify `--benchmark ack-1.0` when you run the `kube-bench` command.
|
To run this you will need to specify `--benchmark ack-1.0` when you run the `kube-bench` command.
|
||||||
|
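Review bot: the heading context line `### Running in a ACK cluster` should read `an ACK cluster`; as with the GKE table, the only change in this hunk is column padding, so either fold the heading fix in here or drop the padding-only hunk from a commit about image names.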
@ -12,7 +12,7 @@ spec:
|
|||||||
hostPID: true
|
hostPID: true
|
||||||
containers:
|
containers:
|
||||||
- name: kube-bench
|
- name: kube-bench
|
||||||
image: aquasec/kube-bench:${VERSION}
|
image: docker.io/aquasec/kube-bench:${VERSION}
|
||||||
command: ["kube-bench"]
|
command: ["kube-bench"]
|
||||||
volumeMounts:
|
volumeMounts:
|
||||||
- name: var-lib-etcd
|
- name: var-lib-etcd
|
||||||
|
12
job-ack.yaml
@ -9,8 +9,16 @@ spec:
|
|||||||
hostPID: true
|
hostPID: true
|
||||||
containers:
|
containers:
|
||||||
- name: kube-bench
|
- name: kube-bench
|
||||||
image: aquasec/kube-bench:latest
|
image: docker.io/aquasec/kube-bench:latest
|
||||||
command: ["kube-bench", "run", "--targets", "node,policies,managedservices", "--benchmark", "ack-1.0"]
|
command:
|
||||||
|
[
|
||||||
|
"kube-bench",
|
||||||
|
"run",
|
||||||
|
"--targets",
|
||||||
|
"node,policies,managedservices",
|
||||||
|
"--benchmark",
|
||||||
|
"ack-1.0",
|
||||||
|
]
|
||||||
volumeMounts:
|
volumeMounts:
|
||||||
- name: var-lib-kubelet
|
- name: var-lib-kubelet
|
||||||
mountPath: /var/lib/kubelet
|
mountPath: /var/lib/kubelet
|
||||||
|
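Review bot: the expanded flow sequence ends with a trailing comma after `"ack-1.0",` before `]`; YAML accepts that, but a block sequence (`- kube-bench`, `- run`, and so on) is the idiomatic form for a multi-line `command` and avoids the question of how far the `[` must be indented relative to `command:`, which the rendered view does not show. The arguments themselves are unchanged from the one-line form.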
@ -9,8 +9,9 @@ spec:
|
|||||||
hostPID: true
|
hostPID: true
|
||||||
containers:
|
containers:
|
||||||
- name: kube-bench
|
- name: kube-bench
|
||||||
image: aquasec/kube-bench:latest
|
image: docker.io/aquasec/kube-bench:latest
|
||||||
command: ["kube-bench", "run", "--targets", "node", "--benchmark", "aks-1.0"]
|
command:
|
||||||
|
["kube-bench", "run", "--targets", "node", "--benchmark", "aks-1.0"]
|
||||||
volumeMounts:
|
volumeMounts:
|
||||||
- name: var-lib-kubelet
|
- name: var-lib-kubelet
|
||||||
mountPath: /var/lib/kubelet
|
mountPath: /var/lib/kubelet
|
||||||
|
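Review bot: here `command:` is wrapped onto a second line but kept as a single flow sequence, whereas job-ack.yaml in the same commit expands the equivalent list one element per line; the difference looks like line-length-driven formatter output, so either apply one width across all manifests or leave `command` on one line where it already fit, rather than mixing both styles.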
@ -32,8 +32,17 @@ spec:
|
|||||||
- name: kube-bench
|
- name: kube-bench
|
||||||
# Push the image to your ECR and then refer to it here
|
# Push the image to your ECR and then refer to it here
|
||||||
# image: <ID.dkr.ecr.region.amazonaws.com/aquasec/kube-bench:ref>
|
# image: <ID.dkr.ecr.region.amazonaws.com/aquasec/kube-bench:ref>
|
||||||
image: aquasec/kube-bench:latest
|
image: docker.io/aquasec/kube-bench:latest
|
||||||
command: ["kube-bench", "run", "--targets", "node", "--benchmark", "eks-1.0.1", "--asff"]
|
command:
|
||||||
|
[
|
||||||
|
"kube-bench",
|
||||||
|
"run",
|
||||||
|
"--targets",
|
||||||
|
"node",
|
||||||
|
"--benchmark",
|
||||||
|
"eks-1.0.1",
|
||||||
|
"--asff",
|
||||||
|
]
|
||||||
volumeMounts:
|
volumeMounts:
|
||||||
- name: var-lib-kubelet
|
- name: var-lib-kubelet
|
||||||
mountPath: /var/lib/kubelet
|
mountPath: /var/lib/kubelet
|
||||||
|
12
job-eks.yaml
@ -11,9 +11,17 @@ spec:
|
|||||||
- name: kube-bench
|
- name: kube-bench
|
||||||
# Push the image to your ECR and then refer to it here
|
# Push the image to your ECR and then refer to it here
|
||||||
# image: <ID.dkr.ecr.region.amazonaws.com/aquasec/kube-bench:ref>
|
# image: <ID.dkr.ecr.region.amazonaws.com/aquasec/kube-bench:ref>
|
||||||
image: aquasec/kube-bench:latest
|
image: docker.io/aquasec/kube-bench:latest
|
||||||
# To send findings to AWS Security Hub, refer to `job-eks-asff.yaml` instead
|
# To send findings to AWS Security Hub, refer to `job-eks-asff.yaml` instead
|
||||||
command: ["kube-bench", "run", "--targets", "node", "--benchmark", "eks-1.0.1"]
|
command:
|
||||||
|
[
|
||||||
|
"kube-bench",
|
||||||
|
"run",
|
||||||
|
"--targets",
|
||||||
|
"node",
|
||||||
|
"--benchmark",
|
||||||
|
"eks-1.0.1",
|
||||||
|
]
|
||||||
volumeMounts:
|
volumeMounts:
|
||||||
- name: var-lib-kubelet
|
- name: var-lib-kubelet
|
||||||
mountPath: /var/lib/kubelet
|
mountPath: /var/lib/kubelet
|
||||||
|
12
job-gke.yaml
@ -9,8 +9,16 @@ spec:
|
|||||||
hostPID: true
|
hostPID: true
|
||||||
containers:
|
containers:
|
||||||
- name: kube-bench
|
- name: kube-bench
|
||||||
image: aquasec/kube-bench:latest
|
image: docker.io/aquasec/kube-bench:latest
|
||||||
command: ["kube-bench", "run", "--targets", "node,policies,managedservices", "--benchmark", "gke-1.2.0"]
|
command:
|
||||||
|
[
|
||||||
|
"kube-bench",
|
||||||
|
"run",
|
||||||
|
"--targets",
|
||||||
|
"node,policies,managedservices",
|
||||||
|
"--benchmark",
|
||||||
|
"gke-1.2.0",
|
||||||
|
]
|
||||||
volumeMounts:
|
volumeMounts:
|
||||||
- name: var-lib-kubelet
|
- name: var-lib-kubelet
|
||||||
mountPath: /var/lib/kubelet
|
mountPath: /var/lib/kubelet
|
||||||
|
@ -9,8 +9,9 @@ spec:
|
|||||||
hostPID: true
|
hostPID: true
|
||||||
containers:
|
containers:
|
||||||
- name: kube-bench
|
- name: kube-bench
|
||||||
image: aquasec/kube-bench:latest
|
image: docker.io/aquasec/kube-bench:latest
|
||||||
command: ["kube-bench", "run", "--targets", "node", "--version", "1.20"]
|
command:
|
||||||
|
["kube-bench", "run", "--targets", "node", "--version", "1.20"]
|
||||||
volumeMounts:
|
volumeMounts:
|
||||||
- name: var-lib-kubelet
|
- name: var-lib-kubelet
|
||||||
mountPath: /var/lib/kubelet
|
mountPath: /var/lib/kubelet
|
||||||
|
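Review bot: the `command` on the updated lines hardcodes `--version 1.20`, so this manifest runs the 1.20 checks regardless of the version the cluster is actually on; the docs hunk above notes that kube-bench auto-detects the version from kubelet or kubectl, so dropping `--version` here, or documenting that the value must be kept in step with the cluster, would avoid stale results. The image qualification is fine.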
@ -15,7 +15,7 @@ spec:
|
|||||||
effect: NoSchedule
|
effect: NoSchedule
|
||||||
containers:
|
containers:
|
||||||
- name: kube-bench
|
- name: kube-bench
|
||||||
image: aquasec/kube-bench:latest
|
image: docker.io/aquasec/kube-bench:latest
|
||||||
command: ["kube-bench", "run", "--targets", "master"]
|
command: ["kube-bench", "run", "--targets", "master"]
|
||||||
volumeMounts:
|
volumeMounts:
|
||||||
- name: var-lib-etcd
|
- name: var-lib-etcd
|
||||||
|
@ -9,7 +9,7 @@ spec:
|
|||||||
hostPID: true
|
hostPID: true
|
||||||
containers:
|
containers:
|
||||||
- name: kube-bench
|
- name: kube-bench
|
||||||
image: aquasec/kube-bench:latest
|
image: docker.io/aquasec/kube-bench:latest
|
||||||
command: ["kube-bench", "run", "--targets", "node"]
|
command: ["kube-bench", "run", "--targets", "node"]
|
||||||
volumeMounts:
|
volumeMounts:
|
||||||
- name: var-lib-etcd
|
- name: var-lib-etcd
|
||||||
|
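Review bot: this node-targeted job (`--targets node`) still declares the `var-lib-etcd` volume mount, which the node checks do not read; the other node manifests in this commit mount only `/var/lib/kubelet`, and matching that keeps the pod's view of the host filesystem to what the target actually needs. The image qualification itself is correct.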
2
job.yaml
@ -12,7 +12,7 @@ spec:
|
|||||||
hostPID: true
|
hostPID: true
|
||||||
containers:
|
containers:
|
||||||
- name: kube-bench
|
- name: kube-bench
|
||||||
image: aquasec/kube-bench:v0.6.8
|
image: docker.io/aquasec/kube-bench:v0.6.8
|
||||||
command: ["kube-bench"]
|
command: ["kube-bench"]
|
||||||
volumeMounts:
|
volumeMounts:
|
||||||
- name: var-lib-etcd
|
- name: var-lib-etcd
|
||||||
|
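Review bot: `job.yaml` is the only manifest in this commit pinned to a version tag (`v0.6.8`); every other job file uses `latest`, so the same cluster can run different kube-bench versions depending on which manifest is applied. Pinning the others to the same tag, or to a digest, alongside the registry qualification would make the scans reproducible across manifests.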