1
0
mirror of https://github.com/aquasecurity/kube-bench.git synced 2024-12-22 06:38:06 +00:00

fix: fully qualified image names (#1206)

This commit is contained in:
rhtenhove 2022-06-17 11:01:32 -04:00 committed by GitHub
parent f90e3a41cd
commit ebdfba55cc
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
12 changed files with 66 additions and 31 deletions

View File

@ -84,7 +84,7 @@ go build -o kube-bench .
This command copies the kube-bench binary and configuration files to your host from the Docker container: This command copies the kube-bench binary and configuration files to your host from the Docker container:
**binaries compiled for linux-x86-64 only (so they won't run on macOS or Windows)** **binaries compiled for linux-x86-64 only (so they won't run on macOS or Windows)**
``` ```
docker run --rm -v `pwd`:/host aquasec/kube-bench:latest install docker run --rm -v `pwd`:/host docker.io/aquasec/kube-bench:latest install
``` ```
You can then run `./kube-bench`. You can then run `./kube-bench`.

View File

@ -15,19 +15,19 @@ It is impossible to inspect the master nodes of managed clusters, e.g. GKE, EKS,
You can avoid installing kube-bench on the host by running it inside a container using the host PID namespace and mounting the `/etc` and `/var` directories where the configuration and other files are located on the host so that kube-bench can check their existence and permissions. You can avoid installing kube-bench on the host by running it inside a container using the host PID namespace and mounting the `/etc` and `/var` directories where the configuration and other files are located on the host so that kube-bench can check their existence and permissions.
``` ```
docker run --pid=host -v /etc:/etc:ro -v /var:/var:ro -t aquasec/kube-bench:latest --version 1.18 docker run --pid=host -v /etc:/etc:ro -v /var:/var:ro -t docker.io/aquasec/kube-bench:latest --version 1.18
``` ```
> Note: the tests require either the kubelet or kubectl binary in the path in order to auto-detect the Kubernetes version. You can pass `-v $(which kubectl):/usr/local/mount-from-host/bin/kubectl` to resolve this. You will also need to pass in kubeconfig credentials. For example: > Note: the tests require either the kubelet or kubectl binary in the path in order to auto-detect the Kubernetes version. You can pass `-v $(which kubectl):/usr/local/mount-from-host/bin/kubectl` to resolve this. You will also need to pass in kubeconfig credentials. For example:
``` ```
docker run --pid=host -v /etc:/etc:ro -v /var:/var:ro -v $(which kubectl):/usr/local/mount-from-host/bin/kubectl -v ~/.kube:/.kube -e KUBECONFIG=/.kube/config -t aquasec/kube-bench:latest docker run --pid=host -v /etc:/etc:ro -v /var:/var:ro -v $(which kubectl):/usr/local/mount-from-host/bin/kubectl -v ~/.kube:/.kube -e KUBECONFIG=/.kube/config -t docker.io/aquasec/kube-bench:latest
``` ```
You can use your own configs by mounting them over the default ones in `/opt/kube-bench/cfg/` You can use your own configs by mounting them over the default ones in `/opt/kube-bench/cfg/`
``` ```
docker run --pid=host -v /etc:/etc:ro -v /var:/var:ro -t -v path/to/my-config.yaml:/opt/kube-bench/cfg/config.yaml -v $(which kubectl):/usr/local/mount-from-host/bin/kubectl -v ~/.kube:/.kube -e KUBECONFIG=/.kube/config aquasec/kube-bench:latest docker run --pid=host -v /etc:/etc:ro -v /var:/var:ro -t -v path/to/my-config.yaml:/opt/kube-bench/cfg/config.yaml -v $(which kubectl):/usr/local/mount-from-host/bin/kubectl -v ~/.kube:/.kube -e KUBECONFIG=/.kube/config docker.io/aquasec/kube-bench:latest
``` ```
### Running in a Kubernetes cluster ### Running in a Kubernetes cluster
@ -72,7 +72,7 @@ could open nsg 22 port and assign a public ip for one agent node (only for testi
1. Run CIS benchmark to view results: 1. Run CIS benchmark to view results:
``` ```
docker run --rm -v `pwd`:/host aquasec/kube-bench:latest install docker run --rm -v `pwd`:/host docker.io/aquasec/kube-bench:latest install
./kube-bench ./kube-bench
``` ```
kube-bench cannot be run on AKS master nodes kube-bench cannot be run on AKS master nodes
@ -107,9 +107,9 @@ docker push <AWS_ACCT_NUMBER>.dkr.ecr.<AWS_REGION>.amazonaws.com/k8s/kube-bench:
### Running on OpenShift ### Running on OpenShift
| OpenShift Hardening Guide | kube-bench config | | OpenShift Hardening Guide | kube-bench config |
|---|---| | ------------------------- | ----------------- |
| ocp-3.10 +| rh-0.7 | | ocp-3.10 + | rh-0.7 |
| ocp-4.1 +| rh-1.0 | | ocp-4.1 + | rh-1.0 |
kube-bench includes a set of test files for Red Hat's OpenShift hardening guide for OCP 3.10 and 4.1. To run this you will need to specify `--benchmark rh-07`, or `--version ocp-3.10` or,`--version ocp-4.5` or `--benchmark rh-1.0` kube-bench includes a set of test files for Red Hat's OpenShift hardening guide for OCP 3.10 and 4.1. To run this you will need to specify `--benchmark rh-07`, or `--version ocp-3.10` or,`--version ocp-4.5` or `--benchmark rh-1.0`
@ -117,10 +117,10 @@ kube-bench includes a set of test files for Red Hat's OpenShift hardening guide
### Running in a GKE cluster ### Running in a GKE cluster
| CIS Benchmark | Targets | | CIS Benchmark | Targets |
|---|---| | ------------- | ----------------------------------------------------------- |
| gke-1.0| master, controlplane, node, etcd, policies, managedservices | | gke-1.0 | master, controlplane, node, etcd, policies, managedservices |
| gke-1.2.0| master, controlplane, node, policies, managedservices | | gke-1.2.0 | master, controlplane, node, policies, managedservices |
kube-bench includes benchmarks for GKE. To run this you will need to specify `--benchmark gke-1.0` or `--benchmark gke-1.2.0` when you run the `kube-bench` command. kube-bench includes benchmarks for GKE. To run this you will need to specify `--benchmark gke-1.0` or `--benchmark gke-1.2.0` when you run the `kube-bench` command.
@ -132,9 +132,9 @@ kubectl apply -f job-gke.yaml
### Running in a ACK cluster ### Running in a ACK cluster
| CIS Benchmark | Targets | | CIS Benchmark | Targets |
|---|---| | ------------- | ----------------------------------------------------------- |
| ack-1.0| master, controlplane, node, etcd, policies, managedservices | | ack-1.0 | master, controlplane, node, etcd, policies, managedservices |
kube-bench includes benchmarks for Alibaba Cloud Container Service For Kubernetes (ACK). kube-bench includes benchmarks for Alibaba Cloud Container Service For Kubernetes (ACK).
To run this you will need to specify `--benchmark ack-1.0` when you run the `kube-bench` command. To run this you will need to specify `--benchmark ack-1.0` when you run the `kube-bench` command.

View File

@ -12,7 +12,7 @@ spec:
hostPID: true hostPID: true
containers: containers:
- name: kube-bench - name: kube-bench
image: aquasec/kube-bench:${VERSION} image: docker.io/aquasec/kube-bench:${VERSION}
command: ["kube-bench"] command: ["kube-bench"]
volumeMounts: volumeMounts:
- name: var-lib-etcd - name: var-lib-etcd

View File

@ -9,8 +9,16 @@ spec:
hostPID: true hostPID: true
containers: containers:
- name: kube-bench - name: kube-bench
image: aquasec/kube-bench:latest image: docker.io/aquasec/kube-bench:latest
command: ["kube-bench", "run", "--targets", "node,policies,managedservices", "--benchmark", "ack-1.0"] command:
[
"kube-bench",
"run",
"--targets",
"node,policies,managedservices",
"--benchmark",
"ack-1.0",
]
volumeMounts: volumeMounts:
- name: var-lib-kubelet - name: var-lib-kubelet
mountPath: /var/lib/kubelet mountPath: /var/lib/kubelet

View File

@ -9,8 +9,9 @@ spec:
hostPID: true hostPID: true
containers: containers:
- name: kube-bench - name: kube-bench
image: aquasec/kube-bench:latest image: docker.io/aquasec/kube-bench:latest
command: ["kube-bench", "run", "--targets", "node", "--benchmark", "aks-1.0"] command:
["kube-bench", "run", "--targets", "node", "--benchmark", "aks-1.0"]
volumeMounts: volumeMounts:
- name: var-lib-kubelet - name: var-lib-kubelet
mountPath: /var/lib/kubelet mountPath: /var/lib/kubelet

View File

@ -32,8 +32,17 @@ spec:
- name: kube-bench - name: kube-bench
# Push the image to your ECR and then refer to it here # Push the image to your ECR and then refer to it here
# image: <ID.dkr.ecr.region.amazonaws.com/aquasec/kube-bench:ref> # image: <ID.dkr.ecr.region.amazonaws.com/aquasec/kube-bench:ref>
image: aquasec/kube-bench:latest image: docker.io/aquasec/kube-bench:latest
command: ["kube-bench", "run", "--targets", "node", "--benchmark", "eks-1.0.1", "--asff"] command:
[
"kube-bench",
"run",
"--targets",
"node",
"--benchmark",
"eks-1.0.1",
"--asff",
]
volumeMounts: volumeMounts:
- name: var-lib-kubelet - name: var-lib-kubelet
mountPath: /var/lib/kubelet mountPath: /var/lib/kubelet

View File

@ -11,9 +11,17 @@ spec:
- name: kube-bench - name: kube-bench
# Push the image to your ECR and then refer to it here # Push the image to your ECR and then refer to it here
# image: <ID.dkr.ecr.region.amazonaws.com/aquasec/kube-bench:ref> # image: <ID.dkr.ecr.region.amazonaws.com/aquasec/kube-bench:ref>
image: aquasec/kube-bench:latest image: docker.io/aquasec/kube-bench:latest
# To send findings to AWS Security Hub, refer to `job-eks-asff.yaml` instead # To send findings to AWS Security Hub, refer to `job-eks-asff.yaml` instead
command: ["kube-bench", "run", "--targets", "node", "--benchmark", "eks-1.0.1"] command:
[
"kube-bench",
"run",
"--targets",
"node",
"--benchmark",
"eks-1.0.1",
]
volumeMounts: volumeMounts:
- name: var-lib-kubelet - name: var-lib-kubelet
mountPath: /var/lib/kubelet mountPath: /var/lib/kubelet

View File

@ -9,8 +9,16 @@ spec:
hostPID: true hostPID: true
containers: containers:
- name: kube-bench - name: kube-bench
image: aquasec/kube-bench:latest image: docker.io/aquasec/kube-bench:latest
command: ["kube-bench", "run", "--targets", "node,policies,managedservices", "--benchmark", "gke-1.2.0"] command:
[
"kube-bench",
"run",
"--targets",
"node,policies,managedservices",
"--benchmark",
"gke-1.2.0",
]
volumeMounts: volumeMounts:
- name: var-lib-kubelet - name: var-lib-kubelet
mountPath: /var/lib/kubelet mountPath: /var/lib/kubelet

View File

@ -9,8 +9,9 @@ spec:
hostPID: true hostPID: true
containers: containers:
- name: kube-bench - name: kube-bench
image: aquasec/kube-bench:latest image: docker.io/aquasec/kube-bench:latest
command: ["kube-bench", "run", "--targets", "node", "--version", "1.20"] command:
["kube-bench", "run", "--targets", "node", "--version", "1.20"]
volumeMounts: volumeMounts:
- name: var-lib-kubelet - name: var-lib-kubelet
mountPath: /var/lib/kubelet mountPath: /var/lib/kubelet

View File

@ -15,7 +15,7 @@ spec:
effect: NoSchedule effect: NoSchedule
containers: containers:
- name: kube-bench - name: kube-bench
image: aquasec/kube-bench:latest image: docker.io/aquasec/kube-bench:latest
command: ["kube-bench", "run", "--targets", "master"] command: ["kube-bench", "run", "--targets", "master"]
volumeMounts: volumeMounts:
- name: var-lib-etcd - name: var-lib-etcd

View File

@ -9,7 +9,7 @@ spec:
hostPID: true hostPID: true
containers: containers:
- name: kube-bench - name: kube-bench
image: aquasec/kube-bench:latest image: docker.io/aquasec/kube-bench:latest
command: ["kube-bench", "run", "--targets", "node"] command: ["kube-bench", "run", "--targets", "node"]
volumeMounts: volumeMounts:
- name: var-lib-etcd - name: var-lib-etcd

View File

@ -12,7 +12,7 @@ spec:
hostPID: true hostPID: true
containers: containers:
- name: kube-bench - name: kube-bench
image: aquasec/kube-bench:v0.6.8 image: docker.io/aquasec/kube-bench:v0.6.8
command: ["kube-bench"] command: ["kube-bench"]
volumeMounts: volumeMounts:
- name: var-lib-etcd - name: var-lib-etcd