From ba03d8f64ba41143af21d312a4e1a13a9a460a8a Mon Sep 17 00:00:00 2001 From: Martin Mosegaard Amdisen Date: Thu, 27 Dec 2018 13:10:00 +0100 Subject: [PATCH] Document limitation of running with kubectl Once the master node recommended check: 1.1.12 Ensure that the admission control plugin DenyEscalatingExec is set has been followed, it is no longer possible to run kube-bench itself using kubectl. --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index 6309426..5157334 100644 --- a/README.md +++ b/README.md @@ -46,6 +46,8 @@ Run the master check kubectl run --rm -i -t kube-bench-master --image=aquasec/kube-bench:latest --restart=Never --overrides="{ \"apiVersion\": \"v1\", \"spec\": { \"hostPID\": true, \"nodeSelector\": { \"node-role.kubernetes.io/master\": \"\" }, \"tolerations\": [ { \"key\": \"node-role.kubernetes.io/master\", \"operator\": \"Exists\", \"effect\": \"NoSchedule\" } ] } }" -- master --version 1.11 ``` +Notice that this requires access to the host PID namespace. Thus it will not work if the recommendation to enable the admission plugin DenyEscalatingExec in the API Server has been implemented. You will see an error message about failing to attach to a container using host PID. + Run the node check ```
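Review bot: the new README paragraph should cite the check it refers to. The commit message identifies it as master check 1.1.12 ("Ensure that the admission control plugin DenyEscalatingExec is set"), but the added text only says "the recommendation to enable the admission plugin DenyEscalatingExec", so a reader cannot easily cross-reference it against kube-bench's own output; consider "if master check 1.1.12 (enable the DenyEscalatingExec admission plugin) has been implemented". The paragraph also says "You will see an error message about failing to attach to a container using host PID" without quoting the message; including the literal error text would let users match it against what `kubectl run` prints. Minor style: "Note that" reads better than "Notice that" at the start of the sentence, and the reason the command needs the host PID namespace is visible right above it (`\"hostPID\": true` in the `--overrides` JSON), so the sentence could point at that field explicitly.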