kube-bench/v0.6.15/flags-and-commands/index.html


<!doctype html>
<html lang="en" class="no-js">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width,initial-scale=1">
<meta name="description" content="Checks whether Kubernetes is deployed according to security best practices as defined in the CIS Kubernetes Benchmark">
<link rel="canonical" href="https://aquasecurity.github.io/kube-bench/v0.6.15/flags-and-commands/">
<link rel="prev" href="../asff/">
<link rel="next" href="../controls/">
<link rel="icon" href="../assets/images/favicon.png">
<meta name="generator" content="mkdocs-1.4.3, mkdocs-material-9.1.15+insiders-4.35.3">
<title>Flags - Kube-bench</title>
<link rel="stylesheet" href="../assets/stylesheets/main.cac7c1ad.min.css">
<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto:300,300i,400,400i,700,700i%7CRoboto+Mono:400,400i,700,700i&display=fallback">
<style>:root{--md-text-font:"Roboto";--md-code-font:"Roboto Mono"}</style>
<!--
  Theme bootstrap helpers, assigned as globals before the body is parsed.
  __md_scope: URL of the site root, resolved from ".." against the current location.
  __md_hash:  shift-and-subtract string hash, ((h << 5) - h + char code), seeded with 0.
  __md_get:   reads key e from the given storage (localStorage by default) under
              scope.pathname + "." + e and returns JSON.parse of it. The parse is not
              wrapped in try/catch, so a malformed stored value throws here.
  __md_set:   writes JSON.stringify of the value under the same key scheme and
              silently ignores any storage error (for example quota or disabled storage).
-->
<script>__md_scope=new URL("..",location),__md_hash=e=>[...e].reduce((e,_)=>(e<<5)-e+_.charCodeAt(0),0),__md_get=(e,_=localStorage,t=__md_scope)=>JSON.parse(_.getItem(t.pathname+"."+e)),__md_set=(e,_,t=localStorage,a=__md_scope)=>{try{t.setItem(a.pathname+"."+e,JSON.stringify(_))}catch(e){}}</script>
</head>
<body dir="ltr">
<input class="md-toggle" data-md-toggle="drawer" type="checkbox" id="__drawer" autocomplete="off">
<input class="md-toggle" data-md-toggle="search" type="checkbox" id="__search" autocomplete="off">
<label class="md-overlay" for="__drawer"></label>
<div data-md-component="skip">
<a href="#commands" class="md-skip">
Skip to content
</a>
</div>
<div data-md-component="announce">
</div>
<div data-md-color-scheme="default" data-md-component="outdated" hidden>
</div>
<header class="md-header md-header--shadow" data-md-component="header">
<nav class="md-header__inner md-grid" aria-label="Header">
<a href=".." title="Kube-bench" class="md-header__button md-logo" aria-label="Kube-bench" data-md-component="logo">
<img src="../images/kube-bench-logo-only.png" alt="logo">
</a>
<label class="md-header__button md-icon" for="__drawer">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M3 6h18v2H3V6m0 5h18v2H3v-2m0 5h18v2H3v-2Z"/></svg>
</label>
<div class="md-header__title" data-md-component="header-title">
<div class="md-header__ellipsis">
<div class="md-header__topic">
<span class="md-ellipsis">
Kube-bench
</span>
</div>
<div class="md-header__topic" data-md-component="header-topic">
<span class="md-ellipsis">
Flags
</span>
</div>
</div>
</div>
<!--
  Restores the saved colour palette: reads "__palette" through __md_get and, when it
  has a color object, copies every key/value of palette.color onto body as a
  data-md-color-<key> attribute. Values come from localStorage and are applied with
  setAttribute, so they are stored as attribute text rather than parsed as markup.
  When the saved media value is "(prefers-color-scheme)", the script first resolves it
  with matchMedia and takes media, scheme, primary and accent from the matching
  [data-md-color-media] input.
  NOTE(review): no [data-md-color-media] input is visible in this page, so that branch
  would call getAttribute on null if it ran; confirm against the theme configuration.
-->
<script>var media,input,key,value,palette=__md_get("__palette");if(palette&&palette.color){"(prefers-color-scheme)"===palette.color.media&&(media=matchMedia("(prefers-color-scheme: light)"),input=document.querySelector(media.matches?"[data-md-color-media='(prefers-color-scheme: light)']":"[data-md-color-media='(prefers-color-scheme: dark)']"),palette.color.media=input.getAttribute("data-md-color-media"),palette.color.scheme=input.getAttribute("data-md-color-scheme"),palette.color.primary=input.getAttribute("data-md-color-primary"),palette.color.accent=input.getAttribute("data-md-color-accent"));for([key,value]of Object.entries(palette.color))document.body.setAttribute("data-md-color-"+key,value)}</script>
<label class="md-header__button md-icon" for="__search">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.516 6.516 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5Z"/></svg>
</label>
<div class="md-search" data-md-component="search" role="dialog">
<label class="md-search__overlay" for="__search"></label>
<div class="md-search__inner" role="search">
<form class="md-search__form" name="search">
<input type="text" class="md-search__input" name="query" aria-label="Search" placeholder="Search" autocapitalize="off" autocorrect="off" autocomplete="off" spellcheck="false" data-md-component="search-query" required>
<label class="md-search__icon md-icon" for="__search">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.516 6.516 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5Z"/></svg>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M20 11v2H8l5.5 5.5-1.42 1.42L4.16 12l7.92-7.92L13.5 5.5 8 11h12Z"/></svg>
</label>
<nav class="md-search__options" aria-label="Search">
<button type="reset" class="md-search__icon md-icon" title="Clear" aria-label="Clear" tabindex="-1">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M19 6.41 17.59 5 12 10.59 6.41 5 5 6.41 10.59 12 5 17.59 6.41 19 12 13.41 17.59 19 19 17.59 13.41 12 19 6.41Z"/></svg>
</button>
</nav>
</form>
<div class="md-search__output">
<div class="md-search__scrollwrap" data-md-scrollfix>
<div class="md-search-result" data-md-component="search-result">
<div class="md-search-result__meta">
Initializing search
</div>
<ol class="md-search-result__list" role="presentation"></ol>
</div>
</div>
</div>
</div>
</div>
<div class="md-header__source">
<a href="https://github.com/aquasecurity/kube-bench/" title="Go to repository" class="md-source" data-md-component="source">
<div class="md-source__icon md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512"><!--! Font Awesome Free 6.4.0 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2023 Fonticons, Inc.--><path d="M439.55 236.05 244 40.45a28.87 28.87 0 0 0-40.81 0l-40.66 40.63 51.52 51.52c27.06-9.14 52.68 16.77 43.39 43.68l49.66 49.66c34.23-11.8 61.18 31 35.47 56.69-26.49 26.49-70.21-2.87-56-37.34L240.22 199v121.85c25.3 12.54 22.26 41.85 9.08 55a34.34 34.34 0 0 1-48.55 0c-17.57-17.6-11.07-46.91 11.25-56v-123c-20.8-8.51-24.6-30.74-18.64-45L142.57 101 8.45 235.14a28.86 28.86 0 0 0 0 40.81l195.61 195.6a28.86 28.86 0 0 0 40.8 0l194.69-194.69a28.86 28.86 0 0 0 0-40.81z"/></svg>
</div>
<div class="md-source__repository">
GitHub
</div>
</a>
</div>
</nav>
</header>
<div class="md-container" data-md-component="container">
<main class="md-main" data-md-component="main">
<div class="md-main__inner md-grid">
<div class="md-sidebar md-sidebar--primary" data-md-component="sidebar" data-md-type="navigation" >
<div class="md-sidebar__scrollwrap">
<div class="md-sidebar__inner">
<nav class="md-nav md-nav--primary" aria-label="Navigation" data-md-level="0">
<label class="md-nav__title" for="__drawer">
<a href=".." title="Kube-bench" class="md-nav__button md-logo" aria-label="Kube-bench" data-md-component="logo">
<img src="../images/kube-bench-logo-only.png" alt="logo">
</a>
Kube-bench
</label>
<div class="md-nav__source">
<a href="https://github.com/aquasecurity/kube-bench/" title="Go to repository" class="md-source" data-md-component="source">
<div class="md-source__icon md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512"><!--! Font Awesome Free 6.4.0 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2023 Fonticons, Inc.--><path d="M439.55 236.05 244 40.45a28.87 28.87 0 0 0-40.81 0l-40.66 40.63 51.52 51.52c27.06-9.14 52.68 16.77 43.39 43.68l49.66 49.66c34.23-11.8 61.18 31 35.47 56.69-26.49 26.49-70.21-2.87-56-37.34L240.22 199v121.85c25.3 12.54 22.26 41.85 9.08 55a34.34 34.34 0 0 1-48.55 0c-17.57-17.6-11.07-46.91 11.25-56v-123c-20.8-8.51-24.6-30.74-18.64-45L142.57 101 8.45 235.14a28.86 28.86 0 0 0 0 40.81l195.61 195.6a28.86 28.86 0 0 0 40.8 0l194.69-194.69a28.86 28.86 0 0 0 0-40.81z"/></svg>
</div>
<div class="md-source__repository">
GitHub
</div>
</a>
</div>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href=".." class="md-nav__link">
<span class="md-ellipsis">
Overview
</span>
</a>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_2" >
<label class="md-nav__link" for="__nav_2" id="__nav_2_label" tabindex="0">
<span class="md-ellipsis">
Getting Started
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_2_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_2">
<span class="md-nav__icon md-icon"></span>
Getting Started
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../installation/" class="md-nav__link">
<span class="md-ellipsis">
Installation
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../platforms/" class="md-nav__link">
<span class="md-ellipsis">
Platforms
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../running/" class="md-nav__link">
<span class="md-ellipsis">
How to run
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../asff/" class="md-nav__link">
<span class="md-ellipsis">
ASFF
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--active">
<input class="md-nav__toggle md-toggle" type="checkbox" id="__toc">
<label class="md-nav__link md-nav__link--active" for="__toc">
<span class="md-ellipsis">
Flags
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<a href="./" class="md-nav__link md-nav__link--active">
<span class="md-ellipsis">
Flags
</span>
</a>
<nav class="md-nav md-nav--secondary" aria-label="Table of contents">
<label class="md-nav__title" for="__toc">
<span class="md-nav__icon md-icon"></span>
Table of contents
</label>
<ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
<li class="md-nav__item">
<a href="#commands" class="md-nav__link">
<span class="md-ellipsis">
Commands
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#flags" class="md-nav__link">
<span class="md-ellipsis">
Flags
</span>
</a>
<nav class="md-nav" aria-label="Flags">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#examples" class="md-nav__link">
<span class="md-ellipsis">
Examples
</span>
</a>
<nav class="md-nav" aria-label="Examples">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#report-kube-bench-findings-to-aws-security-hub" class="md-nav__link">
<span class="md-ellipsis">
Report kube-bench findings to AWS Security Hub
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#specifying-the-benchmark-or-kubernetes-version" class="md-nav__link">
<span class="md-ellipsis">
Specifying the benchmark or Kubernetes version
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#specifying-benchmark-sections" class="md-nav__link">
<span class="md-ellipsis">
Specifying Benchmark sections
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#run-specific-check-or-group" class="md-nav__link">
<span class="md-ellipsis">
Run specific check or group
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#skip-specific-check-or-group" class="md-nav__link">
<span class="md-ellipsis">
Skip specific check or group
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#exit-code" class="md-nav__link">
<span class="md-ellipsis">
Exit code
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#output-manipulation-flags" class="md-nav__link">
<span class="md-ellipsis">
Output manipulation flags
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#troubleshooting" class="md-nav__link">
<span class="md-ellipsis">
Troubleshooting
</span>
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_4" >
<label class="md-nav__link" for="__nav_4" id="__nav_4_label" tabindex="0">
<span class="md-ellipsis">
Configuration Options
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_4_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_4">
<span class="md-nav__icon md-icon"></span>
Configuration Options
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../controls/" class="md-nav__link">
<span class="md-ellipsis">
Understanding the yamls
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../architecture/" class="md-nav__link">
<span class="md-ellipsis">
Architecture
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="../CONTRIBUTING.md" class="md-nav__link">
<span class="md-ellipsis">
Contributing
</span>
</a>
</li>
</ul>
</nav>
</div>
</div>
</div>
<div class="md-sidebar md-sidebar--secondary" data-md-component="sidebar" data-md-type="toc" >
<div class="md-sidebar__scrollwrap">
<div class="md-sidebar__inner">
<nav class="md-nav md-nav--secondary" aria-label="Table of contents">
<label class="md-nav__title" for="__toc">
<span class="md-nav__icon md-icon"></span>
Table of contents
</label>
<ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
<li class="md-nav__item">
<a href="#commands" class="md-nav__link">
<span class="md-ellipsis">
Commands
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#flags" class="md-nav__link">
<span class="md-ellipsis">
Flags
</span>
</a>
<nav class="md-nav" aria-label="Flags">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#examples" class="md-nav__link">
<span class="md-ellipsis">
Examples
</span>
</a>
<nav class="md-nav" aria-label="Examples">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#report-kube-bench-findings-to-aws-security-hub" class="md-nav__link">
<span class="md-ellipsis">
Report kube-bench findings to AWS Security Hub
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#specifying-the-benchmark-or-kubernetes-version" class="md-nav__link">
<span class="md-ellipsis">
Specifying the benchmark or Kubernetes version
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#specifying-benchmark-sections" class="md-nav__link">
<span class="md-ellipsis">
Specifying Benchmark sections
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#run-specific-check-or-group" class="md-nav__link">
<span class="md-ellipsis">
Run specific check or group
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#skip-specific-check-or-group" class="md-nav__link">
<span class="md-ellipsis">
Skip specific check or group
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#exit-code" class="md-nav__link">
<span class="md-ellipsis">
Exit code
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#output-manipulation-flags" class="md-nav__link">
<span class="md-ellipsis">
Output manipulation flags
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#troubleshooting" class="md-nav__link">
<span class="md-ellipsis">
Troubleshooting
</span>
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</div>
</div>
</div>
<div class="md-content" data-md-component="content">
<article class="md-content__inner md-typeset">
<h1>Flags</h1>
<h2 id="commands">Commands</h2>
<table>
<thead>
<tr>
<th>Command</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>help</td>
<td>Prints help about any command</td>
</tr>
<tr>
<td>run</td>
<td>List of components to run</td>
</tr>
<tr>
<td>version</td>
<td>Print kube-bench version</td>
</tr>
</tbody>
</table>
<h2 id="flags">Flags</h2>
<table>
<thead>
<tr>
<th>Flag</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>--alsologtostderr</td>
<td>log to standard error as well as files</td>
</tr>
<tr>
<td>--asff</td>
<td>Send findings to AWS Security Hub for any benchmark tests that fail or that generate a warning. See <a href="../asff/">this page</a> for more information on how to enable the kube-bench integration with AWS Security Hub.</td>
</tr>
<tr>
<td>--benchmark</td>
<td>Manually specify CIS benchmark version</td>
</tr>
<tr>
<td>-c, --check</td>
<td>A comma-delimited list of checks to run as specified in Benchmark document.</td>
</tr>
<tr>
<td>--config</td>
<td>config file (default is ./cfg/config.yaml)</td>
</tr>
<tr>
<td>--exit-code</td>
<td>Specify the exit code for when checks fail</td>
</tr>
<tr>
<td>--group</td>
<td>Run all the checks under this comma-delimited list of groups.</td>
</tr>
<tr>
<td>--include-test-output</td>
<td>Prints the actual result when test fails.</td>
</tr>
<tr>
<td>--json</td>
<td>Prints the results as JSON</td>
</tr>
<tr>
<td>--junit</td>
<td>Prints the results as JUnit</td>
</tr>
<tr>
<td>--log_backtrace_at traceLocation</td>
<td>when logging hits line file:N, emit a stack trace (default :0)</td>
</tr>
<tr>
<td>--logtostderr</td>
<td>log to standard error instead of files</td>
</tr>
<tr>
<td>--noremediations</td>
<td>Disable printing of remediations section to stdout.</td>
</tr>
<tr>
<td>--noresults</td>
<td>Disable printing of results section to stdout.</td>
</tr>
<tr>
<td>--nototals</td>
<td>Disable calculating and printing of totals for failed, passed, ... checks across all sections</td>
</tr>
<tr>
<td>--outputfile</td>
<td>Writes the results to output file when run with --json or --junit</td>
</tr>
<tr>
<td>--pgsql</td>
<td>Save the results to PostgreSQL</td>
</tr>
<tr>
<td>--scored</td>
<td>Run the scored CIS checks (default true)</td>
</tr>
<tr>
<td>--skip string</td>
<td>List of comma separated values of checks to be skipped</td>
</tr>
<tr>
<td>--stderrthreshold severity</td>
<td>logs at or above this threshold go to stderr (default 2)</td>
</tr>
<tr>
<td>-v, --v Level</td>
<td>log level for V logs (default 0)</td>
</tr>
<tr>
<td>--unscored</td>
<td>Run the unscored CIS checks (default true)</td>
</tr>
<tr>
<td>--version string</td>
<td>Manually specify Kubernetes version, automatically detected if unset</td>
</tr>
<tr>
<td>--vmodule moduleSpec</td>
<td>comma-separated list of pattern=N settings for file-filtered logging</td>
</tr>
</tbody>
</table>
<h3 id="examples">Examples</h3>
<h4 id="report-kube-bench-findings-to-aws-security-hub">Report kube-bench findings to AWS Security Hub</h4>
<p>You can configure kube-bench with the <code>--asff</code> option to send findings to AWS Security Hub for any benchmark tests that fail or that generate a warning. See <a href="../asff/">this page</a> for more information on how to enable the kube-bench integration with AWS Security Hub.</p>
<h4 id="specifying-the-benchmark-or-kubernetes-version">Specifying the benchmark or Kubernetes version</h4>
<p><code>kube-bench</code> uses the Kubernetes API, or access to the <code>kubectl</code> or <code>kubelet</code> executables to try to determine the Kubernetes version, and hence which benchmark to run. If you wish to override this, or if none of these methods are available, you can specify either the Kubernetes version or CIS Benchmark as a command line parameter. </p>
<p>You can specify a particular version of Kubernetes by setting the <code>--version</code> flag or with the <code>KUBE_BENCH_VERSION</code> environment variable. The value of <code>--version</code> takes precedence over the value of <code>KUBE_BENCH_VERSION</code>.</p>
<p>For example, run kube-bench using the tests for Kubernetes version 1.13:</p>
<div class="highlight"><pre><span></span><code>kube-bench --version 1.13
</code></pre></div>
<p>You can specify <code>--benchmark</code> to run a specific CIS Benchmark version:</p>
<div class="highlight"><pre><span></span><code>kube-bench --benchmark cis-1.5
</code></pre></div>
<p><strong>Note:</strong> It is an error to specify the <code>--version</code> and <code>--benchmark</code> flags together.</p>
<h4 id="specifying-benchmark-sections">Specifying Benchmark sections</h4>
<p>If you want to run specific CIS Benchmark sections (e.g. master, node, etcd)
you can use the <code>run</code> subcommand with its <code>--targets</code> flag.</p>
<div class="highlight"><pre><span></span><code>kube-bench run --targets master,node
</code></pre></div>
<p>or</p>
<div class="highlight"><pre><span></span><code>kube-bench run --targets master,node,etcd,policies
</code></pre></div>
<p>If no targets are specified, <code>kube-bench</code> will determine the appropriate targets based on the CIS Benchmark version and the components detected on the node. The detection is done by verifying which components are running, as defined in the config files (see <a href="../controls/#configuration-and-variables">Configuration</a>).</p>
<h4 id="run-specific-check-or-group">Run specific check or group</h4>
<p><code>kube-bench</code> supports running individual checks by specifying the check's <code>id</code>
as a comma-delimited list on the command line with the <code>--check</code> | <code>-c</code> flag.
<code>kube-bench --check="1.1.1,1.1.2,1.2.1,1.3.3"</code></p>
<p><code>kube-bench</code> supports running all checks under a group by specifying the group's <code>id</code>
as a comma-delimited list on the command line with the <code>--group</code> | <code>-g</code> flag.
<code>kube-bench --group="1.1,2.2"</code>
will run all checks 1.1.X and 2.2.X.</p>
<h4 id="skip-specific-check-or-group">Skip specific check or group</h4>
<p><code>kube-bench</code> supports skipping checks or groups by specifying the <code>id</code>
as a comma-delimited list on the command line with the <code>--skip</code> flag.
<code>kube-bench --skip="1.1,1.2.1,1.3.3"</code>
will skip the 1.1.X group and the individual checks 1.2.1 and 1.3.3.
Skipped checks return [INFO] output.</p>
<h4 id="exit-code">Exit code</h4>
<p><code>kube-bench</code> supports using a unique exit code when one or more checks fail.
<code>kube-bench --exit-code 42</code>
will return 42 if one or more checks failed, and 0 if none failed.
<strong>Note:</strong> [WARN] is not [FAIL], so warnings alone do not produce this exit code.</p>
<h4 id="output-manipulation-flags">Output manipulation flags</h4>
<p>There are four output states:</p>
<ul>
<li>[PASS] indicates that the test was run successfully, and passed.</li>
<li>[FAIL] indicates that the test was run successfully, and failed. The remediation output describes how to correct the configuration, or includes an error message describing why the test could not be run.</li>
<li>[WARN] means this test needs further attention, for example it is a test that needs to be run manually. Check the remediation output for further information.</li>
<li>[INFO] is informational output that needs no further action.</li>
</ul>
<p>Note:</p>
<ul>
<li>Some tests with <code>Automated</code> in their description must still be run manually.</li>
<li>If the user has to run a test manually, this always generates WARN.</li>
<li>If the test is Scored, and kube-bench was unable to run the test, this generates FAIL (because the test has not been passed, and as a Scored test, if it doesn't pass then it must be considered a failure).</li>
<li>If the test is Not Scored, and kube-bench was unable to run the test, this generates WARN.</li>
<li>If the test is Scored, type is empty, and there are no <code>test_items</code> present, it generates a WARN. This is to highlight tests that appear to be incompletely defined.</li>
</ul>
<p><code>kube-bench</code> supports multiple output manipulation flags.
<code>kube-bench --include-test-output</code> will print the output of failing checks in the results section:</p>
<div class="highlight"><pre><span></span><code>[INFO] 1 Master Node Security Configuration
[INFO] 1.1 Master Node Configuration Files
[FAIL] 1.1.1 Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Automated)
**permissions=777**
</code></pre></div>
<p><strong>Note:</strong> <code>--noresults</code>, <code>--noremediations</code> and <code>--include-test-output</code> <strong>will not</strong> affect the JSON output, only stdout.
Only <code>--nototals</code> will affect the JSON output, because with it the function that calculates totals is not called.</p>
<h4 id="troubleshooting">Troubleshooting</h4>
<p>Running <code>kube-bench</code> with the <code>-v 3</code> parameter will generate debug logs that can be very helpful for debugging problems.</p>
<p>If you are using one of the example <code>job*.yaml</code> files, you will need to edit the <code>command</code> field, for example <code>["kube-bench", "-v", "3"]</code>. Once the job has run, the logs can be retrieved using <code>kubectl logs</code> on the job's pod.</p>
</article>
</div>
<!--
  Looks up the element whose id equals the URL fragment (location.hash without "#").
  If that element exists and has a name, its checked property is set to whether the
  name starts with "__tabbed_" (true for such names, false for any other name).
  The fragment is used only for the id lookup; it is never written into the page.
-->
<script>var target=document.getElementById(location.hash.slice(1));target&&target.name&&(target.checked=target.name.startsWith("__tabbed_"))</script>
</div>
</main>
<footer class="md-footer">
<div class="md-footer-meta md-typeset">
<div class="md-footer-meta__inner md-grid">
<div class="md-copyright">
</div>
</div>
</div>
</footer>
</div>
<div class="md-dialog" data-md-component="dialog">
<div class="md-dialog__inner md-typeset"></div>
</div>
<script id="__config" type="application/json">{"base": "..", "features": [], "search": "../assets/javascripts/workers/search.6c7302c4.min.js", "translations": {"clipboard.copied": "Copied to clipboard", "clipboard.copy": "Copy to clipboard", "search.result.more.one": "1 more on this page", "search.result.more.other": "# more on this page", "search.result.none": "No matching documents", "search.result.one": "1 matching document", "search.result.other": "# matching documents", "search.result.placeholder": "Type to start searching", "search.result.term.missing": "Missing", "select.version": "Select version"}, "version": {"method": "mike", "provider": "mike"}}</script>
<script src="../assets/javascripts/bundle.10c6cd24.min.js"></script>
</body>
</html>