spotcoastal.blogg.se

Cis benchmark for aws eks

By default kube-bench attempts to auto-detect the running version of Kubernetes and map it to the corresponding CIS Benchmark version. For example, Kubernetes version 1.15 is mapped to CIS Benchmark version cis-1.15, which is the benchmark version valid for Kubernetes 1.15.

kube-bench also attempts to identify the components running on the node and uses this to determine which tests to run (for example, only running the master node tests if the node is running an API server).

It is impossible to inspect the master nodes of managed clusters, e.g. GKE, EKS, AKS and ACK, using kube-bench, as one does not have access to such nodes, although it is still possible to use kube-bench to check worker node configuration in these environments.

If you run kube-bench directly from the command line you may need to be root / sudo to have access to all the config files.

You can avoid installing kube-bench on the host by running it inside a container using the host PID namespace and mounting the /etc and /var directories where the configuration and other files are located on the host, so that kube-bench can check their existence and permissions. After applying the job, the pod first shows up as creating:

kube-bench-j76s9   0/1   ContainerCreating   0   3s

# Wait for a few seconds for the job to complete

To run tests on the master node, the pod needs to be scheduled on that node. This involves setting a nodeSelector and tolerations in the pod spec. The default labels applied to master nodes have changed since Kubernetes 1.11, so if you are using an older version you may need to modify the nodeSelector and tolerations to run the job on the master node.

Running in an AKS cluster

Create an AKS cluster (e.g. 1.13.7) with RBAC enabled, otherwise there would be 4 failures. Use the kubectl-enter plugin to shell into a node; alternatively, open port 22 in the NSG and assign a public IP to one agent node (only for testing purposes).

For EKS, log Docker in to your ECR registry, then push the kube-bench image there:

aws ecr get-login-password --region <aws_region> | docker login --username AWS --password-stdin <aws_account_id>.dkr.ecr.<aws_region>.amazonaws.com

Copy the URI of your pushed image; the URI format is like this.
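A pod spec that does what the container-based and master-node paragraphs above describe (host PID namespace, host configuration directories mounted read-only, and the nodeSelector plus tolerations needed to land the job on a control-plane node), as an added example written for this page; it is not the kube-bench project's own job.yaml. The image name, the exact host paths mounted, the kube-bench run --targets invocation, and the control-plane label/taint key (node-role.kubernetes.io/control-plane) are assumptions; on clusters whose control-plane nodes carry a different label, such as node-role.kubernetes.io/master on older releases, set CONTROL_PLANE_LABEL accordingly.

```shell
#!/bin/sh
# Added example (not from the kube-bench project): render a Kubernetes Job that
# runs kube-bench from a container against the host it is scheduled on.
# Assumptions (not taken from the page): the image name, the mount list, the
# "kube-bench run --targets" invocation and the control-plane label/taint key.

KUBE_BENCH_IMAGE="${KUBE_BENCH_IMAGE:-docker.io/aquasec/kube-bench:latest}"   # assumed image
CONTROL_PLANE_LABEL="${CONTROL_PLANE_LABEL:-node-role.kubernetes.io/control-plane}"  # assumed label/taint key

# render_kube_bench_job TARGET
#   TARGET is "node" (worker checks; the only option on managed clusters such
#   as EKS, where control-plane nodes are not reachable) or "master"
#   (adds the nodeSelector/tolerations that pin the pod to a control-plane node).
render_kube_bench_job() {
    target="$1"
    case "$target" in
        node|master) ;;
        *) echo "usage: render_kube_bench_job node|master" >&2; return 2 ;;
    esac
    cat <<EOF
apiVersion: batch/v1
kind: Job
metadata:
  name: kube-bench-$target
spec:
  template:
    spec:
      # Share the host PID namespace so kube-bench can inspect kubelet/apiserver
      # processes and the flags they were started with.
      hostPID: true
      restartPolicy: Never
      containers:
        - name: kube-bench
          image: $KUBE_BENCH_IMAGE
          command: ["kube-bench", "run", "--targets", "$target"]
          # Host config directories (assumed paths) mounted read-only: kube-bench
          # only needs to check that files exist and what permissions they carry.
          volumeMounts:
            - name: var-lib-kubelet
              mountPath: /var/lib/kubelet
              readOnly: true
            - name: etc-systemd
              mountPath: /etc/systemd
              readOnly: true
            - name: etc-kubernetes
              mountPath: /etc/kubernetes
              readOnly: true
      volumes:
        - name: var-lib-kubelet
          hostPath: { path: /var/lib/kubelet }
        - name: etc-systemd
          hostPath: { path: /etc/systemd }
        - name: etc-kubernetes
          hostPath: { path: /etc/kubernetes }
EOF
    # Control-plane nodes are normally tainted, so the master variant needs both
    # a nodeSelector (to pick the node) and a toleration (to be allowed onto it).
    if [ "$target" = master ]; then
        cat <<EOF
      nodeSelector:
        $CONTROL_PLANE_LABEL: ""
      tolerations:
        - key: $CONTROL_PLANE_LABEL
          operator: Exists
          effect: NoSchedule
EOF
    fi
}

# Typical use: render_kube_bench_job node | kubectl apply -f -
#              kubectl logs job/kube-bench-node
```

On EKS, AKS, GKE and ACK only the node variant is meaningful, since the control-plane nodes cannot be reached from the cluster; when the image has been pushed to ECR, point KUBE_BENCH_IMAGE at the pushed image URI before rendering the job.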