diff --git a/Dockerfile b/Dockerfile
index 10f16761ba75a39997c17372c1a3707496f20aca..0a0fbad8ba902d4ea7940d1411e923e607c11cce 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,13 +1,22 @@
-FROM golang:1.9
-WORKDIR /kube-bench
-RUN go get github.com/aquasecurity/kube-bench
+FROM golang:1.9 AS build
+WORKDIR /go/src/github.com/aquasecurity/kube-bench/
+ADD glide.lock glide.yaml ./
+RUN go get github.com/Masterminds/glide && glide install
+ADD main.go .
+ADD check/ check/
+ADD cmd/ cmd/
+RUN CGO_ENABLED=0 go install -a -ldflags '-w'
 
-FROM alpine:latest
-WORKDIR /
-COPY --from=0 /go/bin/kube-bench /kube-bench
-COPY --from=0 /go/src/github.com/aquasecurity/kube-bench/cfg /cfg
-COPY --from=0 /go/src/github.com/aquasecurity/kube-bench/entrypoint.sh /entrypoint.sh
-ENTRYPOINT /entrypoint.sh
+FROM alpine:3.7 AS run
+WORKDIR /opt/kube-bench/
+# add GNU ps for -C, -o cmd, and --no-headers support
+# https://github.com/aquasecurity/kube-bench/issues/109
+RUN apk --no-cache add procps
+COPY --from=build /go/bin/kube-bench /usr/local/bin/kube-bench
+ADD entrypoint.sh .
+ADD cfg/ cfg/
+ENTRYPOINT ["./entrypoint.sh"]
+CMD ["install"]
 
 # Build-time metadata as defined at http://label-schema.org
 ARG BUILD_DATE
diff --git a/README.md b/README.md
index 8044422dad1c9a68543bec47f104441c58a7c4bb..45211837e8bb7372c67d6bd2ba5c9ebf81bfae72 100644
--- a/README.md
+++ b/README.md
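Review bot: `RUN go get github.com/Masterminds/glide && glide install` in the build stage pulls glide from its default branch with no version pin and no checksum, so the tool that interprets glide.lock is itself an unpinned, unverified download and two builds from identical sources can differ; check out a fixed release tag of glide before `go install` (or fetch a released binary and verify its sha256) and record that version in a comment next to the line. The local-file `ADD` instructions (`ADD glide.lock glide.yaml ./`, `ADD main.go .`, `ADD check/ check/`, `ADD cmd/ cmd/`, `ADD entrypoint.sh .`, `ADD cfg/ cfg/`) should be `COPY`, since none of them needs tar extraction or URL fetching and `ADD` has surprising behaviour with archives. `RUN apk --no-cache add procps` is unpinned as well; `apk --no-cache add procps=<version>` keeps the run stage reproducible against the already pinned `alpine:3.7`. The run stage has no `USER` and therefore executes as root; kube-bench presumably needs root to read kubelet/apiserver config files and host process info under `--pid=host`, so if that is the reason, state it in a comment above `ENTRYPOINT` rather than leaving the choice implicit.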
@@ -19,10 +19,31 @@ kube-bench supports the tests for multiple versions of Kubernetes (1.6, 1.7 and
 You can either install kube-bench through a dedicated container, or compile it from source:
-1. Container installation:
-Run ```docker run --rm -v `pwd`:/host aquasec/kube-bench:latest```. This will copy the kube-bench binary and configuration to you host. You can then run ```./kube-bench <master|node>```.
+### Running inside a container
+
+You can avoid installing kube-bench entirely by running it inside a container using the host PID namespace.
+
+```
+docker run --pid=host aquasec/kube-bench:latest <master|node>
+```
+
+You can even use your own configs by mounting them over the default ones in `/opt/kube-bench/cfg/`
+
+```
+docker run --pid=host -v path/to/my-config.yaml:/opt/kube-bench/cfg/config.yaml aquasec/kube-bench:latest <master|node>
+```
+
+### Installing from a container
+
+If you want to install a pre-built kube-bench, you can copy the kube-bench binary and configuration files to your host from the Docker container:
+```
+docker run --rm -v `pwd`:/host aquasec/kube-bench:latest install
+```
+
+You can then run `./kube-bench <master|node>`. This should work for any Linux distribution, including Alpine.
+
+### Installing from sources
-2. Install from sources:
 If Go is installed on the target machines, you can simply clone this repository and run as follows (assuming your [$GOPATH is set](https://github.com/golang/go/wiki/GOPATH)):
 ```go get github.com/aquasecurity/kube-bench
diff --git a/entrypoint.sh b/entrypoint.sh
index ad28fbff317edda608e53e040f37eb7b51ddecf7..43420e0b38705b39688cbbaef0f1a35e7858ff5a 100755
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -1,14 +1,19 @@
 #!/bin/sh
-if [ -d /host ]; then
-  mkdir -p /host/cfg/
-  yes | cp -rf /cfg/* /host/cfg/
-  yes | cp -rf /kube-bench /host/
-  echo "==============================================="
-  echo "kube-bench is now installed on your host "
-  echo "Run ./kube-bench to perform a security check "
-  echo "==============================================="
+if [ "$1" == "install" ]; then
+  if [ -d /host ]; then
+    mkdir -p /host/cfg/
+    yes | cp -rf /cfg/* /host/cfg/
+    yes | cp -rf /kube-bench /host/
+    echo "==============================================="
+    echo "kube-bench is now installed on your host "
+    echo "Run ./kube-bench to perform a security check "
+    echo "==============================================="
+  else
+    echo "Usage:"
+    echo "  install: docker run --rm -v \`pwd\`:/host aquasec/kube-bench install"
+    echo "  run: docker run --rm --pid=host aquasec/kube-bench [command]"
+    exit
+  fi
 else
-  echo "Usage:"
-  echo "  docker run --rm -v \`pwd\`:/host aquasec/kube-bench"
-  exit
+  exec kube-bench "$@"
 fi
diff --git a/hooks/build b/hooks/build
old mode 100644
new mode 100755
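Review bot: The new `install` branch still copies from `/cfg/*` and `/kube-bench`, but the Dockerfile in this same commit puts the config under `/opt/kube-bench/cfg/` and the binary at `/usr/local/bin/kube-bench`, so both `cp` calls fail and, because the script has no `set -e`, it goes on to print "kube-bench is now installed on your host" anyway. The copy lines should read `yes | cp -rf /opt/kube-bench/cfg/* /host/cfg/` and `yes | cp -rf /usr/local/bin/kube-bench /host/`, with `set -e` added after the shebang so a failed copy aborts with a non-zero exit instead of a false success banner. `[ "$1" == "install" ]` depends on the busybox/bash `==` extension under `#!/bin/sh`; the portable test is `[ "$1" = "install" ]`. The usage message's `run:` example omits the `-v`/`--pid=host` caveat that the binary reads host config files, which is worth a one-line comment above the `exec` so operators know why `--pid=host` alone may not be enough; I have not verified which host paths kube-bench reads.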