From af7ad90477a18f31d56d94d82d16ef6e776651d0 Mon Sep 17 00:00:00 2001
From: Colin GILLE <congelli501@gmail.com>
Date: Mon, 31 Dec 2018 16:39:31 +0100
Subject: [PATCH] Advise the user to mount /etc & /var read only for docker
 usage

---
 README.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index 6309426..d590d12 100644
--- a/README.md
+++ b/README.md
@@ -28,13 +28,13 @@ You can choose to
 You can avoid installing kube-bench on the host by running it inside a container using the host PID namespace and mounting the `/etc` and `/var` directories where the configuration and other files are located on the host, so that kube-bench can check their existence and permissions.
 
 ```
-docker run --pid=host -v /etc:/etc -v /var:/var -t aquasec/kube-bench:latest <master|node>
+docker run --pid=host -v /etc:/etc:ro -v /var:/var:ro -t aquasec/kube-bench:latest <master|node>
 ```
 
 You can even use your own configs by mounting them over the default ones in `/opt/kube-bench/cfg/`
 
 ```
-docker run --pid=host -v /etc:/etc -v /var:/var -t -v path/to/my-config.yaml:/opt/kube-bench/cfg/config.yaml aquasec/kube-bench:latest <master|node>
+docker run --pid=host -v /etc:/etc:ro -v /var:/var:ro -t -v path/to/my-config.yaml:/opt/kube-bench/cfg/config.yaml aquasec/kube-bench:latest <master|node>
 ```
 
 > Note: the tests require either the kubelet or kubectl binary in the path in order to know the Kubernetes version. You can pass `-v $(which kubectl):/usr/bin/kubectl` to the above invocations to resolve this.
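Review bot: In the second command, the `-v path/to/my-config.yaml:/opt/kube-bench/cfg/config.yaml` mount is still read-write, and so is the `-v $(which kubectl):/usr/bin/kubectl` mount suggested in the Note at the end of the hunk. Since the change is meant to advise read-only mounts, append `:ro` to both so the container cannot modify the host's config file or kubectl binary. The paragraph above the first command could also state that `/etc` and `/var` are mounted read-only because kube-bench only checks the existence and permissions of the files, so readers adapting the command keep the suffix.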
-- 
GitLab