kube-bench installation on OpenShift 3.11

[adshafqat]

When I try to run kube-bench in OpenShift, the container creation failed and I see this error

Error: failed to start container "kube-bench": Error response from daemon: oci runtime error: container_linux.go:235: starting container process caused "exec: "kube-bench": executable file not found in $PATH"

Any idea what could be the reason of this issue?

Below you can find the content of job.yaml file

apiVersion: batch/v1
kind: Job
metadata:
name: kube-bench
spec:
template:
metadata:
labels:
app: kube-bench
spec:
hostPID: true
containers:
- name: kube-bench
image: docker-registry.default.svc:5000/openshift/kube-bench:latest
command: ["kube-bench"]
volumeMounts:
- name: var-lib-etcd
mountPath: /var/lib/etcd
readOnly: true
- name: var-lib-kubelet
mountPath: /var/lib/kubelet
readOnly: true
- name: etc-systemd
mountPath: /etc/systemd
readOnly: true
- name: etc-kubernetes
mountPath: /etc/kubernetes
readOnly: true
- name: usr-bin
mountPath: /usr/local/mount-from-host/bin
readOnly: true
restartPolicy: Never
nodeSelector:
node-role.kubernetes.io/master: 'true'
volumes:
- name: var-lib-etcd
hostPath:
path: "/var/lib/etcd"
- name: var-lib-kubelet
hostPath:
path: "/var/lib/kubelet"
- name: etc-systemd
hostPath:
path: "/etc/systemd"
- name: etc-kubernetes
hostPath:
path: "/etc/kubernetes"
- name: usr-bin
hostPath:
path: "/usr/bin"

[mozillazg]

image: docker-registry.default.svc:5000/openshift/kube-bench:latest

Could you show me the content of Dockerfile? And what is the CPU arch of your OpenShift cluster?

[adshafqat]

I downloaded the image from Docker hub and uploaded it in my local registry. This is not a custom image. I am running the job on 3.11 Master node which is a 64 bit RHEL vSphere VM

[mozillazg]

Please change command: ["kube-bench"] to command: ["/usr/local/bin/kube-bench"] then apply the new job yaml.

If it still has error, change command: ["kube-bench"] to command: ["sleep", "1024"] and apply the new yaml then into the new pod container via kubectl exec -it <pod_name> sh, check results of blow commands in the container:

• echo $PATH
• ls /usr/local/bin/kube-bench

[adshafqat]

I changed value to command: ["/usr/local/bin/kube-bench"] and it didn't work

Error: failed to start container "kube-bench": Error response from daemon: oci runtime error: container_linux.go:235: starting container process caused "exec: "/usr/local/bin/kube-bench": stat /usr/local/bin/kube-bench: no such file or directory"

When I change command to command: ["sleep", "1024"], I see this

[root@dvraosmsw01 kube-bench]# oc get pods
NAME READY STATUS RESTARTS AGE
kube-bench-qmh9v 1/1 Running 0 1m
[root@dvraosmsw01 kube-bench]# kubectl exec -it kube-bench-qmh9v sh
sh-4.2# echo $PATH
/:/bin:/usr/bin:/usr/local/bin
sh-4.2# ls /usr/local/bin/kube-bench
ls: cannot access /usr/local/bin/kube-bench: No such file or directory
sh-4.2#

[mozillazg]

@adshafqat Looks like you didn't use the latest version of kube-bench. Here is my test for kube-bench image:

$ docker pull aquasec/kube-bench:latest
latest: Pulling from aquasec/kube-bench
Digest: sha256:a70d4fae1d6979bc4fa6f6c687ecefed260a0b245b26256cbe42379862f6db51
Status: Image is up to date for aquasec/kube-bench:latest
docker.io/aquasec/kube-bench:latest

$ docker run --rm -it --entrypoint sh  aquasec/kube-bench:latest
WARNING: IPv4 forwarding is disabled. Networking will not work.
/opt/kube-bench # echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/mount-from-host/bin
/opt/kube-bench # ls /usr/local/bin/kube-bench
/usr/local/bin/kube-bench

I downloaded the image from Docker hub and uploaded it in my local registry. This is not a custom image.

Could you try downloading the docker.io/aquasec/kube-bench:latest image then upload it to your local registry and try again?