EKS instructions to use a ConfigMap rather than bake in config

[mkandelaars]

The new integration for kube-bench with AWS Security Hub and EKS is great, and I have some suggestions for improvement on the documentation. Specifically around the recommendations here to edit the cfg/eks-1.0/config.yaml and bake in AWS account information directly to the container image.

This is fine on a single cluster environment, but doesn't scale well for multiple clusters using a shared container repository.
An alternative would be to store this cluster specific content in a ConfigMap (example below), and mount this as a Volume in the Job spec to insert the configuration. This allows the same container image to be used across multiple clusters. I've validated this and it works well.

No core code changes, but perhaps it would be good to create a separate job-eks-asff.yaml file as well which creates the ConfigMap and has the volumeMounts added in for ease of use.

I'm happy to do some rewording of the documentation and make a PR, but wanted to raise it as an issue first to see if others agree. :) 

Suggested new job-eks-asff.yaml file...

apiVersion: v1
kind: ConfigMap
metadata:
  name: kube-bench-eks-config
data:
  config.yaml: |
    AWS_ACCOUNT: "<account_id>"
    AWS_REGION: "<region>"
    CLUSTER_ARN: "<cluster_arn>"

---

apiVersion: batch/v1
kind: Job
metadata:
  name: kube-bench
spec:
  template:
    spec:
      hostPID: true
      containers:
        - name: kube-bench
        - name: kube-bench
          # Push the image to your ECR and then refer to it here
          image: <ID.dkr.ecr.region.amazonaws.com/aquasec/kube-bench:ref>
          command: ["kube-bench", "node", "--benchmark", "eks-1.0", "--asff"]
          volumeMounts:
            - name: var-lib-kubelet
              mountPath: /var/lib/kubelet
              readOnly: true
            - name: etc-systemd
              mountPath: /etc/systemd
              readOnly: true
            - name: etc-kubernetes
              mountPath: /etc/kubernetes
              readOnly: true
            - name: kube-bench-eks-config
              mountPath: "/opt/kube-bench/cfg/eks-1.0/config.yaml"
              subPath: config.yaml
              readOnly: true
      restartPolicy: Never
      volumes:
        - name: var-lib-kubelet
          hostPath:
            path: "/var/lib/kubelet"
        - name: etc-systemd
          hostPath:
            path: "/etc/systemd"
        - name: etc-kubernetes
          hostPath:
            path: "/etc/kubernetes"
        - name: kube-bench-eks-config
          configMap:
            name: kube-bench-eks-config
            items:
            - key: config.yaml
              path: config.yaml

[ismailyenigul]

Hi @mkandelaars

Did you test your configmap solution in EKS? Is it working fine?

[dulltz]

It worked correctly in my environment.

[lizrice]

Merged in #794 - we now have a job for running on EKS and submitting the report to Security Hub. Thank you for this @mkandelaars!