Run kube-bench outside the cluster as a standalone using CLI and Kubeconfig?

[saisatishkarra]

Discussed in #712

I am trying to check and run kube-bench as a standalone process outside the k8s cluster by leveraging the kubeconfig file accessible to provide cluster context.

The goal is NOT to use /install the trivy-operator / run kube-bench as a job / pod within the cluster as k8s workload.

Q&A:

Is it possible (Supported / Unsupported) to run kube-bench as a standalone CLI scan targeting clusters in kubeconfig?
If supported, is there a list of RBAC access rules needed to achieve this?
If supported, How can kube-bench running as standalone target specific nodes within cluster for node CIS benchmarks as there is no way to specifying the mount paths to a standalone CLI leveraging kubeconfig?

### Tasks

[mozillazg]

@saisatishkarra It is Unsupported to run kube-bench as a standalone CLI scan targeting clusters in kubeconfig. As you say, we can not scan files on a node without running on the node. If you don't want to create a pod, you can use ssh to copy and run kube-bench on the remote node.

[saisatishkarra]

@mozillazg Thanks for clarifying. Is there any plan to use a common interface for kube-bench and support something similar to trivy k8s cluster --compliaance <> --disable-node-collector which seems to use kubeconfig and can be run as standalone. This probably skips a few checks that might not be supported unless run as a pod. However, it provides a graceful execution path to instead of failing to run completely.

[mozillazg]

We don't have a plan to support it. #1432 (comment)