Update kube bench test cases to latest dev
[functest-kubernetes.git] / functest_kubernetes / security / kube-bench-node.yaml
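---
# Kubernetes Job that runs kube-bench once against the "node" target and
# prints the results as JSON (--json).
#
# NOTE(review): the image value holds a {{ dockerhub_repo }} placeholder, so
# this file is presumably rendered by a template engine before it is parsed
# as YAML - confirm against the loader.
#
# The pod shares the host PID namespace and mounts host directories through
# hostPath. The Pod Security "baseline" and "restricted" profiles reject both,
# so the Job needs a namespace that allows them. Keep that namespace reserved
# for this test and limit who may create Jobs in it.
apiVersion: batch/v1
kind: Job
metadata:
  name: kube-bench-node
spec:
  template:
    spec:
      # Shares the node's PID namespace with the container, so every host
      # process is visible to it. Presumably kube-bench needs this to find
      # the running Kubernetes components - verify against upstream docs.
      hostPID: true
      containers:
        - name: kube-bench
          # Quoted so the value stays a string whatever the placeholder
          # expands to, and so a YAML parser reading the unrendered file does
          # not take the leading "{{" for a flow mapping.
          # NOTE(review): ":latest" is a mutable tag. The image that runs with
          # host PID access and host mounts can change between runs, and the
          # benchmark results are not reproducible. Pin a released tag or an
          # image digest where the test allows it.
          image: "{{ dockerhub_repo }}/aquasec/kube-bench:latest"
          command: ["kube-bench", "run", "--targets", "node", "--json"]
          # Every host directory below is mounted read-only. That stops the
          # container from changing node files, but it can still read them:
          # /var/lib/etcd and /etc/kubernetes typically hold cluster state and
          # credentials.
          volumeMounts:
            - name: var-lib-etcd
              mountPath: /var/lib/etcd
              readOnly: true
            - name: var-lib-kubelet
              mountPath: /var/lib/kubelet
              readOnly: true
            - name: var-lib-kube-scheduler
              mountPath: /var/lib/kube-scheduler
              readOnly: true
            - name: var-lib-kube-controller-manager
              mountPath: /var/lib/kube-controller-manager
              readOnly: true
            - name: etc-systemd
              mountPath: /etc/systemd
              readOnly: true
            - name: lib-systemd
              mountPath: /lib/systemd/
              readOnly: true
            - name: srv-kubernetes
              mountPath: /srv/kubernetes/
              readOnly: true
            - name: etc-kubernetes
              mountPath: /etc/kubernetes
              readOnly: true
            # /usr/local/mount-from-host/bin is mounted to access kubectl /
            # kubelet, for auto-detecting the Kubernetes version. You can omit
            # this mount if you specify --version as part of the command.
            - name: usr-bin
              mountPath: /usr/local/mount-from-host/bin
              readOnly: true
            - name: etc-cni-netd
              mountPath: /etc/cni/net.d/
              readOnly: true
            - name: opt-cni-bin
              mountPath: /opt/cni/bin/
              readOnly: true
      # Run once; a failed container is not restarted in place.
      restartPolicy: Never
      # Host directories backing the mounts above. No hostPath "type" is set,
      # so Kubernetes does not check that a path exists or is a directory
      # before mounting it.
      volumes:
        - name: var-lib-etcd
          hostPath:
            path: "/var/lib/etcd"
        - name: var-lib-kubelet
          hostPath:
            path: "/var/lib/kubelet"
        - name: var-lib-kube-scheduler
          hostPath:
            path: "/var/lib/kube-scheduler"
        - name: var-lib-kube-controller-manager
          hostPath:
            path: "/var/lib/kube-controller-manager"
        - name: etc-systemd
          hostPath:
            path: "/etc/systemd"
        - name: lib-systemd
          hostPath:
            path: "/lib/systemd"
        - name: srv-kubernetes
          hostPath:
            path: "/srv/kubernetes"
        - name: etc-kubernetes
          hostPath:
            path: "/etc/kubernetes"
        # Host /usr/bin, mounted in the container at
        # /usr/local/mount-from-host/bin.
        - name: usr-bin
          hostPath:
            path: "/usr/bin"
        - name: etc-cni-netd
          hostPath:
            path: "/etc/cni/net.d/"
        - name: opt-cni-bin
          hostPath:
            path: "/opt/cni/bin/"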