self.details must be a dict
---
# One-shot Job that runs the kube-bench "node" checks and prints the
# report as JSON on the container's stdout.
#
# Security notes:
# - The pod gets visibility into the node through hostPID and four
#   hostPath mounts; every mount is read-only.
# - No nodeSelector or affinity is set, so the scheduler picks the node
#   and the report describes that single node only.
# - No securityContext is set, so the container runs with the image's
#   default user and capabilities.
apiVersion: batch/v1
kind: Job
metadata:
  name: kube-bench-node
spec:
  template:
    spec:
      # Shares the node's PID namespace so the container can see the
      # processes running on the host. Treat this pod as privileged
      # from a threat-model point of view.
      hostPID: true
      # A failed run is not restarted in place.
      restartPolicy: Never
      containers:
        - name: kube-bench
          # Pinned by tag, not by digest: a tag can be re-pointed in the
          # registry. NOTE(review): consider pinning as
          # aquasec/kube-bench@sha256:<DIGEST-PLACEHOLDER>.
          image: aquasec/kube-bench:0.3.1
          command:
            - 'kube-bench'
            - 'node'
            - '--json'
          volumeMounts:
            - name: var-lib-kubelet
              mountPath: /var/lib/kubelet
              readOnly: true
            - name: etc-systemd
              mountPath: /etc/systemd
              readOnly: true
            - name: etc-kubernetes
              mountPath: /etc/kubernetes
              readOnly: true
            # The host's /usr/bin is mounted at
            # /usr/local/mount-from-host/bin to give access to kubectl /
            # kubelet, for auto-detecting the Kubernetes version.
            # You can omit this mount if you specify --version as part
            # of the command.
            - name: usr-bin
              mountPath: /usr/local/mount-from-host/bin
              readOnly: true
      # Host directories backing the mounts above. No hostPath "type" is
      # given, so no check is made on the path before it is mounted.
      volumes:
        - name: var-lib-kubelet
          hostPath:
            path: /var/lib/kubelet
        - name: etc-systemd
          hostPath:
            path: /etc/systemd
        - name: etc-kubernetes
          hostPath:
            path: /etc/kubernetes
        - name: usr-bin
          hostPath:
            path: /usr/bin