---
# One-shot Job that runs kube-bench against the node it is scheduled on.
# No nodeSelector or tolerations are set, so as written the report covers
# only whichever node the scheduler picks.
apiVersion: batch/v1
kind: Job
metadata:
  name: kube-bench
spec:
  template:
    metadata:
      labels:
        app: kube-bench
    spec:
      # Never restart the container in place once it has exited.
      restartPolicy: Never
      # The pod shares the node's PID namespace.
      # NOTE(review): presumably needed so kube-bench can see the node's
      # component processes - confirm before removing.
      hostPID: true
      # Host directories handed to the container. Every mount below is
      # read-only, which blocks writes but not reads.
      # NOTE(review): /var/lib/etcd and /etc/kubernetes commonly hold the
      # cluster datastore and credentials. Restrict who may create this Job
      # (namespace, RBAC, admission policy) and delete it after the run.
      volumes:
        - name: var-lib-etcd
          hostPath:
            path: /var/lib/etcd
        - name: var-lib-kubelet
          hostPath:
            path: /var/lib/kubelet
        - name: etc-systemd
          hostPath:
            path: /etc/systemd
        - name: etc-kubernetes
          hostPath:
            path: /etc/kubernetes
        - name: usr-bin
          hostPath:
            path: /usr/bin
      containers:
        - name: kube-bench
          # NOTE(review): a tag is mutable. Pinning by digest
          # (aquasec/kube-bench@sha256:<digest-placeholder>) keeps the
          # image that gets host access reproducible.
          image: aquasec/kube-bench:0.3.1
          command:
            - kube-bench
          # Emit the report as JSON.
          args:
            - --json
          volumeMounts:
            - name: var-lib-etcd
              mountPath: /var/lib/etcd
              readOnly: true
            - name: var-lib-kubelet
              mountPath: /var/lib/kubelet
              readOnly: true
            - name: etc-systemd
              mountPath: /etc/systemd
              readOnly: true
            - name: etc-kubernetes
              mountPath: /etc/kubernetes
              readOnly: true
            # Host /usr/bin is exposed at /usr/local/mount-from-host/bin so
            # kube-bench can reach kubectl / kubelet and auto-detect the
            # Kubernetes version. This mount can be omitted if --version is
            # given as part of the command.
            - name: usr-bin
              mountPath: /usr/local/mount-from-host/bin
              readOnly: true