Enhance kube-hunter result postprocessing
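---
# Kubernetes Job that runs a single kube-bench (CIS Kubernetes benchmark)
# scan on the node the pod is scheduled on.
#
# Security-relevant settings, kept deliberately:
#   - hostPID: true plus the hostPath volumes below give the container a
#     view of the host process table and of /var/lib/etcd, /var/lib/kubelet,
#     /etc/systemd, /etc/kubernetes and /usr/bin. kube-bench needs these to
#     read control-plane / kubelet configuration; every mount is readOnly so
#     the scanner cannot modify host files.
#   - restartPolicy: Never — a container that exits non-zero is not restarted
#     inside the same pod, so one scan produces one result.
apiVersion: batch/v1
kind: Job
metadata:
  name: kube-bench
spec:
  template:
    metadata:
      labels:
        app: kube-bench
    spec:
      hostPID: true
      containers:
        - name: kube-bench
          # Pinned by tag only; pin by digest (aquasec/kube-bench@sha256:<DIGEST>)
          # if an immutable image reference is required.
          image: aquasec/kube-bench:0.3.1
          command: ["kube-bench"]
          volumeMounts:
            - name: var-lib-etcd
              mountPath: /var/lib/etcd
              readOnly: true
            - name: var-lib-kubelet
              mountPath: /var/lib/kubelet
              readOnly: true
            - name: etc-systemd
              mountPath: /etc/systemd
              readOnly: true
            - name: etc-kubernetes
              mountPath: /etc/kubernetes
              readOnly: true
            # /usr/local/mount-from-host/bin exposes the host's kubectl / kubelet
            # so kube-bench can auto-detect the Kubernetes version. The mount can
            # be omitted if --version is passed as part of the command.
            - name: usr-bin
              mountPath: /usr/local/mount-from-host/bin
              readOnly: true
      restartPolicy: Never
      volumes:
        - name: var-lib-etcd
          hostPath:
            path: "/var/lib/etcd"
        - name: var-lib-kubelet
          hostPath:
            path: "/var/lib/kubelet"
        - name: etc-systemd
          hostPath:
            path: "/etc/systemd"
        - name: etc-kubernetes
          hostPath:
            path: "/etc/kubernetes"
        - name: usr-bin
          hostPath:
            path: "/usr/bin"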