Update kube bench test cases to latest dev 31/73531/1
authorCédric Ollivier <cedric.ollivier@orange.com>
Thu, 6 Oct 2022 12:46:19 +0000 (14:46 +0200)
committerCédric Ollivier <cedric.ollivier@orange.com>
Thu, 6 Oct 2022 12:49:15 +0000 (14:49 +0200)
Change-Id: I6edcfcced84d46a06933f4a5dc1702cfa90e3f9a
Signed-off-by: Cédric Ollivier <cedric.ollivier@orange.com>
(cherry picked from commit 5926e9d259cf7f0c620aaa18aa2dc55a4c0208f5)

functest_kubernetes/security/kube-bench-master.yaml
functest_kubernetes/security/kube-bench-node.yaml
functest_kubernetes/security/security.py

index d1a1321..e233992 100644 (file)
@@ -7,20 +7,49 @@ spec:
   template:
     spec:
       hostPID: true
-      nodeSelector:
-        node-role.kubernetes.io/master: ""
+      affinity:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+              - matchExpressions:
+                  - key: node-role.kubernetes.io/control-plane
+                    operator: Exists
+              - matchExpressions:
+                  - key: node-role.kubernetes.io/master
+                    operator: Exists
       tolerations:
         - key: node-role.kubernetes.io/master
           operator: Exists
           effect: NoSchedule
+        - key: node-role.kubernetes.io/control-plane
+          operator: Exists
+          effect: NoSchedule
       containers:
         - name: kube-bench
-          image: {{ dockerhub_repo }}/aquasec/kube-bench:0.3.1
-          command: ["kube-bench", "master", "--json"]
+          image: {{ dockerhub_repo }}/aquasec/kube-bench:v0.6.9
+          command: ["kube-bench", "run", "--targets", "master", "--json"]
           volumeMounts:
             - name: var-lib-etcd
               mountPath: /var/lib/etcd
               readOnly: true
+            - name: var-lib-kubelet
+              mountPath: /var/lib/kubelet
+              readOnly: true
+            - name: var-lib-kube-scheduler
+              mountPath: /var/lib/kube-scheduler
+              readOnly: true
+            - name: var-lib-kube-controller-manager
+              mountPath: /var/lib/kube-controller-manager
+              readOnly: true
+            - name: etc-systemd
+              mountPath: /etc/systemd
+              readOnly: true
+            - name: lib-systemd
+              mountPath: /lib/systemd/
+              readOnly: true
+            - name: srv-kubernetes
+              mountPath: /srv/kubernetes/
+              readOnly: true
             - name: etc-kubernetes
               mountPath: /etc/kubernetes
               readOnly: true
@@ -29,14 +58,56 @@ spec:
             - name: usr-bin
               mountPath: /usr/local/mount-from-host/bin
               readOnly: true
+            - name: etc-cni-netd
+              mountPath: /etc/cni/net.d/
+              readOnly: true
+            - name: opt-cni-bin
+              mountPath: /opt/cni/bin/
+              readOnly: true
+            - name: etc-passwd
+              mountPath: /etc/passwd
+              readOnly: true
+            - name: etc-group
+              mountPath: /etc/group
+              readOnly: true
       restartPolicy: Never
       volumes:
         - name: var-lib-etcd
           hostPath:
             path: "/var/lib/etcd"
+        - name: var-lib-kubelet
+          hostPath:
+            path: "/var/lib/kubelet"
+        - name: var-lib-kube-scheduler
+          hostPath:
+            path: "/var/lib/kube-scheduler"
+        - name: var-lib-kube-controller-manager
+          hostPath:
+            path: "/var/lib/kube-controller-manager"
+        - name: etc-systemd
+          hostPath:
+            path: "/etc/systemd"
+        - name: lib-systemd
+          hostPath:
+            path: "/lib/systemd"
+        - name: srv-kubernetes
+          hostPath:
+            path: "/srv/kubernetes"
         - name: etc-kubernetes
           hostPath:
             path: "/etc/kubernetes"
         - name: usr-bin
           hostPath:
             path: "/usr/bin"
+        - name: etc-cni-netd
+          hostPath:
+            path: "/etc/cni/net.d/"
+        - name: opt-cni-bin
+          hostPath:
+            path: "/opt/cni/bin/"
+        - name: etc-passwd
+          hostPath:
+            path: "/etc/passwd"
+        - name: etc-group
+          hostPath:
+            path: "/etc/group"
index 9592977..8f1fbb0 100644 (file)
@@ -9,15 +9,30 @@ spec:
       hostPID: true
       containers:
         - name: kube-bench
-          image: {{ dockerhub_repo }}/aquasec/kube-bench:0.3.1
-          command: ["kube-bench", "node", "--json"]
+          image: {{ dockerhub_repo }}/aquasec/kube-bench:v0.6.9
+          command: ["kube-bench", "run", "--targets", "node", "--json"]
           volumeMounts:
+            - name: var-lib-etcd
+              mountPath: /var/lib/etcd
+              readOnly: true
             - name: var-lib-kubelet
               mountPath: /var/lib/kubelet
               readOnly: true
+            - name: var-lib-kube-scheduler
+              mountPath: /var/lib/kube-scheduler
+              readOnly: true
+            - name: var-lib-kube-controller-manager
+              mountPath: /var/lib/kube-controller-manager
+              readOnly: true
             - name: etc-systemd
               mountPath: /etc/systemd
               readOnly: true
+            - name: lib-systemd
+              mountPath: /lib/systemd/
+              readOnly: true
+            - name: srv-kubernetes
+              mountPath: /srv/kubernetes/
+              readOnly: true
             - name: etc-kubernetes
               mountPath: /etc/kubernetes
               readOnly: true
@@ -26,17 +41,44 @@ spec:
             - name: usr-bin
               mountPath: /usr/local/mount-from-host/bin
               readOnly: true
+            - name: etc-cni-netd
+              mountPath: /etc/cni/net.d/
+              readOnly: true
+            - name: opt-cni-bin
+              mountPath: /opt/cni/bin/
+              readOnly: true
       restartPolicy: Never
       volumes:
+        - name: var-lib-etcd
+          hostPath:
+            path: "/var/lib/etcd"
         - name: var-lib-kubelet
           hostPath:
             path: "/var/lib/kubelet"
+        - name: var-lib-kube-scheduler
+          hostPath:
+            path: "/var/lib/kube-scheduler"
+        - name: var-lib-kube-controller-manager
+          hostPath:
+            path: "/var/lib/kube-controller-manager"
         - name: etc-systemd
           hostPath:
             path: "/etc/systemd"
+        - name: lib-systemd
+          hostPath:
+            path: "/lib/systemd"
+        - name: srv-kubernetes
+          hostPath:
+            path: "/srv/kubernetes"
         - name: etc-kubernetes
           hostPath:
             path: "/etc/kubernetes"
         - name: usr-bin
           hostPath:
             path: "/usr/bin"
+        - name: etc-cni-netd
+          hostPath:
+            path: "/etc/cni/net.d/"
+        - name: opt-cni-bin
+          hostPath:
+            path: "/opt/cni/bin/"
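Review bot: The node job now declares hostPath volumes for control-plane-only locations (`/var/lib/etcd`, `/var/lib/kube-scheduler`, `/var/lib/kube-controller-manager`, `/srv/kubernetes`) without a `type:`, and on a plain worker those paths normally do not exist; with the type unset the kubelet performs no existence check and the runtime will in practice create a missing bind source as an empty root-owned directory on the host, which is a side effect a read-only audit job should not leave behind. Making the intent explicit, either with `type: DirectoryOrCreate` if the creation is acceptable or with a comment stating that the mounts are there so the node checks can read the files where they happen to exist, would keep the next reader from treating it as a mistake. The matching `volumeMounts` for these paths are in the previous hunk (lines 136-156). The new `/etc/passwd` and `/etc/group` volumes in the master job (lines 120-125) follow the same unset-type pattern, where `type: File` would let the kubelet verify they are regular files before binding.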
index 751fd29..cfbb391 100644 (file)
@@ -214,7 +214,7 @@ class KubeBench(SecurityTesting):
             header_style='upper', padding_width=5,
             field_names=['node_type', 'version', 'test_desc', 'pass',
                          'fail', 'warn'])
-        for details in self.details["report"]:
+        for details in self.details["report"]["Controls"]:
             for test in details['tests']:
                 msg.add_row(
                     [details['node_type'], details['version'], test['desc'],
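Review bot: `self.details["report"]["Controls"]` at line 211 raises a bare `KeyError('Controls')` if the kube-bench JSON has no top-level `Controls` key (an older image that still emits the flat list, or a run whose output was truncated), and that message says nothing about which file or format was expected; a guard such as `controls = self.details["report"].get("Controls")` followed by `if controls is None: raise ValueError("kube-bench report has no 'Controls' section; is the image older than v0.6?")` would make the failure self-explaining. A one-line comment above the loop noting that the v0.6.x JSON format nests the per-target results under `Controls` would also help whoever bumps the image next. The enclosing method starts above this hunk and the `msg.add_row(` call continues below it, so the rest of the row construction is not visible here.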