From fd52b38a2144404f4b9e8b82347839f6958db16b Mon Sep 17 00:00:00 2001
From: Stefan Reimer
Date: Wed, 13 Nov 2024 20:57:54 +0000
Subject: [PATCH] ci: add kube-bench job template
---
docs/kube-bench.yaml | 73 ++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 73 insertions(+)
create mode 100644 docs/kube-bench.yaml
diff --git a/docs/kube-bench.yaml b/docs/kube-bench.yaml
new file mode 100644
index 00000000..c01ca18e
--- /dev/null
+++ b/docs/kube-bench.yaml
@@ -0,0 +1,73 @@
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: kube-bench
+spec:
+ template:
+ metadata:
+ labels:
+ app: kube-bench
+ spec:
+ containers:
+ - command: ["kube-bench"]
+ image: docker.io/aquasec/kube-bench:v0.9.1
+ name: kube-bench
+ volumeMounts:
+ - name: var-lib-cni
+ mountPath: /var/lib/cni
+ readOnly: true
+ - mountPath: /var/lib/etcd
+ name: var-lib-etcd
+ readOnly: true
+ - mountPath: /var/lib/kubelet
+ name: var-lib-kubelet
+ readOnly: true
+ - mountPath: /var/lib/kube-scheduler
+ name: var-lib-kube-scheduler
+ readOnly: true
+ - mountPath: /var/lib/kube-controller-manager
+ name: var-lib-kube-controller-manager
+ readOnly: true
+ - mountPath: /etc/kubernetes
+ name: etc-kubernetes
+ readOnly: true
+ - mountPath: /usr/local/mount-from-host/bin
+ name: usr-bin
+ readOnly: true
+ - mountPath: /etc/cni/net.d/
+ name: etc-cni-netd
+ readOnly: true
+ - mountPath: /opt/cni/bin/
+ name: opt-cni-bin
+ readOnly: true
+ hostPID: true
+ restartPolicy: Never
+ volumes:
+ - name: var-lib-cni
+ hostPath:
+ path: /var/lib/cni
+ - hostPath:
+ path: /var/lib/etcd
+ name: var-lib-etcd
+ - hostPath:
+ path: /var/lib/kubelet
+ name: var-lib-kubelet
+ - hostPath:
+ path: /var/lib/kube-scheduler
+ name: var-lib-kube-scheduler
+ - hostPath:
+ path: /var/lib/kube-controller-manager
+ name: var-lib-kube-controller-manager
+ - hostPath:
+ path: /etc/kubernetes
+ name: etc-kubernetes
+ - hostPath:
+ path: /usr/bin
+ name: usr-bin
+ - hostPath:
+ path: /etc/cni/net.d/
+ name: etc-cni-netd
+ - hostPath:
+ path: /usr/libexec/cni
+ name: opt-cni-bin
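Review bot: The `image:` line references the scanner by a mutable tag (`v0.9.1`) even though this pod runs with `hostPID: true` and gets read access to the host's `/etc/kubernetes` and `/var/lib/etcd`, so whatever the registry serves under that tag can read the node's cluster configuration and etcd data (and presumably the PKI material kept there). Pin it by digest, e.g. `image: docker.io/aquasec/kube-bench:v0.9.1@sha256:<digest-of-the-verified-image>`. The template also sets no `nodeSelector` or `tolerations`, so it can be scheduled on a node where the control-plane paths do not exist; adding `type: Directory` to the hostPath volumes would make the pod fail there rather than, most likely, checking empty mounts, and a header comment naming the intended node role would help. The `opt-cni-bin` volume points at `/usr/libexec/cni` while being mounted at `/opt/cni/bin/`, which looks deliberate for the host distribution but deserves a one-line comment such as `# host keeps CNI plugins in /usr/libexec/cni; kube-bench expects /opt/cni/bin`.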