authormrichomme <morgan.richomme@orange.com>2020-02-10 17:49:43 +0100
committerCédric Ollivier <cedric.ollivier@orange.com>2020-07-01 23:05:41 +0200
commit5d10d8e987e102a84699b8d8c16fbd7d6c04272f (patch)
treeac04f84ddfd596b65ebdddcb01d4e0026d2be988 /functest_kubernetes/security/kube-bench.yaml
parent39f68c9425a806cbfef863db29d8cb1a0cefed84 (diff)
Add security docker for functest-kubernetes
Run the kube-hunter and kube-bench cases, which deal with security in Kubernetes (vulnerability checks) [1][2]. This is only a first step that prints the output. [1]: https://github.com/aquasecurity/kube-bench [2]: https://github.com/aquasecurity/kube-hunter Co-Authored-By: Cédric Ollivier <cedric.ollivier@orange.com> Change-Id: I3bd9bda80046ef7a0c494d51dfb0b8cbfea02bb0 Signed-off-by: mrichomme <morgan.richomme@orange.com> (cherry picked from commit 98d9f93337ab514fa9aafc1cd1e87473de68b364) (cherry picked from commit 0626f54b8686134515eab3b9014c5b538405d84f) (cherry picked from commit a7191389900b58f50e428af47e6819f30ba07d8f)
Diffstat (limited to 'functest_kubernetes/security/kube-bench.yaml')
-rw-r--r--functest_kubernetes/security/kube-bench.yaml51
1 files changed, 51 insertions, 0 deletions
diff --git a/functest_kubernetes/security/kube-bench.yaml b/functest_kubernetes/security/kube-bench.yaml
new file mode 100644
index 00000000..ec42ba16
--- /dev/null
+++ b/functest_kubernetes/security/kube-bench.yaml
@@ -0,0 +1,51 @@
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: kube-bench
+spec:
+ template:
+ metadata:
+ labels:
+ app: kube-bench
+ spec:
+ hostPID: true
+ containers:
+ - name: kube-bench
+ image: aquasec/kube-bench:latest
+ command: ["kube-bench"]
+ volumeMounts:
+ - name: var-lib-etcd
+ mountPath: /var/lib/etcd
+ readOnly: true
+ - name: var-lib-kubelet
+ mountPath: /var/lib/kubelet
+ readOnly: true
+ - name: etc-systemd
+ mountPath: /etc/systemd
+ readOnly: true
+ - name: etc-kubernetes
+ mountPath: /etc/kubernetes
+ readOnly: true
+ # /usr/local/mount-from-host/bin is mounted to access kubectl / kubelet, for auto-detecting the Kubernetes version.
+ # You can omit this mount if you specify --version as part of the command.
+ - name: usr-bin
+ mountPath: /usr/local/mount-from-host/bin
+ readOnly: true
+ restartPolicy: Never
+ volumes:
+ - name: var-lib-etcd
+ hostPath:
+ path: "/var/lib/etcd"
+ - name: var-lib-kubelet
+ hostPath:
+ path: "/var/lib/kubelet"
+ - name: etc-systemd
+ hostPath:
+ path: "/etc/systemd"
+ - name: etc-kubernetes
+ hostPath:
+ path: "/etc/kubernetes"
+ - name: usr-bin
+ hostPath:
+ path: "/usr/bin"
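Review bot: `image: aquasec/kube-bench:latest` is an unpinned tag on a pod that runs with `hostPID: true` and read access to the host's `/etc/kubernetes`, `/var/lib/etcd` and `/usr/bin`, so the code executing with that level of host visibility changes silently whenever upstream republishes the tag and the benchmark results are not reproducible between runs; pin it to a release and preferably a digest, e.g. `image: aquasec/kube-bench:<PINNED_VERSION>@sha256:<IMAGE_DIGEST>` (placeholders, to be filled from the registry). The Job also sets no `backoffLimit`, so a pod that exits non-zero is re-created up to the batch/v1 default before the Job is marked failed; for a one-shot report `backoffLimit: 0` avoids repeated retries with the same host mounts. The `readOnly: true` on every volumeMount is the right choice for these paths, and a one-line comment above `hostPID: true` explaining that kube-bench needs host process visibility to inspect the control-plane processes would help the next reader. Indentation in this view appears flattened by the rendering, so the nesting is assumed to match the upstream example manifest.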