diff options
author | mrichomme <morgan.richomme@orange.com> | 2020-02-10 17:49:43 +0100 |
---|---|---|
committer | Cédric Ollivier <cedric.ollivier@orange.com> | 2020-07-01 23:05:41 +0200 |
commit | 5d10d8e987e102a84699b8d8c16fbd7d6c04272f (patch) | |
tree | ac04f84ddfd596b65ebdddcb01d4e0026d2be988 /functest_kubernetes/security/kube-bench.yaml | |
parent | 39f68c9425a806cbfef863db29d8cb1a0cefed84 (diff) |
Add security docker for functest-kubernetes
run kube-hunter and kube-bench cases dealing with security in kubernetes (check
vulnerabilities) [1][2]
It's the first step only printing the output.
[1]: https://github.com/aquasecurity/kube-bench
[2]: https://github.com/aquasecurity/kube-hunter
Co-Authored-By: Cédric Ollivier <cedric.ollivier@orange.com>
Change-Id: I3bd9bda80046ef7a0c494d51dfb0b8cbfea02bb0
Signed-off-by: mrichomme <morgan.richomme@orange.com>
(cherry picked from commit 98d9f93337ab514fa9aafc1cd1e87473de68b364)
(cherry picked from commit 0626f54b8686134515eab3b9014c5b538405d84f)
(cherry picked from commit a7191389900b58f50e428af47e6819f30ba07d8f)
Diffstat (limited to 'functest_kubernetes/security/kube-bench.yaml')
-rw-r--r-- | functest_kubernetes/security/kube-bench.yaml | 51 |
1 files changed, 51 insertions, 0 deletions
diff --git a/functest_kubernetes/security/kube-bench.yaml b/functest_kubernetes/security/kube-bench.yaml new file mode 100644 index 00000000..ec42ba16 --- /dev/null +++ b/functest_kubernetes/security/kube-bench.yaml @@ -0,0 +1,51 @@ +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: kube-bench +spec: + template: + metadata: + labels: + app: kube-bench + spec: + hostPID: true + containers: + - name: kube-bench + image: aquasec/kube-bench:latest + command: ["kube-bench"] + volumeMounts: + - name: var-lib-etcd + mountPath: /var/lib/etcd + readOnly: true + - name: var-lib-kubelet + mountPath: /var/lib/kubelet + readOnly: true + - name: etc-systemd + mountPath: /etc/systemd + readOnly: true + - name: etc-kubernetes + mountPath: /etc/kubernetes + readOnly: true + # /usr/local/mount-from-host/bin is mounted to access kubectl / kubelet, for auto-detecting the Kubernetes version. + # You can omit this mount if you specify --version as part of the command. + - name: usr-bin + mountPath: /usr/local/mount-from-host/bin + readOnly: true + restartPolicy: Never + volumes: + - name: var-lib-etcd + hostPath: + path: "/var/lib/etcd" + - name: var-lib-kubelet + hostPath: + path: "/var/lib/kubelet" + - name: etc-systemd + hostPath: + path: "/etc/systemd" + - name: etc-kubernetes + hostPath: + path: "/etc/kubernetes" + - name: usr-bin + hostPath: + path: "/usr/bin" |