diff options
author | Cédric Ollivier <cedric.ollivier@orange.com> | 2020-09-13 14:53:26 +0200 |
---|---|---|
committer | Cédric Ollivier <cedric.ollivier@orange.com> | 2020-09-13 17:00:33 +0200 |
commit | e73fb855bdf559882bb7fc46811a92eb9f3c5d0b (patch) | |
tree | 8ce9a18d5e78f005cd395ca5d1a65eae0584fb6b /functest_kubernetes/security | |
parent | 58eeabaf065676e9ae6a55bc6aa8a17182034164 (diff) |
Split kube-bench master and node
The former deployment asked for all-in-one.
Change-Id: I12e470cec9e82b82c6f3ea5ff2431087f5deb9be
Signed-off-by: Cédric Ollivier <cedric.ollivier@orange.com>
(cherry picked from commit bced94b6fe24c7e939fb22834deb77477e4a9bb9)
Diffstat (limited to 'functest_kubernetes/security')
-rw-r--r-- | functest_kubernetes/security/kube-bench-master.yaml | 42 | ||||
-rw-r--r-- | functest_kubernetes/security/kube-bench-node.yaml (renamed from functest_kubernetes/security/kube-bench.yaml) | 14 | ||||
-rw-r--r-- | functest_kubernetes/security/security.py | 5 |
3 files changed, 45 insertions, 16 deletions
diff --git a/functest_kubernetes/security/kube-bench-master.yaml b/functest_kubernetes/security/kube-bench-master.yaml new file mode 100644 index 00000000..755e2923 --- /dev/null +++ b/functest_kubernetes/security/kube-bench-master.yaml @@ -0,0 +1,42 @@ +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: kube-bench-master +spec: + template: + spec: + hostPID: true + nodeSelector: + node-role.kubernetes.io/master: "" + tolerations: + - key: node-role.kubernetes.io/master + operator: Exists + effect: NoSchedule + containers: + - name: kube-bench + image: aquasec/kube-bench:0.3.1 + command: ["kube-bench", "master", "--json"] + volumeMounts: + - name: var-lib-etcd + mountPath: /var/lib/etcd + readOnly: true + - name: etc-kubernetes + mountPath: /etc/kubernetes + readOnly: true + # /usr/local/mount-from-host/bin is mounted to access kubectl / kubelet, for auto-detecting the Kubernetes version. + # You can omit this mount if you specify --version as part of the command. + - name: usr-bin + mountPath: /usr/local/mount-from-host/bin + readOnly: true + restartPolicy: Never + volumes: + - name: var-lib-etcd + hostPath: + path: "/var/lib/etcd" + - name: etc-kubernetes + hostPath: + path: "/etc/kubernetes" + - name: usr-bin + hostPath: + path: "/usr/bin" diff --git a/functest_kubernetes/security/kube-bench.yaml b/functest_kubernetes/security/kube-bench-node.yaml index 2f2c57d6..306ad600 100644 --- a/functest_kubernetes/security/kube-bench.yaml +++ b/functest_kubernetes/security/kube-bench-node.yaml @@ -2,23 +2,16 @@ apiVersion: batch/v1 kind: Job metadata: - name: kube-bench + name: kube-bench-node spec: template: - metadata: - labels: - app: kube-bench spec: hostPID: true containers: - name: kube-bench image: aquasec/kube-bench:0.3.1 - command: ["kube-bench"] - args: ["--json"] + command: ["kube-bench", "node", "--json"] volumeMounts: - - name: var-lib-etcd - mountPath: /var/lib/etcd - readOnly: true - name: var-lib-kubelet mountPath: /var/lib/kubelet readOnly: true @@ -35,9 +28,6 @@ spec: readOnly: true restartPolicy: Never volumes: - - name: var-lib-etcd - hostPath: - path: "/var/lib/etcd" - name: var-lib-kubelet hostPath: path: "/var/lib/kubelet" diff --git a/functest_kubernetes/security/security.py b/functest_kubernetes/security/security.py index 64aa4150..e590d059 100644 --- a/functest_kubernetes/security/security.py +++ b/functest_kubernetes/security/security.py @@ -191,11 +191,8 @@ class KubeBench(SecurityTesting): __logger = logging.getLogger(__name__) - def __init__(self, **kwargs): - super(KubeBench, self).__init__(**kwargs) - self.job_name = "kube-bench" - def run(self, **kwargs): + self.job_name = "kube-bench-{}".format(kwargs.get("target", "node")) super(KubeBench, self).run(**kwargs) self.details["report"] = ast.literal_eval(self.pod_log) msg = prettytable.PrettyTable( |