From bced94b6fe24c7e939fb22834deb77477e4a9bb9 Mon Sep 17 00:00:00 2001 From: Cédric Ollivier Date: Sun, 13 Sep 2020 14:53:26 +0200 Subject: Split kube-bench master and node MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The former deployment asked for all-in-one. Change-Id: I12e470cec9e82b82c6f3ea5ff2431087f5deb9be Signed-off-by: Cédric Ollivier --- functest_kubernetes/security/kube-bench-node.yaml | 42 +++++++++++++++++++++++ 1 file changed, 42 insertions(+) create mode 100644 functest_kubernetes/security/kube-bench-node.yaml (limited to 'functest_kubernetes/security/kube-bench-node.yaml') diff --git a/functest_kubernetes/security/kube-bench-node.yaml b/functest_kubernetes/security/kube-bench-node.yaml new file mode 100644 index 00000000..306ad600 --- /dev/null +++ b/functest_kubernetes/security/kube-bench-node.yaml @@ -0,0 +1,42 @@ +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: kube-bench-node +spec: + template: + spec: + hostPID: true + containers: + - name: kube-bench + image: aquasec/kube-bench:0.3.1 + command: ["kube-bench", "node", "--json"] + volumeMounts: + - name: var-lib-kubelet + mountPath: /var/lib/kubelet + readOnly: true + - name: etc-systemd + mountPath: /etc/systemd + readOnly: true + - name: etc-kubernetes + mountPath: /etc/kubernetes + readOnly: true + # /usr/local/mount-from-host/bin is mounted to access kubectl / kubelet, for auto-detecting the Kubernetes version. + # You can omit this mount if you specify --version as part of the command. + - name: usr-bin + mountPath: /usr/local/mount-from-host/bin + readOnly: true + restartPolicy: Never + volumes: + - name: var-lib-kubelet + hostPath: + path: "/var/lib/kubelet" + - name: etc-systemd + hostPath: + path: "/etc/systemd" + - name: etc-kubernetes + hostPath: + path: "/etc/kubernetes" + - name: usr-bin + hostPath: + path: "/usr/bin" -- cgit 1.2.3-korg