From 040c137c9d1aae4763692cf88e2b46a2c69e47c8 Mon Sep 17 00:00:00 2001
From: Deepanshu Bhatia
Date: Thu, 30 Jan 2025 02:59:04 +0530
Subject: [PATCH] Add other resources needed for kube-bench pod
---
 job-ocp.yaml | 79 +++++++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 78 insertions(+), 1 deletion(-)
diff --git a/job-ocp.yaml b/job-ocp.yaml
index cd05ecc..7bcd87b 100644
--- a/job-ocp.yaml
+++ b/job-ocp.yaml 
@@ -1,15 +1,92 @@
 ---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: kube-bench
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ labels:
+ app: kube-bench
+ name: kube-bench-sa
+ namespace: kube-bench
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ app: kube-bench
+ name: kube-bench-cluster-role
+rules:
+- apiGroups:
+ - '*'
+ resources:
+ - '*'
+ verbs:
+ - 'get'
+ - 'list'
+- apiGroups:
+ - '*'
+ resources:
+ - 'pods/exec'
+ verbs:
+ - 'create'
+- apiGroups:
+ - '*'
+ resources:
+ - 'pods'
+ - 'namespaces'
+ verbs:
+ - 'create'
+ - 'delete'
+ - 'watch'
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ labels:
+ app: kube-bench
+ name: kube-bench-cluster-role-binding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: kube-bench-cluster-role
+subjects:
+- kind: ServiceAccount
+ name: kube-bench-sa
+ # It is mandatory to give namespace here and it doesn't pick the one mentioned in kubeconfig file.
+ namespace: kube-bench
+# In kube-bench pod for Openshift, oc cli creates random namespaces to deploy debug pods for CIS checks.
+# So, it will need privileged access.
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ labels:
+ app: kube-bench
+ name: kube-bench-privileged
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:openshift:scc:privileged
+subjects:
+- kind: ServiceAccount
+ name: kube-bench-sa
+ namespace: kube-bench
+---
 apiVersion: batch/v1
 kind: Job
 metadata:
 name: kube-bench
+ namespace: kube-bench
 spec:
 template:
 metadata:
 labels:
 app: kube-bench
 spec:
- serviceAccountName: kube-bench
+ serviceAccountName: kube-bench-sa
 automountServiceAccountToken: true
 containers:
 - command: ["kube-bench"]
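Review bot: The first rule under `rules:` grants `get`/`list` on every resource in every API group, and because it is bound through a ClusterRoleBinding that read applies cluster-wide and includes Secrets; the second rule grants `create` on `pods/exec` in every namespace, and the Job in the same hunk still has `automountServiceAccountToken: true`, so a compromise of the kube-bench pod yields read access to all cluster secrets and exec into any pod, which together with the `system:openshift:scc:privileged` binding is close to cluster-admin. `pods/exec`, `pods` and `namespaces` are core-group resources, so those two rules can use `apiGroups: - ''` instead of `'*'`, and the read rule should list only the resources the CIS checks actually inspect (I can't tell from the hunk which those are). If the wildcard read has to stay, add a comment above `rules:` such as `# Wildcard get/list is required by <CHECK-LIST placeholder>; note this includes secrets cluster-wide` so the grant is a documented decision rather than a default. The two comment lines before the second `---` justify only the privileged SCC binding, not the wildcard read or the cluster-wide `pods/exec`.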