The root command will run node checks and if possible master checks. I've also added some Makefile targets to improve local testing and improve the documentation.pull/238/head
parent
0a58805cdb
commit
5baf81a70a
@ -0,0 +1,46 @@
|
||||
# use this pod with: kubectl run ubuntu -it --pid=host -- /bin/bash
|
||||
# this allows you to debug what is running on the host.
|
||||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: ubuntu
|
||||
spec:
|
||||
hostPID: true
|
||||
containers:
|
||||
- name: ubuntu
|
||||
image: ubuntu
|
||||
command: [ "/bin/bash", "-c", "--" ]
|
||||
args: [ "while true; do sleep 30; done;" ]
|
||||
volumeMounts:
|
||||
- name: var-lib-kubelet
|
||||
mountPath: /var/lib/kubelet
|
||||
- name: etc-systemd
|
||||
mountPath: /etc/systemd
|
||||
- name: etc-kubernetes
|
||||
mountPath: /etc/kubernetes
|
||||
# /usr/bin is mounted to access kubectl / kubelet, for auto-detecting the Kubernetes version.
|
||||
# You can omit this mount if you specify --version as part of the command.
|
||||
- name: usr-bin
|
||||
mountPath: /usr/bin
|
||||
- name: kind-bin
|
||||
mountPath: /kind/bin
|
||||
resources:
|
||||
limits:
|
||||
memory: "128Mi"
|
||||
cpu: "500m"
|
||||
volumes:
|
||||
- name: var-lib-kubelet
|
||||
hostPath:
|
||||
path: "/var/lib/kubelet"
|
||||
- name: etc-systemd
|
||||
hostPath:
|
||||
path: "/etc/systemd"
|
||||
- name: etc-kubernetes
|
||||
hostPath:
|
||||
path: "/etc/kubernetes"
|
||||
- name: usr-bin
|
||||
hostPath:
|
||||
path: "/usr/bin"
|
||||
- name: kind-bin
|
||||
hostPath:
|
||||
path: "/kind/bin"
|
@ -0,0 +1,50 @@
|
||||
apiVersion: batch/v1
|
||||
kind: Job
|
||||
metadata:
|
||||
name: kube-bench
|
||||
spec:
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: kube-bench
|
||||
spec:
|
||||
hostPID: true
|
||||
containers:
|
||||
- name: kube-bench
|
||||
image: aquasec/kube-bench:${VERSION}
|
||||
command: ["kube-bench"]
|
||||
volumeMounts:
|
||||
- name: var-lib-etcd
|
||||
mountPath: /var/lib/etcd
|
||||
- name: var-lib-kubelet
|
||||
mountPath: /var/lib/kubelet
|
||||
- name: etc-systemd
|
||||
mountPath: /etc/systemd
|
||||
- name: etc-kubernetes
|
||||
mountPath: /etc/kubernetes
|
||||
# /usr/bin is mounted to access kubectl / kubelet, for auto-detecting the Kubernetes version.
|
||||
# You can omit this mount if you specify --version as part of the command.
|
||||
- name: usr-bin
|
||||
mountPath: /usr/bin
|
||||
- name: kind-bin
|
||||
mountPath: /kind/bin
|
||||
restartPolicy: Never
|
||||
volumes:
|
||||
- name: var-lib-etcd
|
||||
hostPath:
|
||||
path: "/var/lib/etcd"
|
||||
- name: var-lib-kubelet
|
||||
hostPath:
|
||||
path: "/var/lib/kubelet"
|
||||
- name: etc-systemd
|
||||
hostPath:
|
||||
path: "/etc/systemd"
|
||||
- name: etc-kubernetes
|
||||
hostPath:
|
||||
path: "/etc/kubernetes"
|
||||
- name: usr-bin
|
||||
hostPath:
|
||||
path: "/usr/bin"
|
||||
- name: kind-bin
|
||||
hostPath:
|
||||
path: "/kind/bin"
|
@ -0,0 +1,45 @@
|
||||
apiVersion: batch/v1
|
||||
kind: Job
|
||||
metadata:
|
||||
name: kube-bench
|
||||
spec:
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: kube-bench
|
||||
spec:
|
||||
hostPID: true
|
||||
containers:
|
||||
- name: kube-bench
|
||||
image: aquasec/kube-bench:latest
|
||||
command: ["kube-bench"]
|
||||
volumeMounts:
|
||||
- name: var-lib-etcd
|
||||
mountPath: /var/lib/etcd
|
||||
- name: var-lib-kubelet
|
||||
mountPath: /var/lib/kubelet
|
||||
- name: etc-systemd
|
||||
mountPath: /etc/systemd
|
||||
- name: etc-kubernetes
|
||||
mountPath: /etc/kubernetes
|
||||
# /usr/bin is mounted to access kubectl / kubelet, for auto-detecting the Kubernetes version.
|
||||
# You can omit this mount if you specify --version as part of the command.
|
||||
- name: usr-bin
|
||||
mountPath: /usr/bin
|
||||
restartPolicy: Never
|
||||
volumes:
|
||||
- name: var-lib-etcd
|
||||
hostPath:
|
||||
path: "/var/lib/etcd"
|
||||
- name: var-lib-kubelet
|
||||
hostPath:
|
||||
path: "/var/lib/kubelet"
|
||||
- name: etc-systemd
|
||||
hostPath:
|
||||
path: "/etc/systemd"
|
||||
- name: etc-kubernetes
|
||||
hostPath:
|
||||
path: "/etc/kubernetes"
|
||||
- name: usr-bin
|
||||
hostPath:
|
||||
path: "/usr/bin"
|
@ -1,7 +1,72 @@
|
||||
SOURCES := $(shell find . -name '*.go')
|
||||
TARGET_OS := linux
|
||||
BINARY := kube-bench
|
||||
DOCKER_REGISTRY ?= aquasec
|
||||
VERSION ?= $(shell git rev-parse --short=7 HEAD)
|
||||
IMAGE_NAME ?= $(DOCKER_REGISTRY)/$(BINARY):$(VERSION)
|
||||
TARGET_OS := linux
|
||||
BUILD_OS := linux
|
||||
uname := $(shell uname -s)
|
||||
|
||||
ifneq ($(findstring Microsoft,$(shell uname -r)),)
|
||||
BUILD_OS := windows
|
||||
else ifeq ($(uname),Linux)
|
||||
BUILD_OS := linux
|
||||
else ifeq ($(uname),Darwin)
|
||||
BUILD_OS := darwin
|
||||
endif
|
||||
|
||||
# kind cluster name to use
|
||||
KIND_PROFILE ?= kube-bench
|
||||
KIND_CONTAINER_NAME=$(KIND_PROFILE)-control-plane
|
||||
|
||||
build: kube-bench
|
||||
|
||||
$(BINARY): $(SOURCES)
|
||||
GOOS=$(TARGET_OS) go build -o $(BINARY) .
|
||||
|
||||
# builds the current dev docker version
|
||||
build-docker:
|
||||
docker build --build-arg BUILD_DATE=$(shell date -u +"%Y-%m-%dT%H:%M:%SZ") \
|
||||
--build-arg VCS_REF=$(shell git rev-parse --short HEAD) \
|
||||
-t $(IMAGE_NAME) .
|
||||
|
||||
tests:
|
||||
go test -race -timeout 30s -cover ./cmd ./check
|
||||
|
||||
# creates a kind cluster to be used for development.
|
||||
HAS_KIND := $(shell command -v kind;)
|
||||
kind-test-cluster:
|
||||
ifndef HAS_KIND
|
||||
go get -u sigs.k8s.io/kind
|
||||
endif
|
||||
@if [ -z $$(kind get clusters | grep $(KIND_PROFILE)) ]; then\
|
||||
echo "Could not find $(KIND_PROFILE) cluster. Creating...";\
|
||||
kind create cluster --name $(KIND_PROFILE) --image kindest/node:v1.11.3 --wait 5m;\
|
||||
fi
|
||||
|
||||
# pushses the current dev version to the kind cluster.
|
||||
kind-push:
|
||||
docker save $(IMAGE_NAME) -o kube-bench.tar.gz; \
|
||||
docker cp kube-bench.tar.gz $(KIND_CONTAINER_NAME):/kube-bench.tar.gz; \
|
||||
docker exec $(KIND_CONTAINER_NAME) docker load -i /kube-bench.tar.gz;
|
||||
-rm -f kube-bench.tar.gz
|
||||
|
||||
# runs the current version on kind using a job and follow logs
|
||||
kind-run: KUBECONFIG = "$(shell kind get kubeconfig-path --name="$(KIND_PROFILE)")"
|
||||
kind-run: ensure-stern
|
||||
sed "s/\$${VERSION}/$(VERSION)/" ./hack/kind.yaml > ./hack/kind.test.yaml
|
||||
-KUBECONFIG=$(KUBECONFIG) \
|
||||
kubectl delete job kube-bench
|
||||
KUBECONFIG=$(KUBECONFIG) \
|
||||
kubectl apply -f ./hack/kind.test.yaml
|
||||
KUBECONFIG=$(KUBECONFIG) \
|
||||
stern -l app=kube-bench --container kube-bench
|
||||
|
||||
# ensures that stern is installed
|
||||
HAS_STERN := $(shell command -v stern;)
|
||||
ensure-stern:
|
||||
ifndef HAS_STERN
|
||||
curl -LO https://github.com/wercker/stern/releases/download/1.10.0/stern_$(BUILD_OS)_amd64 && \
|
||||
chmod +rx ./stern_$(BUILD_OS)_amd64 && \
|
||||
mv ./stern_$(BUILD_OS)_amd64 /usr/local/bin/stern
|
||||
endif
|
||||
|
Loading…
Reference in new issue