Set all host-mounted volumes to be read-only. (#569)
By setting all host-mounted volumes to read-only, we reduce the likelihood that any host filesystem is modified by running kube-bench.
This commit is contained in:
parent
037bb14729
commit
77f66511e7
@ -15,10 +15,13 @@ spec:
|
|||||||
volumeMounts:
|
volumeMounts:
|
||||||
- name: var-lib-kubelet
|
- name: var-lib-kubelet
|
||||||
mountPath: /var/lib/kubelet
|
mountPath: /var/lib/kubelet
|
||||||
|
readOnly: true
|
||||||
- name: etc-systemd
|
- name: etc-systemd
|
||||||
mountPath: /etc/systemd
|
mountPath: /etc/systemd
|
||||||
|
readOnly: true
|
||||||
- name: etc-kubernetes
|
- name: etc-kubernetes
|
||||||
mountPath: /etc/kubernetes
|
mountPath: /etc/kubernetes
|
||||||
|
readOnly: true
|
||||||
restartPolicy: Never
|
restartPolicy: Never
|
||||||
volumes:
|
volumes:
|
||||||
- name: var-lib-kubelet
|
- name: var-lib-kubelet
|
||||||
|
@ -14,10 +14,13 @@ spec:
|
|||||||
volumeMounts:
|
volumeMounts:
|
||||||
- name: var-lib-kubelet
|
- name: var-lib-kubelet
|
||||||
mountPath: /var/lib/kubelet
|
mountPath: /var/lib/kubelet
|
||||||
|
readOnly: true
|
||||||
- name: etc-systemd
|
- name: etc-systemd
|
||||||
mountPath: /etc/systemd
|
mountPath: /etc/systemd
|
||||||
|
readOnly: true
|
||||||
- name: etc-kubernetes
|
- name: etc-kubernetes
|
||||||
mountPath: /etc/kubernetes
|
mountPath: /etc/kubernetes
|
||||||
|
readOnly: true
|
||||||
restartPolicy: Never
|
restartPolicy: Never
|
||||||
volumes:
|
volumes:
|
||||||
- name: var-lib-kubelet
|
- name: var-lib-kubelet
|
||||||
|
@ -20,12 +20,15 @@ spec:
|
|||||||
volumeMounts:
|
volumeMounts:
|
||||||
- name: var-lib-etcd
|
- name: var-lib-etcd
|
||||||
mountPath: /var/lib/etcd
|
mountPath: /var/lib/etcd
|
||||||
|
readOnly: true
|
||||||
- name: etc-kubernetes
|
- name: etc-kubernetes
|
||||||
mountPath: /etc/kubernetes
|
mountPath: /etc/kubernetes
|
||||||
|
readOnly: true
|
||||||
# /usr/bin is mounted to access kubectl / kubelet, for auto-detecting the Kubernetes version.
|
# /usr/bin is mounted to access kubectl / kubelet, for auto-detecting the Kubernetes version.
|
||||||
# You can omit this mount if you specify --version as part of the command.
|
# You can omit this mount if you specify --version as part of the command.
|
||||||
- name: usr-bin
|
- name: usr-bin
|
||||||
mountPath: /usr/bin
|
mountPath: /usr/bin
|
||||||
|
readOnly: true
|
||||||
restartPolicy: Never
|
restartPolicy: Never
|
||||||
volumes:
|
volumes:
|
||||||
- name: var-lib-etcd
|
- name: var-lib-etcd
|
||||||
|
@ -14,14 +14,18 @@ spec:
|
|||||||
volumeMounts:
|
volumeMounts:
|
||||||
- name: var-lib-kubelet
|
- name: var-lib-kubelet
|
||||||
mountPath: /var/lib/kubelet
|
mountPath: /var/lib/kubelet
|
||||||
|
readOnly: true
|
||||||
- name: etc-systemd
|
- name: etc-systemd
|
||||||
mountPath: /etc/systemd
|
mountPath: /etc/systemd
|
||||||
|
readOnly: true
|
||||||
- name: etc-kubernetes
|
- name: etc-kubernetes
|
||||||
mountPath: /etc/kubernetes
|
mountPath: /etc/kubernetes
|
||||||
|
readOnly: true
|
||||||
# /usr/bin is mounted to access kubectl / kubelet, for auto-detecting the Kubernetes version.
|
# /usr/bin is mounted to access kubectl / kubelet, for auto-detecting the Kubernetes version.
|
||||||
# You can omit this mount if you specify --version as part of the command.
|
# You can omit this mount if you specify --version as part of the command.
|
||||||
- name: usr-bin
|
- name: usr-bin
|
||||||
mountPath: /usr/bin
|
mountPath: /usr/bin
|
||||||
|
readOnly: true
|
||||||
restartPolicy: Never
|
restartPolicy: Never
|
||||||
volumes:
|
volumes:
|
||||||
- name: var-lib-kubelet
|
- name: var-lib-kubelet
|
||||||
|
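--- a/job.yaml
+++ b/job.yaml
@@ -17,16 +17,21 @@ spec:
 volumeMounts:
 - name: var-lib-etcd
 mountPath: /var/lib/etcd
+readOnly: true
 - name: var-lib-kubelet
 mountPath: /var/lib/kubelet
+readOnly: true
 - name: etc-systemd
 mountPath: /etc/systemd
+readOnly: true
 - name: etc-kubernetes
 mountPath: /etc/kubernetes
+readOnly: true
 # /usr/bin is mounted to access kubectl / kubelet, for auto-detecting the Kubernetes version.
 # You can omit this mount if you specify --version as part of the command.
 - name: usr-bin
 mountPath: /usr/bin
+readOnly: true
 restartPolicy: Never
 volumes:
 - name: var-lib-etcd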
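Review bot: `readOnly: true` on the `/var/lib/kubelet` mount makes only the top-level bind mount read-only; mounts nested beneath that host path keep their own flags and remain writable from the container, and since the kubelet places pod volumes under /var/lib/kubelet, such submounts are likely to exist there. On clusters and runtimes that support it, `recursiveReadOnly: Enabled` on the volumeMount closes that gap; where it is not available, the limitation deserves a comment above the mount, e.g. `# readOnly covers this bind mount only, not mounts nested under /var/lib/kubelet on the host`. The same caveat applies to the /var/lib/kubelet and /var/lib/etcd mounts in the four earlier hunks of this commit. The enclosing container spec begins before this hunk and the `volumes:` list continues after it, so the hostPath definitions themselves were not visible for review.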