job.yaml: Adding /var/lib/cni mounts for proper CIS 1.1.9 and 1.1.0 checking (#1547)

Signed-off-by: Andrey Polovov <andrey.polovov@flant.com> Signed-off-by: Andrey Pavlov <andrey.pavlov@flant.com> Co-authored-by: Andrey Pavlov <andrey.pavlov@flant.com> Co-authored-by: chenk <hen.keinan@gmail.com>
3 months ago · faeceb5dfa
parent 30217061ac
commit faeceb5dfa
3 changed files with 18 additions and 0 deletions
--- a/job-master.yaml
+++ b/job-master.yaml
@ -29,6 +29,9 @@ spec:
          image: docker.io/aquasec/kube-bench:latest
          command: ["kube-bench", "run", "--targets", "master"]
          volumeMounts:
+            - name: var-lib-cni
+              mountPath: /var/lib/cni
+              readOnly: true
            - name: var-lib-etcd
              mountPath: /var/lib/etcd
              readOnly: true
@ -72,6 +75,9 @@ spec:
              readOnly: true
      restartPolicy: Never
      volumes:
+        - name: var-lib-cni
+          hostPath:
+            path: "/var/lib/cni"
        - name: var-lib-etcd
          hostPath:
            path: "/var/lib/etcd"
--- a/job-node.yaml
+++ b/job-node.yaml
@ -12,6 +12,9 @@ spec:
          image: docker.io/aquasec/kube-bench:latest
          command: ["kube-bench", "run", "--targets", "node"]
          volumeMounts:
+            - name: var-lib-cni
+              mountPath: /var/lib/cni
+              readOnly: true
            - name: var-lib-etcd
              mountPath: /var/lib/etcd
              readOnly: true
@ -49,6 +52,9 @@ spec:
              readOnly: true
      restartPolicy: Never
      volumes:
+        - name: var-lib-cni
+          hostPath:
+            path: "/var/lib/cni"
        - name: var-lib-etcd
          hostPath:
            path: "/var/lib/etcd"
--- a/job.yaml
+++ b/job.yaml
@ -14,6 +14,9 @@ spec:
          image: docker.io/aquasec/kube-bench:v0.7.1
          name: kube-bench
          volumeMounts:
+            - name: var-lib-cni
+              mountPath: /var/lib/cni
+              readOnly: true
            - mountPath: /var/lib/etcd
              name: var-lib-etcd
              readOnly: true
@ -50,6 +53,9 @@ spec:
      hostPID: true
      restartPolicy: Never
      volumes:
+        - name: var-lib-cni
+          hostPath:
+            path: /var/lib/cni
        - hostPath:
            path: /var/lib/etcd
          name: var-lib-etcd