From faeceb5dfa346c788c5daa6b8efe26cb591f233b Mon Sep 17 00:00:00 2001
From: Andrey Polovov
Date: Sun, 11 Feb 2024 12:23:17 +0300
Subject: [PATCH] job.yaml: Adding /var/lib/cni mounts for proper CIS 1.1.9 and 1.1.0 checking (#1547)
Signed-off-by: Andrey Polovov
Signed-off-by: Andrey Pavlov
Co-authored-by: Andrey Pavlov
Co-authored-by: chenk
---
 job-master.yaml | 6 ++++++
 job-node.yaml | 6 ++++++
 job.yaml | 6 ++++++
 3 files changed, 18 insertions(+)
diff --git a/job-master.yaml b/job-master.yaml
index 34f24f2..4df64d3 100644
--- a/job-master.yaml
+++ b/job-master.yaml
@@ -29,6 +29,9 @@ spec:
 image: docker.io/aquasec/kube-bench:latest
 command: ["kube-bench", "run", "--targets", "master"]
 volumeMounts:
+ - name: var-lib-cni
+ mountPath: /var/lib/cni
+ readOnly: true
 - name: var-lib-etcd
 mountPath: /var/lib/etcd
 readOnly: true
@@ -72,6 +75,9 @@ spec:
 readOnly: true
 restartPolicy: Never
 volumes:
+ - name: var-lib-cni
+ hostPath:
+ path: "/var/lib/cni"
 - name: var-lib-etcd
 hostPath:
 path: "/var/lib/etcd"
diff --git a/job-node.yaml b/job-node.yaml
index 0e6f9a9..1aa7023 100644
--- a/job-node.yaml
+++ b/job-node.yaml
@@ -12,6 +12,9 @@ spec:
 image: docker.io/aquasec/kube-bench:latest
 command: ["kube-bench", "run", "--targets", "node"]
 volumeMounts:
+ - name: var-lib-cni
+ mountPath: /var/lib/cni
+ readOnly: true
 - name: var-lib-etcd
 mountPath: /var/lib/etcd
 readOnly: true
@@ -49,6 +52,9 @@ spec:
 readOnly: true
 restartPolicy: Never
 volumes:
+ - name: var-lib-cni
+ hostPath:
+ path: "/var/lib/cni"
 - name: var-lib-etcd
 hostPath:
 path: "/var/lib/etcd"
diff --git a/job.yaml b/job.yaml
index 95654ac..049f305 100644
--- a/job.yaml
+++ b/job.yaml
@@ -14,6 +14,9 @@ spec:
 image: docker.io/aquasec/kube-bench:v0.7.1
 name: kube-bench
 volumeMounts:
+ - name: var-lib-cni
+ mountPath: /var/lib/cni
+ readOnly: true
 - mountPath: /var/lib/etcd
 name: var-lib-etcd
 readOnly: true
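Review bot: The new `var-lib-cni` hostPath in the `volumes:` hunk of job-master.yaml sets no `type`, so Kubernetes performs no check on `/var/lib/cni` before mounting it, and on a host where the path is absent the runtime may create it, which would mean an audit job changes the host it is auditing. Adding `type: Directory` under `hostPath:` makes the pod fail visibly instead; the trade-off is that the job will not start on nodes without the directory, so confirm that is acceptable. The same shape appears in the `volumes:` hunks of job-node.yaml and job.yaml, and the neighbouring `var-lib-etcd` entry shown as context has it too, so this could be handled as a follow-up across the whole list. The `volumes:` list continues outside the hunk.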
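Review bot: job-node.yaml runs `kube-bench run --targets node`, yet its first hunk gives it the same `/var/lib/cni` host mount as the master job; the checks named in the commit title carry 1.1.x numbers, which as far as I can tell sit in the control-plane section of the CIS layout, so the node job may not need this mount at all. If no node-target check reads the path, leaving it out of job-node.yaml keeps the job's host access to what it actually uses. If one does, a comment above the entry such as `# read by the CNI file permission/ownership checks` would record why it is there. The mount is `readOnly: true`, which limits the exposure to reads. The container spec starts and ends outside the hunk.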
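Review bot: In job.yaml the added entries put `name` first, while the existing entries in the same lists are written with keys in alphabetical order (`- mountPath: /var/lib/etcd`, then `name`, then `readOnly`). Matching the file would make the mount `- mountPath: /var/lib/cni`, `name: var-lib-cni`, `readOnly: true`, and the volume in the second job.yaml hunk `- hostPath:` with `path: /var/lib/cni` under it, followed by `name: var-lib-cni`. This is style only; the parsed result is the same. Both lists continue outside the hunks.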
@@ -50,6 +53,9 @@ spec:
 hostPID: true
 restartPolicy: Never
 volumes:
+ - name: var-lib-cni
+ hostPath:
+ path: /var/lib/cni
 - hostPath:
 path: /var/lib/etcd
 name: var-lib-etcd