--- apiVersion: v1 kind: ServiceAccount metadata: name: kube-bench # If using a dedicated IAM role for kube-bench, uncomment the annotations # block below and replace the ROLE_ARN # annotations: # eks.amazonaws.com/role-arn: "" --- apiVersion: v1 kind: ConfigMap metadata: name: kube-bench-eks-config data: config.yaml: | AWS_ACCOUNT: "" AWS_REGION: "" CLUSTER_ARN: "" --- apiVersion: batch/v1 kind: Job metadata: name: kube-bench spec: template: spec: hostPID: true containers: - name: kube-bench # Push the image to your ECR and then refer to it here # image: image: docker.io/aquasec/kube-bench:latest command: [ "kube-bench", "run", "--targets", "node", "--benchmark", "eks-1.2.0", "--asff", ] env: - name: NODE_NAME valueFrom: fieldRef: fieldPath: spec.nodeName volumeMounts: - name: var-lib-kubelet mountPath: /var/lib/kubelet readOnly: true - name: etc-systemd mountPath: /etc/systemd readOnly: true - name: etc-kubernetes mountPath: /etc/kubernetes readOnly: true - name: kube-bench-eks-config mountPath: "/opt/kube-bench/cfg/eks-1.2.0/config.yaml" subPath: config.yaml readOnly: true restartPolicy: Never serviceAccountName: kube-bench volumes: - name: var-lib-kubelet hostPath: path: "/var/lib/kubelet" - name: etc-systemd hostPath: path: "/etc/systemd" - name: etc-kubernetes hostPath: path: "/etc/kubernetes" - name: kube-bench-eks-config configMap: name: kube-bench-eks-config items: - key: config.yaml path: config.yaml