# kube-bench on OpenShift: a dedicated namespace, a ServiceAccount, the RBAC it
# needs (cluster-wide read, pod exec, and the OpenShift privileged SCC), and a
# one-shot Job that runs the rh-1.6 benchmark against the host it lands on.
---
apiVersion: v1
kind: Namespace
metadata:
  name: kube-bench
---
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app: kube-bench
  name: kube-bench-sa
  namespace: kube-bench
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app: kube-bench
  name: kube-bench-cluster-role
rules:
  # Read access to every resource in every API group, cluster-wide. Note that
  # this covers Secrets as well, so this ServiceAccount must not be reused by
  # anything other than the benchmark Job below.
  - apiGroups:
      - '*'
    resources:
      - '*'
    verbs:
      - get
      - list
  # kube-bench execs into the debug pods it spawns on OpenShift nodes.
  - apiGroups:
      - '*'
    resources:
      - pods/exec
    verbs:
      - create
  # Lifecycle of those debug pods and their throwaway namespaces.
  - apiGroups:
      - '*'
    resources:
      - pods
      - namespaces
    verbs:
      - create
      - delete
      - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    app: kube-bench
  name: kube-bench-cluster-role-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kube-bench-cluster-role
subjects:
  - kind: ServiceAccount
    name: kube-bench-sa
    # The namespace is mandatory for a ServiceAccount subject; the binding does
    # not fall back to the namespace selected in the kubeconfig.
    namespace: kube-bench
# In the kube-bench pod for OpenShift, the oc CLI creates random namespaces to
# deploy debug pods for the CIS checks, so the ServiceAccount needs the
# privileged SCC. This binding is what makes the Job below effectively
# root-on-node; review it together with hostPID and the hostPath mounts.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    app: kube-bench
  name: kube-bench-privileged
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:openshift:scc:privileged
subjects:
  - kind: ServiceAccount
    name: kube-bench-sa
    namespace: kube-bench
---
apiVersion: batch/v1
kind: Job
metadata:
  name: kube-bench
  namespace: kube-bench
spec:
  template:
    metadata:
      labels:
        app: kube-bench
    spec:
      serviceAccountName: kube-bench-sa
      # The benchmark talks to the API server with the SA token, so the token
      # must be mounted into the pod.
      automountServiceAccountToken: true
      containers:
        - name: kube-bench
          # Floating tag: the binary actually run is whatever "latest" resolves
          # to at scheduling time. Pin to a release tag or digest
          # (e.g. <PINNED_KUBE_BENCH_TAG_OR_DIGEST>) for reproducible results.
          image: docker.io/aquasec/kube-bench:latest
          command:
            - kube-bench
            - run
            - --targets
            - master,controlplane,node,etcd,policies
            - --benchmark
            - rh-1.6
          # Every host mount is read-only: the scan inspects control-plane and
          # node configuration but never writes to it.
          volumeMounts:
            - name: var-lib-cni
              mountPath: /var/lib/cni
              readOnly: true
            - name: var-lib-etcd
              mountPath: /var/lib/etcd
              readOnly: true
            - name: var-lib-kubelet
              mountPath: /var/lib/kubelet
              readOnly: true
            - name: var-lib-kube-scheduler
              mountPath: /var/lib/kube-scheduler
              readOnly: true
            - name: var-lib-kube-controller-manager
              mountPath: /var/lib/kube-controller-manager
              readOnly: true
            - name: etc-systemd
              mountPath: /etc/systemd
              readOnly: true
            - name: lib-systemd
              mountPath: /lib/systemd/
              readOnly: true
            - name: srv-kubernetes
              mountPath: /srv/kubernetes/
              readOnly: true
            - name: etc-kubernetes
              mountPath: /etc/kubernetes
              readOnly: true
            # Host binaries are mounted to a side path so they do not shadow
            # the image's own /usr/bin.
            - name: usr-bin
              mountPath: /usr/local/mount-from-host/bin
              readOnly: true
            - name: etc-cni-netd
              mountPath: /etc/cni/net.d/
              readOnly: true
            - name: opt-cni-bin
              mountPath: /opt/cni/bin/
              readOnly: true
            - name: etc-passwd
              mountPath: /etc/passwd
              readOnly: true
            - name: etc-group
              mountPath: /etc/group
              readOnly: true
      # Process checks need visibility of the host's process table.
      hostPID: true
      restartPolicy: Never
      # hostPath volumes expose host configuration (including credential
      # material under /etc/kubernetes and the etcd data directory) to this
      # pod; they are consumed read-only above.
      volumes:
        - name: var-lib-cni
          hostPath:
            path: /var/lib/cni
        - name: var-lib-etcd
          hostPath:
            path: /var/lib/etcd
        - name: var-lib-kubelet
          hostPath:
            path: /var/lib/kubelet
        - name: var-lib-kube-scheduler
          hostPath:
            path: /var/lib/kube-scheduler
        - name: var-lib-kube-controller-manager
          hostPath:
            path: /var/lib/kube-controller-manager
        - name: etc-systemd
          hostPath:
            path: /etc/systemd
        - name: lib-systemd
          hostPath:
            path: /lib/systemd
        - name: srv-kubernetes
          hostPath:
            path: /srv/kubernetes
        - name: etc-kubernetes
          hostPath:
            path: /etc/kubernetes
        - name: usr-bin
          hostPath:
            path: /usr/bin
        - name: etc-cni-netd
          hostPath:
            path: /etc/cni/net.d/
        - name: opt-cni-bin
          hostPath:
            path: /opt/cni/bin/
        - name: etc-passwd
          hostPath:
            path: /etc/passwd
        - name: etc-group
          hostPath:
            path: /etc/group