---
# Identity the kube-bench Job runs as (referenced by serviceAccountName in the
# Job below). It carries no Kubernetes RBAC bindings in this file; the only
# thing it is used for is to attach an AWS IAM role via IRSA.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: kube-bench
  # If using a dedicated IAM role for kube-bench, uncomment the annotations
  # block below and replace the ROLE_ARN.
  # The Job runs with --asff, which is expected to publish findings to AWS
  # Security Hub, so the role needs exactly that permission and nothing
  # broader; <ROLE_ARN> is a placeholder for your account's role ARN.
  # annotations:
  #   eks.amazonaws.com/role-arn: "<ROLE_ARN>"

---
# Per-account settings for the eks-1.0 benchmark. The Job mounts the single
# config.yaml key at /opt/kube-bench/cfg/eks-1.0/config.yaml (subPath mount),
# where kube-bench presumably reads it as YAML. Replace every <...> placeholder
# before applying, and keep the values quoted: an unquoted account number
# would otherwise be parsed as an integer and an ARN contains ':' sequences.
# None of these values are secrets, so a ConfigMap (not a Secret) is adequate.
apiVersion: v1
kind: ConfigMap
metadata:
  name: kube-bench-eks-config
data:
  config.yaml: |
    AWS_ACCOUNT: "<AWS_ACCT_NUMBER>"
    AWS_REGION: "<AWS_REGION>"
    CLUSTER_ARN: "<AWS_CLUSTER_ARN>"

---
# One-shot Job that runs the kube-bench EKS node benchmark on the node it is
# scheduled to. It is a single pod, so it audits one node per run; a DaemonSet
# would be needed to cover every node (not provided here).
apiVersion: batch/v1
kind: Job
metadata:
  name: kube-bench
spec:
  template:
    spec:
      # Shares the node's PID namespace, presumably so kube-bench can inspect
      # the kubelet process and its flags - confirm against the kube-bench
      # docs. This is a privileged setting: keep the Job in a dedicated
      # namespace and do not copy this spec into ordinary workloads.
      hostPID: true
      containers:
        - name: kube-bench
          # Push the image to your ECR and then refer to it here
          # image: <ID.dkr.ecr.region.amazonaws.com/aquasec/kube-bench:ref>
          # ':latest' is a mutable tag; the binary that runs may differ from
          # the one you reviewed. Pin an immutable tag or digest (the ECR
          # reference above is the place to do it) before using this in
          # a compliance pipeline.
          image: aquasec/kube-bench:latest
          # --targets node: node-level checks only (the EKS control plane is
          # AWS-managed). --benchmark eks-1.0 selects the config directory the
          # ConfigMap is mounted into. --asff emits findings in AWS Security
          # Finding Format using AWS_ACCOUNT/AWS_REGION/CLUSTER_ARN from the
          # ConfigMap, which is why the pod needs AWS credentials (IRSA on the
          # ServiceAccount).
          command: ["kube-bench", "run", "--targets", "node", "--benchmark", "eks-1.0", "--asff"]
          # Host paths are mounted read-only: the benchmark only inspects
          # kubelet, systemd and Kubernetes configuration, never writes it.
          volumeMounts:
            - name: var-lib-kubelet
              mountPath: /var/lib/kubelet
              readOnly: true
            - name: etc-systemd
              mountPath: /etc/systemd
              readOnly: true
            - name: etc-kubernetes
              mountPath: /etc/kubernetes
              readOnly: true
            # subPath mounts just the config.yaml file so the rest of the
            # image's eks-1.0 directory (the check definitions) stays intact.
            - name: kube-bench-eks-config
              mountPath: "/opt/kube-bench/cfg/eks-1.0/config.yaml"
              subPath: config.yaml
              readOnly: true
      # Never restart the container; a failed run leaves its pod for
      # inspection via 'kubectl logs' instead of looping.
      restartPolicy: Never
      # ServiceAccount defined above; carries the optional IAM role annotation.
      serviceAccountName: kube-bench
      volumes:
        # hostPath volumes expose node files to the pod. They are the reason
        # this Job must be treated as privileged even though the mounts are
        # read-only; restrict who may create pods in this namespace.
        - name: var-lib-kubelet
          hostPath:
            path: "/var/lib/kubelet"
        - name: etc-systemd
          hostPath:
            path: "/etc/systemd"
        - name: etc-kubernetes
          hostPath:
            path: "/etc/kubernetes"
        - name: kube-bench-eks-config
          configMap:
            name: kube-bench-eks-config
            # Project only the one key that is mounted; other keys added to the
            # ConfigMap later will not appear in the pod.
            items:
              - key: config.yaml
                path: config.yaml