---
# Identity the kube-bench Job runs as. It carries no RBAC of its own here;
# the only thing it needs is AWS access for the `--asff` reporter, which is
# normally granted through an IRSA role annotation rather than static keys.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: kube-bench
  # To use a dedicated IAM role for kube-bench (IRSA), uncomment the block
  # below and substitute the role ARN.
  # annotations:
  #   eks.amazonaws.com/role-arn: "<ROLE_ARN>"
---
# Benchmark configuration consumed by kube-bench for the eks-1.0 profile.
# The values are placeholders; the account, region and cluster ARN identify
# where ASFF findings are reported.
apiVersion: v1
kind: ConfigMap
metadata:
  name: kube-bench-eks-config
data:
  config.yaml: |
    AWS_ACCOUNT: "<AWS_ACCT_NUMBER>"
    AWS_REGION: "<AWS_REGION>"
    CLUSTER_ARN: "<AWS_CLUSTER_ARN>"
---
# One-shot Job that runs the node checks of the eks-1.0 benchmark and reports
# results in AWS Security Finding Format (`--asff`).
apiVersion: batch/v1
kind: Job
metadata:
  name: kube-bench
spec:
  template:
    spec:
      # Host PID namespace lets the container observe node processes
      # (kube-bench inspects process arguments). This is a privileged
      # setting: keep the Job short-lived and restrict who may create it.
      hostPID: true
      serviceAccountName: kube-bench
      # A benchmark run is a one-off; a failed run is re-created by the
      # operator rather than restarted in place.
      restartPolicy: Never
      containers:
        - name: kube-bench
          # `latest` is a mutable tag. For a reproducible, reviewable scan,
          # push the image to your own ECR and reference an immutable tag or
          # digest, e.g.
          # image: <ID.dkr.ecr.region.amazonaws.com/aquasec/kube-bench:ref>
          image: aquasec/kube-bench:latest
          command:
            - kube-bench
            - run
            - --targets
            - node
            - --benchmark
            - eks-1.0
            - --asff
          # Every host mount is read-only: the scanner only needs to read
          # kubelet, systemd and kubernetes configuration on the node.
          volumeMounts:
            - name: var-lib-kubelet
              mountPath: /var/lib/kubelet
              readOnly: true
            - name: etc-systemd
              mountPath: /etc/systemd
              readOnly: true
            - name: etc-kubernetes
              mountPath: /etc/kubernetes
              readOnly: true
            # Overlay only the single config file into the benchmark
            # directory so the rest of the shipped cfg tree stays intact.
            - name: kube-bench-eks-config
              mountPath: /opt/kube-bench/cfg/eks-1.0/config.yaml
              subPath: config.yaml
              readOnly: true
      volumes:
        - name: var-lib-kubelet
          hostPath:
            path: /var/lib/kubelet
        - name: etc-systemd
          hostPath:
            path: /etc/systemd
        - name: etc-kubernetes
          hostPath:
            path: /etc/kubernetes
        - name: kube-bench-eks-config
          configMap:
            name: kube-bench-eks-config
            items:
              - key: config.yaml
                path: config.yaml