---
# Dedicated namespace that holds the benchmark Job and its ServiceAccount.
# NOTE(review): deleting this namespace removes the Job and SA but NOT the
# cluster-scoped ClusterRole/ClusterRoleBindings defined below; delete those
# explicitly too, otherwise a later kube-bench/kube-bench-sa recreated under
# the same name silently inherits the dangling (privileged) bindings.
apiVersion: v1
kind: Namespace
metadata:
  name: kube-bench
---
# Identity the benchmark Job runs as; every ClusterRoleBinding in this file
# targets this ServiceAccount, so its token is the credential to protect.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: kube-bench-sa
  namespace: kube-bench
  labels:
    app: kube-bench
---
# Cluster-wide permissions used by the benchmark's API-driven checks.
# NOTE(review): get/list on every resource in every API group includes
# Secrets, and create on pods/exec plus create/delete on pods and namespaces
# is effectively cluster-admin-equivalent. Treat the kube-bench-sa token as a
# cluster-admin credential and remove this role once the scan is finished.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kube-bench-cluster-role
  labels:
    app: kube-bench
rules:
  # Read-only access to every resource, presumably for the policies checks.
  - apiGroups: ['*']
    resources: ['*']
    verbs: ['get', 'list']
  # Exec into pods; presumably used against the node debug pods.
  - apiGroups: ['*']
    resources: ['pods/exec']
    verbs: ['create']
  # Create and tear down debug pods and the temporary namespaces `oc` makes.
  - apiGroups: ['*']
    resources: ['pods', 'namespaces']
    verbs: ['create', 'delete', 'watch']
---
# Grants the kube-bench ClusterRole above to the benchmark ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kube-bench-cluster-role-binding
  labels:
    app: kube-bench
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kube-bench-cluster-role
subjects:
  - kind: ServiceAccount
    name: kube-bench-sa
    # The namespace is mandatory here: RBAC subjects are not resolved
    # against the current namespace in the kubeconfig.
    namespace: kube-bench
---
# On OpenShift the `oc` CLI inside the kube-bench pod creates random
# namespaces and deploys debug pods for the CIS checks, so the ServiceAccount
# needs the privileged SCC.
# NOTE(review): with this binding any holder of the kube-bench-sa token can
# launch privileged pods on any node; keep the Job's lifetime short and
# remove this binding together with the rest of the manifest after the scan.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kube-bench-privileged
  labels:
    app: kube-bench
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:openshift:scc:privileged
subjects:
  - kind: ServiceAccount
    name: kube-bench-sa
    namespace: kube-bench
---
# One-shot Job that runs the OpenShift (rh-1.6) CIS benchmark against the
# master, controlplane, node, etcd and policies targets.
apiVersion: batch/v1
kind: Job
metadata:
  name: kube-bench
  namespace: kube-bench
spec:
  template:
    metadata:
      labels:
        app: kube-bench
    spec:
      serviceAccountName: kube-bench-sa
      # The SA token must be mounted: the pod drives `oc` against the API
      # with the cluster-wide permissions bound above.
      automountServiceAccountToken: true
      # Host PID namespace, presumably so the checks can inspect control-plane
      # processes. Combined with the host-path mounts below this pod is
      # effectively node-root; restrict pods/exec in this namespace to the
      # people operating the scan.
      hostPID: true
      restartPolicy: Never
      containers:
        - name: kube-bench
          # NOTE(review): a mutable `latest` tag means every run pulls whatever
          # is current on Docker Hub; pin to an immutable version tag or an
          # @sha256 digest so the scanner image is reproducible and verifiable.
          image: docker.io/aquasec/kube-bench:latest
          command:
            - kube-bench
            - run
            - --targets
            - master,controlplane,node,etcd,policies
            - --benchmark
            - rh-1.6
          # Every host path is mounted read-only; the scanner only reads
          # configuration. Several of them (etcd data dir, kubelet dir,
          # /etc/kubernetes) are sensitive by nature, so do not widen any of
          # these to read-write.
          volumeMounts:
            - name: var-lib-cni
              mountPath: /var/lib/cni
              readOnly: true
            - name: var-lib-etcd
              mountPath: /var/lib/etcd
              readOnly: true
            - name: var-lib-kubelet
              mountPath: /var/lib/kubelet
              readOnly: true
            - name: var-lib-kube-scheduler
              mountPath: /var/lib/kube-scheduler
              readOnly: true
            - name: var-lib-kube-controller-manager
              mountPath: /var/lib/kube-controller-manager
              readOnly: true
            - name: etc-systemd
              mountPath: /etc/systemd
              readOnly: true
            - name: lib-systemd
              mountPath: /lib/systemd/
              readOnly: true
            - name: srv-kubernetes
              mountPath: /srv/kubernetes/
              readOnly: true
            - name: etc-kubernetes
              mountPath: /etc/kubernetes
              readOnly: true
            # Host binaries are exposed under a separate prefix so they do
            # not shadow the image's own /usr/bin.
            - name: usr-bin
              mountPath: /usr/local/mount-from-host/bin
              readOnly: true
            - name: etc-cni-netd
              mountPath: /etc/cni/net.d/
              readOnly: true
            - name: opt-cni-bin
              mountPath: /opt/cni/bin/
              readOnly: true
            - name: etc-passwd
              mountPath: /etc/passwd
              readOnly: true
            - name: etc-group
              mountPath: /etc/group
              readOnly: true
      # Host-path volumes backing the mounts above, in the same order.
      volumes:
        - name: var-lib-cni
          hostPath:
            path: /var/lib/cni
        - name: var-lib-etcd
          hostPath:
            path: /var/lib/etcd
        - name: var-lib-kubelet
          hostPath:
            path: /var/lib/kubelet
        - name: var-lib-kube-scheduler
          hostPath:
            path: /var/lib/kube-scheduler
        - name: var-lib-kube-controller-manager
          hostPath:
            path: /var/lib/kube-controller-manager
        - name: etc-systemd
          hostPath:
            path: /etc/systemd
        - name: lib-systemd
          hostPath:
            path: /lib/systemd
        - name: srv-kubernetes
          hostPath:
            path: /srv/kubernetes
        - name: etc-kubernetes
          hostPath:
            path: /etc/kubernetes
        - name: usr-bin
          hostPath:
            path: /usr/bin
        - name: etc-cni-netd
          hostPath:
            path: /etc/cni/net.d/
        - name: opt-cni-bin
          hostPath:
            path: /opt/cni/bin/
        - name: etc-passwd
          hostPath:
            path: /etc/passwd
        - name: etc-group
          hostPath:
            path: /etc/group