mirror of
https://github.com/aquasecurity/kube-bench.git
synced 2024-11-15 20:39:08 +00:00
77f66511e7
By setting all host-mounted volumes to be read-only we reduce the likelihood any host filesystem is modified by running kube-bench.
36 lines
985 B
YAML
36 lines
985 B
YAML
---
|
|
apiVersion: batch/v1
|
|
kind: Job
|
|
metadata:
|
|
name: kube-bench
|
|
spec:
|
|
template:
|
|
spec:
|
|
hostPID: true
|
|
containers:
|
|
- name: kube-bench
|
|
# Push the image to your ECR and then refer to it here
|
|
image: <ID.dkr.ecr.region.amazonaws.com/aquasec/kube-bench:ref>
|
|
command: ["kube-bench", "--version", "1.11"]
|
|
volumeMounts:
|
|
- name: var-lib-kubelet
|
|
mountPath: /var/lib/kubelet
|
|
readOnly: true
|
|
- name: etc-systemd
|
|
mountPath: /etc/systemd
|
|
readOnly: true
|
|
- name: etc-kubernetes
|
|
mountPath: /etc/kubernetes
|
|
readOnly: true
|
|
restartPolicy: Never
|
|
volumes:
|
|
- name: var-lib-kubelet
|
|
hostPath:
|
|
path: "/var/lib/kubelet"
|
|
- name: etc-systemd
|
|
hostPath:
|
|
path: "/etc/systemd"
|
|
- name: etc-kubernetes
|
|
hostPath:
|
|
path: "/etc/kubernetes"
|