mirror of
https://github.com/aquasecurity/kube-bench.git
synced 2024-12-18 20:58:10 +00:00
77f66511e7
By setting all host-mounted volumes to be read-only we reduce the likelihood any host filesystem is modified by running kube-bench.
38 lines
970 B
YAML
38 lines
970 B
YAML
---
|
|
apiVersion: batch/v1
|
|
kind: Job
|
|
metadata:
|
|
name: kube-bench
|
|
spec:
|
|
template:
|
|
spec:
|
|
hostPID: true
|
|
containers:
|
|
- name: kube-bench
|
|
image: aquasec/kube-bench:latest
|
|
command: ["kube-bench", "--version", "1.13", "node"]
|
|
volumeMounts:
|
|
- name: var-lib-kubelet
|
|
mountPath: /var/lib/kubelet
|
|
readOnly: true
|
|
- name: etc-systemd
|
|
mountPath: /etc/systemd
|
|
readOnly: true
|
|
- name: etc-kubernetes
|
|
mountPath: /etc/kubernetes
|
|
readOnly: true
|
|
restartPolicy: Never
|
|
volumes:
|
|
- name: var-lib-kubelet
|
|
hostPath:
|
|
path: "/var/lib/kubelet"
|
|
- name: etc-systemd
|
|
hostPath:
|
|
path: "/lib/systemd"
|
|
- name: etc-kubernetes
|
|
hostPath:
|
|
path: "/etc/kubernetes"
|
|
- name: usr-bin
|
|
hostPath:
|
|
path: "/usr/bin"
|