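package spec

import (
	"github.com/samber/lo"
	batchv1 "k8s.io/api/batch/v1"
	corev1 "k8s.io/api/core/v1"
	"k8s.io/apimachinery/pkg/api/resource"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)

// AKS builds the kube-bench Job that audits a single AKS node against the
// "aks-1.3" benchmark. The pod is pinned to nodeName and the Job is named
// jobName. The container image is left as "<placeholder>"; the caller is
// expected to set it before the Job is created.
//
// The pod is deliberately given a narrow slice of host access: it shares the
// host PID namespace and mounts a handful of host directories read-only, which
// is what the upstream kube-bench node job uses to inspect the kubelet and its
// configuration. Privilege escalation is disabled and the Job never retries.
//
// Derived from
// https://raw.githubusercontent.com/aquasecurity/kube-bench/v0.6.9/job-aks.yaml
func AKS(nodeName, jobName string) *batchv1.Job {
	// Host directories kube-bench reads. Each entry yields one read-only
	// VolumeMount and its backing hostPath Volume; keeping them in a single
	// table guarantees the two lists stay in sync and in the same order.
	hostDirs := []struct{ name, path string }{
		{"var-lib-kubelet", "/var/lib/kubelet"},
		{"etc-systemd", "/etc/systemd"},
		{"etc-default", "/etc/default"},
		{"etc-kubernetes", "/etc/kubernetes"},
	}
	mounts := make([]corev1.VolumeMount, 0, len(hostDirs))
	volumes := make([]corev1.Volume, 0, len(hostDirs))
	for _, d := range hostDirs {
		mounts = append(mounts, corev1.VolumeMount{
			Name:      d.name,
			MountPath: d.path,
			// Read-only so the audit pod cannot alter node configuration.
			ReadOnly: true,
		})
		volumes = append(volumes, corev1.Volume{
			Name: d.name,
			VolumeSource: corev1.VolumeSource{
				HostPath: &corev1.HostPathVolumeSource{Path: d.path},
			},
		})
	}

	return &batchv1.Job{
		ObjectMeta: metav1.ObjectMeta{
			Name: jobName,
			Annotations: map[string]string{
				"autoscaling.cast.ai/disposable": "true",
			},
			Labels: map[string]string{
				"app":                          "kube-bench",
				"app.kubernetes.io/managed-by": "castai",
			},
		},
		Spec: batchv1.JobSpec{
			// A failed audit is reported as-is rather than re-run.
			BackoffLimit: lo.ToPtr(int32(0)),
			Template: corev1.PodTemplateSpec{
				Spec: corev1.PodSpec{
					// Host PID namespace is what the upstream kube-bench job
					// manifest uses for its node-level checks.
					HostPID:       true,
					NodeName:      nodeName,
					RestartPolicy: corev1.RestartPolicyNever,
					// NOTE(review): the node benchmark runs entirely against
					// host files; confirm the linter actually needs an API
					// token here, otherwise this can be set to false.
					AutomountServiceAccountToken: lo.ToPtr(true),
					Containers: []corev1.Container{
						{
							Name:  "kube-bench",
							Image: "<placeholder>",
							SecurityContext: &corev1.SecurityContext{
								// NOTE(review): a writable root filesystem is
								// kept from the upstream manifest; verify the
								// linter needs it before tightening.
								ReadOnlyRootFilesystem:   lo.ToPtr(false),
								AllowPrivilegeEscalation: lo.ToPtr(false),
							},
							Resources: corev1.ResourceRequirements{
								Requests: corev1.ResourceList{
									corev1.ResourceCPU:    resource.MustParse(requestCPU),
									corev1.ResourceMemory: resource.MustParse(requestMem),
								},
								Limits: corev1.ResourceList{
									corev1.ResourceCPU:    resource.MustParse(limitCPU),
									corev1.ResourceMemory: resource.MustParse(limitMem),
								},
							},
							Command: []string{
								"/usr/local/bin/kvisor-linter",
							},
							Args: []string{
								"kube-bench",
								"--config-dir", "/etc/kubebench-rules/",
								"run",
								"--targets", "node",
								"--benchmark", "aks-1.3",
								"--json",
							},
							VolumeMounts: mounts,
						},
					},
					Volumes: volumes,
				},
			},
		},
	}
}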