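package spec

import (
	"github.com/samber/lo"
	batchv1 "k8s.io/api/batch/v1"
	corev1 "k8s.io/api/core/v1"
	"k8s.io/apimachinery/pkg/api/resource"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)

// EKS builds the one-off kube-bench Job that audits a single EKS worker node
// against the "eks-1.3.0" node benchmark. It mirrors the upstream manifest at
// https://raw.githubusercontent.com/aquasecurity/kube-bench/v0.6.9/job-eks.yaml.
//
// nodeName pins the pod to the node under audit (spec.nodeName); jobName
// becomes the Job's metadata.name. Resource requests and limits are taken from
// the package-level requestCPU/requestMem/limitCPU/limitMem values, which are
// parsed with resource.MustParse and therefore must be valid quantities.
//
// The pod intentionally runs with host-level access that kube-bench needs to
// inspect kubelet configuration on the node: HostPID and hostPath mounts of
// /var/lib/kubelet, /etc/systemd and /etc/kubernetes. Every mount is ReadOnly —
// the audit only reads those files — and privilege escalation is disabled in
// the container security context. The container image is left as
// "<placeholder>"; presumably the caller substitutes the real image before the
// Job is created (confirm against the caller).
func EKS(nodeName, jobName string) *batchv1.Job {
	// One name per host directory, shared by the mount and the volume so the
	// two halves cannot drift apart.
	const (
		volKubelet    = "var-lib-kubelet"
		volSystemd    = "etc-systemd"
		volKubernetes = "etc-kubernetes"
	)

	// readOnlyMount mounts the named volume at path without write access.
	readOnlyMount := func(name, path string) corev1.VolumeMount {
		return corev1.VolumeMount{Name: name, MountPath: path, ReadOnly: true}
	}
	// hostPathVolume exposes the node directory at path under the given name.
	hostPathVolume := func(name, path string) corev1.Volume {
		return corev1.Volume{
			Name: name,
			VolumeSource: corev1.VolumeSource{
				HostPath: &corev1.HostPathVolumeSource{Path: path},
			},
		}
	}

	return &batchv1.Job{
		ObjectMeta: metav1.ObjectMeta{
			Name: jobName,
			Annotations: map[string]string{
				"autoscaling.cast.ai/disposable": "true",
			},
			Labels: map[string]string{
				"app":                          "kube-bench",
				"app.kubernetes.io/managed-by": "castai",
			},
		},
		Spec: batchv1.JobSpec{
			// A failed audit pod is not retried.
			BackoffLimit: lo.ToPtr(int32(0)),
			Template: corev1.PodTemplateSpec{
				Spec: corev1.PodSpec{
					// Host PID namespace is required by kube-bench to locate the
					// kubelet process and its command-line flags.
					HostPID:       true,
					NodeName:      nodeName,
					RestartPolicy: corev1.RestartPolicyNever,
					// NOTE(review): the service-account token is mounted
					// explicitly; presumably kvisor-linter needs API access to
					// report results — confirm, since a node-only audit would
					// otherwise not need in-cluster credentials.
					AutomountServiceAccountToken: lo.ToPtr(true),
					Containers: []corev1.Container{
						{
							Name:  "kube-bench",
							Image: "<placeholder>",
							SecurityContext: &corev1.SecurityContext{
								// The root filesystem is left writable here;
								// kube-bench's output handling may rely on it —
								// TODO confirm before tightening.
								ReadOnlyRootFilesystem:   lo.ToPtr(false),
								AllowPrivilegeEscalation: lo.ToPtr(false),
							},
							Resources: corev1.ResourceRequirements{
								Requests: corev1.ResourceList{
									corev1.ResourceCPU:    resource.MustParse(requestCPU),
									corev1.ResourceMemory: resource.MustParse(requestMem),
								},
								Limits: corev1.ResourceList{
									corev1.ResourceCPU:    resource.MustParse(limitCPU),
									corev1.ResourceMemory: resource.MustParse(limitMem),
								},
							},
							Command: []string{
								"/usr/local/bin/kvisor-linter",
							},
							// kube-bench is invoked through kvisor-linter with the
							// rules directory baked into the image; JSON output is
							// what the controller consumes.
							Args: []string{
								"kube-bench",
								"--config-dir", "/etc/kubebench-rules/",
								"run",
								"--targets", "node",
								"--benchmark", "eks-1.3.0",
								"--json",
							},
							VolumeMounts: []corev1.VolumeMount{
								readOnlyMount(volKubelet, "/var/lib/kubelet"),
								readOnlyMount(volSystemd, "/etc/systemd"),
								readOnlyMount(volKubernetes, "/etc/kubernetes"),
							},
						},
					},
					Volumes: []corev1.Volume{
						hostPathVolume(volKubelet, "/var/lib/kubelet"),
						hostPathVolume(volSystemd, "/etc/systemd"),
						hostPathVolume(volKubernetes, "/etc/kubernetes"),
					},
				},
			},
		},
	}
}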