package spec

import (
	"github.com/samber/lo"
	batchv1 "k8s.io/api/batch/v1"
	corev1 "k8s.io/api/core/v1"
	"k8s.io/apimachinery/pkg/api/resource"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)

// GKE builds a one-shot batch Job that runs the kube-bench linter against a
// single GKE node. The spec mirrors upstream kube-bench's job-gke.yaml
// (https://raw.githubusercontent.com/aquasecurity/kube-bench/v0.6.9/job-gke.yaml)
// with a few additions: CAST AI labels/annotations, resource requests/limits
// and a tightened container security context.
//
// Parameters:
//   - nodeName: the node the pod is pinned to via spec.nodeName. This bypasses
//     the scheduler, so the node must exist and be able to run the pod.
//   - jobName: metadata.name of the Job; uniqueness within the target
//     namespace is the caller's responsibility.
//
// Returns the Job object only; nothing is submitted to the API server here.
// The container image is left as "<placeholder>" and must be filled in by
// the caller before the Job is created (ideally pinned by digest).
//
// Security notes (review):
//   - hostPID=true together with read-only hostPath mounts of
//     /var/lib/kubelet, /etc/systemd, /etc/kubernetes and /home/kubernetes is
//     what lets kube-bench inspect the kubelet process and its config files.
//     This needs the "privileged" Pod Security Standard on the namespace: the
//     pod can read any host file below those paths and see every host
//     process, so only a trusted image should ever be run here.
//   - A service-account token is auto-mounted (presumably required for the
//     "policies" target's API calls — confirm against kube-bench); keep that
//     account's RBAC read-only.
//   - The container gets readOnlyRootFilesystem and
//     allowPrivilegeEscalation=false, but no capabilities are dropped, no
//     seccomp profile is set and the UID is whatever the image defaults to.
//     Dropping ALL capabilities would be a reasonable further hardening if
//     kube-bench's file and /proc reads still succeed on the node image —
//     verify on a real node before changing.
func GKE(nodeName, jobName string) *batchv1.Job {
	// Host directories kube-bench needs. Each entry becomes one read-only
	// volumeMount backed by a hostPath volume of the same path; the order is
	// kept stable so generated manifests diff cleanly.
	hostDirs := []struct {
		name string
		path string
	}{
		{"var-lib-kubelet", "/var/lib/kubelet"},
		{"etc-systemd", "/etc/systemd"},
		{"etc-kubernetes", "/etc/kubernetes"},
		{"home-kubernetes", "/home/kubernetes"},
	}

	mounts := make([]corev1.VolumeMount, 0, len(hostDirs))
	volumes := make([]corev1.Volume, 0, len(hostDirs))
	for _, d := range hostDirs {
		mounts = append(mounts, corev1.VolumeMount{
			Name:      d.name,
			MountPath: d.path,
			ReadOnly:  true,
		})
		volumes = append(volumes, corev1.Volume{
			Name: d.name,
			VolumeSource: corev1.VolumeSource{
				HostPath: &corev1.HostPathVolumeSource{Path: d.path},
			},
		})
	}

	// requestCPU/requestMem/limitCPU/limitMem are package-level constants
	// defined elsewhere in this package; MustParse panics if they are not
	// valid Kubernetes quantities, which surfaces a misconfiguration early.
	benchContainer := corev1.Container{
		Name:  "kube-bench",
		Image: "<placeholder>",
		SecurityContext: &corev1.SecurityContext{
			ReadOnlyRootFilesystem:   lo.ToPtr(true),
			AllowPrivilegeEscalation: lo.ToPtr(false),
		},
		Resources: corev1.ResourceRequirements{
			Requests: corev1.ResourceList{
				corev1.ResourceCPU:    resource.MustParse(requestCPU),
				corev1.ResourceMemory: resource.MustParse(requestMem),
			},
			Limits: corev1.ResourceList{
				corev1.ResourceCPU:    resource.MustParse(limitCPU),
				corev1.ResourceMemory: resource.MustParse(limitMem),
			},
		},
		Command: []string{"/usr/local/bin/kvisor-linter"},
		// The linter wraps kube-bench: rules are read from /etc/kubebench-rules/
		// (presumably shipped in the image — verify), the CIS GKE 1.4.0
		// benchmark is pinned explicitly and results are emitted as JSON.
		Args: []string{
			"kube-bench",
			"--config-dir", "/etc/kubebench-rules/",
			"run",
			"--targets", "node,policies,managedservices",
			"--benchmark", "gke-1.4.0",
			"--json",
		},
		VolumeMounts: mounts,
	}

	podSpec := corev1.PodSpec{
		// Host PID namespace: required so kube-bench can find the kubelet
		// process and read its command-line flags.
		HostPID:                      true,
		NodeName:                     nodeName,
		RestartPolicy:                corev1.RestartPolicyNever,
		AutomountServiceAccountToken: lo.ToPtr(true),
		Containers:                   []corev1.Container{benchContainer},
		Volumes:                      volumes,
	}

	return &batchv1.Job{
		ObjectMeta: metav1.ObjectMeta{
			Name: jobName,
			// Marks the pod as safe for the CAST AI autoscaler to evict/drop.
			Annotations: map[string]string{
				"autoscaling.cast.ai/disposable": "true",
			},
			Labels: map[string]string{
				"app":                          "kube-bench",
				"app.kubernetes.io/managed-by": "castai",
			},
		},
		Spec: batchv1.JobSpec{
			// No retries: a failed scan is reported, not re-run on the node.
			BackoffLimit: lo.ToPtr(int32(0)),
			Template: corev1.PodTemplateSpec{
				Spec: podSpec,
			},
		},
	}
}