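package spec

import (
	"github.com/samber/lo"
	batchv1 "k8s.io/api/batch/v1"
	corev1 "k8s.io/api/core/v1"
	"k8s.io/apimachinery/pkg/api/resource"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)

const (
	limitCPU   = "200m"
	limitMem   = "128Mi"
	requestCPU = "10m"
	requestMem = "64Mi"
)

// hostMount pairs a directory on the node with the path the kube-bench
// container reads it from. Each entry produces exactly one read-only
// VolumeMount and one HostPath Volume sharing the same name, so the two
// lists in the Job spec cannot drift apart (a mount whose name has no
// matching volume makes the pod unschedulable).
type hostMount struct {
	name      string // volume name, used by both the Volume and the VolumeMount
	hostPath  string // path on the node (HostPathVolumeSource.Path)
	mountPath string // path inside the container (VolumeMount.MountPath)
}

// masterMounts lists the node paths the control-plane ("master") kube-bench
// checks inspect. Order is preserved in the generated Job spec.
var masterMounts = []hostMount{
	{name: "var-lib-etcd", hostPath: "/var/lib/etcd", mountPath: "/var/lib/etcd"},
	{name: "var-lib-kubelet", hostPath: "/var/lib/kubelet", mountPath: "/var/lib/kubelet"},
	{name: "var-lib-kube-scheduler", hostPath: "/var/lib/kube-scheduler", mountPath: "/var/lib/kube-scheduler"},
	{name: "var-lib-kube-controller-manager", hostPath: "/var/lib/kube-controller-manager", mountPath: "/var/lib/kube-controller-manager"},
	{name: "etc-systemd", hostPath: "/etc/systemd", mountPath: "/etc/systemd"},
	{name: "lib-systemd", hostPath: "/lib/systemd", mountPath: "/lib/systemd/"},
	{name: "srv-kubernetes", hostPath: "/srv/kubernetes", mountPath: "/srv/kubernetes/"},
	{name: "etc-kubernetes", hostPath: "/etc/kubernetes", mountPath: "/etc/kubernetes"},
	// /usr/local/mount-from-host/bin is mounted to access kubectl / kubelet, for auto-detecting the Kubernetes version.
	// You can omit this mount if you specify --version as part of the command.
	{name: "usr-bin", hostPath: "/usr/bin", mountPath: "/usr/local/mount-from-host/bin"},
	{name: "etc-cni-netd", hostPath: "/etc/cni/net.d/", mountPath: "/etc/cni/net.d/"},
	{name: "opt-cni-bin", hostPath: "/opt/cni/bin/", mountPath: "/opt/cni/bin/"},
	{name: "etc-passwd", hostPath: "/etc/passwd", mountPath: "/etc/passwd"},
	{name: "etc-group", hostPath: "/etc/group", mountPath: "/etc/group"},
}

// volumeMounts renders masterMounts as read-only container mounts.
func volumeMounts(mounts []hostMount) []corev1.VolumeMount {
	out := make([]corev1.VolumeMount, 0, len(mounts))
	for _, m := range mounts {
		out = append(out, corev1.VolumeMount{
			Name:      m.name,
			MountPath: m.mountPath,
			ReadOnly:  true,
		})
	}
	return out
}

// volumes renders masterMounts as HostPath pod volumes.
func volumes(mounts []hostMount) []corev1.Volume {
	out := make([]corev1.Volume, 0, len(mounts))
	for _, m := range mounts {
		out = append(out, corev1.Volume{
			Name: m.name,
			VolumeSource: corev1.VolumeSource{
				HostPath: &corev1.HostPathVolumeSource{
					Path: m.hostPath,
				},
			},
		})
	}
	return out
}

// Master builds the one-shot Job that runs the kube-bench control-plane
// ("master") checks on the node nodeName. jobName becomes the Job's
// metadata.name. The spec mirrors the upstream kube-bench job-master.yaml
// (link below), which is why the pod needs HostPID and a set of read-only
// HostPath mounts of control-plane configuration directories; the container
// itself runs with a read-only root filesystem and privilege escalation
// disabled. The container image is left as "<placeholder>" here —
// presumably the caller overwrites it before submitting the Job; verify.
func Master(nodeName, jobName string) *batchv1.Job {
	//https://raw.githubusercontent.com/aquasecurity/kube-bench/v0.6.9/job-master.yaml
	return &batchv1.Job{
		TypeMeta: metav1.TypeMeta{},
		ObjectMeta: metav1.ObjectMeta{
			Name: jobName,
			Annotations: map[string]string{
				"autoscaling.cast.ai/disposable": "true",
			},
			Labels: map[string]string{
				"app":                          "kube-bench",
				"app.kubernetes.io/managed-by": "castai",
			},
		},
		Spec: batchv1.JobSpec{
			// A failed run is not retried; the caller decides what to do with the result.
			BackoffLimit: lo.ToPtr(int32(0)),
			Template: corev1.PodTemplateSpec{
				Spec: corev1.PodSpec{
					// HostPID lets the checks inspect host process command lines (upstream requirement).
					HostPID: true,
					// https://github.com/cloudnativelabs/kube-router/blob/master/daemonset/kube-router-proxy-daemonset.yaml#L102
					// Control-plane nodes are normally tainted; tolerate everything so the Job can land there.
					Tolerations: []corev1.Toleration{
						{
							Effect:   "NoSchedule",
							Operator: "Exists",
						},
						{
							Key:      "CriticalAddonsOnly",
							Operator: "Exists",
						},
						{
							Effect:   "NoExecute",
							Operator: "Exists",
						},
					},
					// Pinned directly to the node under test; no scheduler placement.
					NodeName:                     nodeName,
					RestartPolicy:                "Never",
					AutomountServiceAccountToken: lo.ToPtr(true),
					Containers: []corev1.Container{
						{
							Name:  "kube-bench",
							Image: "<placeholder>",
							SecurityContext: &corev1.SecurityContext{
								ReadOnlyRootFilesystem:   lo.ToPtr(true),
								AllowPrivilegeEscalation: lo.ToPtr(false),
							},
							Resources: corev1.ResourceRequirements{
								Requests: corev1.ResourceList{
									corev1.ResourceCPU:    resource.MustParse(requestCPU),
									corev1.ResourceMemory: resource.MustParse(requestMem),
								},
								Limits: corev1.ResourceList{
									corev1.ResourceCPU:    resource.MustParse(limitCPU),
									corev1.ResourceMemory: resource.MustParse(limitMem),
								},
							},
							Command: []string{
								"/usr/local/bin/kvisor-linter",
							},
							Args: []string{
								"kube-bench",
								"--config-dir", "/etc/kubebench-rules/",
								"run",
								"--targets", "master",
								"--json",
							},
							VolumeMounts: volumeMounts(masterMounts),
						},
					},
					Volumes: volumes(masterMounts),
				},
			},
		},
	}
}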