github.com/castai/kvisor@v1.7.1-0.20240516114728-b3572a2607b5/cmd/controller/state/kubebench/spec/node.go

github.com/castai/kvisor@v1.7.1-0.20240516114728-b3572a2607b5/cmd/controller/state/kubebench/spec/node.go (about)

     1  package spec
     2  
     3  import (
     4  	"github.com/samber/lo"
     5  	batchv1 "k8s.io/api/batch/v1"
     6  	corev1 "k8s.io/api/core/v1"
     7  	"k8s.io/apimachinery/pkg/api/resource"
     8  	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
     9  )
    10  
    11  func Node(nodeName, jobName string) *batchv1.Job {
    12  	//https://raw.githubusercontent.com/aquasecurity/kube-bench/v0.6.9/job-node.yaml
    13  	return &batchv1.Job{
    14  		TypeMeta: metav1.TypeMeta{},
    15  		ObjectMeta: metav1.ObjectMeta{
    16  			Name: jobName,
    17  			Annotations: map[string]string{
    18  				"autoscaling.cast.ai/disposable": "true",
    19  			},
    20  			Labels: map[string]string{
    21  				"app":                          "kube-bench",
    22  				"app.kubernetes.io/managed-by": "castai",
    23  			},
    24  		},
    25  		Spec: batchv1.JobSpec{
    26  			BackoffLimit: lo.ToPtr(int32(0)),
    27  			Template: corev1.PodTemplateSpec{
    28  				Spec: corev1.PodSpec{
    29  					HostPID:                      true,
    30  					NodeName:                     nodeName,
    31  					RestartPolicy:                "Never",
    32  					AutomountServiceAccountToken: lo.ToPtr(true),
    33  					Containers: []corev1.Container{
    34  						{
    35  							Name:  "kube-bench",
    36  							Image: "<placeholder>",
    37  							SecurityContext: &corev1.SecurityContext{
    38  								ReadOnlyRootFilesystem:   lo.ToPtr(true),
    39  								AllowPrivilegeEscalation: lo.ToPtr(false),
    40  							},
    41  							Resources: corev1.ResourceRequirements{
    42  								Requests: corev1.ResourceList{
    43  									corev1.ResourceCPU:    resource.MustParse(requestCPU),
    44  									corev1.ResourceMemory: resource.MustParse(requestMem),
    45  								},
    46  								Limits: corev1.ResourceList{
    47  									corev1.ResourceCPU:    resource.MustParse(limitCPU),
    48  									corev1.ResourceMemory: resource.MustParse(limitMem),
    49  								},
    50  							},
    51  							Command: []string{
    52  								"/usr/local/bin/kvisor-linter",
    53  							},
    54  							Args: []string{
    55  								"kube-bench",
    56  								"--config-dir", "/etc/kubebench-rules/",
    57  								"run",
    58  								"--targets",
    59  								"node",
    60  								"--json",
    61  							},
    62  							VolumeMounts: []corev1.VolumeMount{
    63  								{
    64  									Name:      "var-lib-etcd",
    65  									MountPath: "/var/lib/etcd",
    66  									ReadOnly:  true,
    67  								},
    68  								{
    69  									Name:      "var-lib-kubelet",
    70  									MountPath: "/var/lib/kubelet",
    71  									ReadOnly:  true,
    72  								},
    73  								{
    74  									Name:      "var-lib-kube-scheduler",
    75  									MountPath: "/var/lib/kube-scheduler",
    76  									ReadOnly:  true,
    77  								},
    78  								{
    79  									Name:      "var-lib-kube-controller-manager",
    80  									MountPath: "/var/lib/kube-controller-manager",
    81  									ReadOnly:  true,
    82  								},
    83  								{
    84  									Name:      "etc-systemd",
    85  									MountPath: "/etc/systemd",
    86  									ReadOnly:  true,
    87  								},
    88  								{
    89  									Name:      "lib-systemd",
    90  									MountPath: "/lib/systemd/",
    91  									ReadOnly:  true,
    92  								},
    93  								{
    94  									Name:      "srv-kubernetes",
    95  									MountPath: "/srv/kubernetes/",
    96  									ReadOnly:  true,
    97  								},
    98  								{
    99  									Name:      "etc-kubernetes",
   100  									MountPath: "/etc/kubernetes",
   101  									ReadOnly:  true,
   102  								},
   103  								// /usr/local/mount-from-host/bin is mounted to access kubectl / kubelet, for auto-detecting the Kubernetes version.
   104  								// You can omit this mount if you specify --version as part of the command.
   105  								{
   106  									Name:      "usr-bin",
   107  									MountPath: "/usr/local/mount-from-host/bin",
   108  									ReadOnly:  true,
   109  								},
   110  								{
   111  									Name:      "etc-cni-netd",
   112  									MountPath: "/etc/cni/net.d/",
   113  									ReadOnly:  true,
   114  								},
   115  								{
   116  									Name:      "opt-cni-bin",
   117  									MountPath: "/opt/cni/bin/",
   118  									ReadOnly:  true,
   119  								},
   120  							},
   121  						},
   122  					},
   123  					Volumes: []corev1.Volume{
   124  						{
   125  							Name: "var-lib-etcd",
   126  							VolumeSource: corev1.VolumeSource{
   127  								HostPath: &corev1.HostPathVolumeSource{
   128  									Path: "/var/lib/etcd",
   129  								},
   130  							},
   131  						},
   132  						{
   133  							Name: "var-lib-kubelet",
   134  							VolumeSource: corev1.VolumeSource{
   135  								HostPath: &corev1.HostPathVolumeSource{
   136  									Path: "/var/lib/kubelet",
   137  								},
   138  							},
   139  						},
   140  						{
   141  							Name: "var-lib-kube-scheduler",
   142  							VolumeSource: corev1.VolumeSource{
   143  								HostPath: &corev1.HostPathVolumeSource{
   144  									Path: "/var/lib/kube-scheduler",
   145  								},
   146  							},
   147  						},
   148  						{
   149  							Name: "var-lib-kube-controller-manager",
   150  							VolumeSource: corev1.VolumeSource{
   151  								HostPath: &corev1.HostPathVolumeSource{
   152  									Path: "/var/lib/kube-controller-manager",
   153  								},
   154  							},
   155  						},
   156  						{
   157  							Name: "etc-systemd",
   158  							VolumeSource: corev1.VolumeSource{
   159  								HostPath: &corev1.HostPathVolumeSource{
   160  									Path: "/etc/systemd",
   161  								},
   162  							},
   163  						},
   164  						{
   165  							Name: "lib-systemd",
   166  							VolumeSource: corev1.VolumeSource{
   167  								HostPath: &corev1.HostPathVolumeSource{
   168  									Path: "/lib/systemd",
   169  								},
   170  							},
   171  						},
   172  						{
   173  							Name: "srv-kubernetes",
   174  							VolumeSource: corev1.VolumeSource{
   175  								HostPath: &corev1.HostPathVolumeSource{
   176  									Path: "/srv/kubernetes",
   177  								},
   178  							},
   179  						},
   180  						{
   181  							Name: "etc-kubernetes",
   182  							VolumeSource: corev1.VolumeSource{
   183  								HostPath: &corev1.HostPathVolumeSource{
   184  									Path: "/etc/kubernetes",
   185  								},
   186  							},
   187  						},
   188  						{
   189  							Name: "usr-bin",
   190  							VolumeSource: corev1.VolumeSource{
   191  								HostPath: &corev1.HostPathVolumeSource{
   192  									Path: "/usr/bin",
   193  								},
   194  							},
   195  						},
   196  						{
   197  							Name: "etc-cni-netd",
   198  							VolumeSource: corev1.VolumeSource{
   199  								HostPath: &corev1.HostPathVolumeSource{
   200  									Path: "/etc/cni/net.d/",
   201  								},
   202  							},
   203  						},
   204  						{
   205  							Name: "opt-cni-bin",
   206  							VolumeSource: corev1.VolumeSource{
   207  								HostPath: &corev1.HostPathVolumeSource{
   208  									Path: "/opt/cni/bin/",
   209  								},
   210  							},
   211  						},
   212  					},
   213  				},
   214  			},
   215  		},
   216  	}
   217  }