@rdemoraes
Last active August 18, 2022 18:05
kube-bench-gitlab-ci
stages:
  - kube-bench

Kube bench:
  stage: kube-bench
  environment:
    name: dev
  variables:
    KUBE_BENCH_VERSION: v0.6.9
  tags:
    - devops
  before_script:
    # Fetch the current stable kubectl release for the runner
    - curl -LO "https://storage.googleapis.com/kubernetes-release/release/$(curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt)/bin/linux/amd64/kubectl"
    - chmod +x kubectl && mv kubectl /usr/local/bin/
    # Start a long-running kube-bench pod; the node checks need hostPID and
    # read-only access to the kubelet, systemd and kubernetes config paths
    - |
      cat <<EOF | kubectl apply -f -
      apiVersion: v1
      kind: Pod
      metadata:
        name: kube-bench
        namespace: default
      spec:
        hostPID: true
        restartPolicy: Never
        containers:
          - name: kube-bench
            stdin: true
            tty: true
            image: docker.io/aquasec/kube-bench:$KUBE_BENCH_VERSION
            command: [ "sleep" ]
            args: [ "infinity" ]
            volumeMounts:
              - name: var-lib-kubelet
                mountPath: /var/lib/kubelet
                readOnly: true
              - name: etc-systemd
                mountPath: /etc/systemd
                readOnly: true
              - name: etc-kubernetes
                mountPath: /etc/kubernetes
                readOnly: true
        volumes:
          - name: var-lib-kubelet
            hostPath:
              path: "/var/lib/kubelet"
          - name: etc-systemd
            hostPath:
              path: "/etc/systemd"
          - name: etc-kubernetes
            hostPath:
              path: "/etc/kubernetes"
      EOF
  script:
    - kubectl -n default wait --timeout=120s --for=condition=Ready pod/kube-bench
    # No -it here: the CI job has no terminal, and a TTY would corrupt the redirected report
    - kubectl -n default exec kube-bench -- kube-bench run --targets node --benchmark eks-1.0.1 > kube-bench.out
  # Always remove the hostPID pod, even when the exec or wait step fails
  after_script:
    - kubectl -n default delete pod kube-bench --ignore-not-found
  artifacts:
    when: always
    paths:
      - kube-bench.out
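The job above only stores kube-bench.out as an artifact; it does not fail the pipeline when a check fails. The following is an added example, not part of the gist, that parses kube-bench's default text report (lines of the form `[PASS]`/`[FAIL]`/`[WARN]`/`[INFO]`, a check id and a title, which is assumed here) and returns a non-zero status when blocking findings are present. The sample report embedded in it is constructed for illustration, not output from a real scan.

```python
"""Gate a CI job on kube-bench text output.

Added example, not part of the gist above. It assumes kube-bench's default
text report, in which each check is printed as "[PASS]", "[FAIL]", "[WARN]"
or "[INFO]" followed by the check id and its title. The sample below is
constructed to look like that output; it is not a real scan result.
"""
import re
import sys
from collections import Counter

# One result line: status in brackets, dotted check id, free-text title
CHECK_LINE = re.compile(r"^\[(PASS|FAIL|WARN|INFO)\]\s+(\d+(?:\.\d+)*)\s+(.*)$")

# Constructed sample of a node-target run; ids and titles are illustrative only.
SAMPLE_REPORT = """\
[INFO] 3 Worker Node Security Configuration
[INFO] 3.1 Worker Node Configuration Files
[PASS] 3.1.1 Ensure that the kubeconfig file permissions are set to 644 or more restrictive (Manual)
[FAIL] 3.1.2 Ensure that the kubelet kubeconfig file ownership is set to root:root (Manual)
[WARN] 3.2.1 Ensure that the --anonymous-auth argument is set to false (Automated)
[PASS] 3.2.2 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)

== Summary node ==
2 checks PASS
1 checks FAIL
1 checks WARN
2 checks INFO
"""


def parse_report(text):
    """Return a list of (status, check_id, title) tuples, one per check line."""
    results = []
    for line in text.splitlines():
        m = CHECK_LINE.match(line.strip())
        if m:
            results.append((m.group(1), m.group(2), m.group(3)))
    return results


def summarize(results):
    """Count checks per status (PASS/FAIL/WARN/INFO)."""
    return Counter(status for status, _, _ in results)


def failing_checks(results, fail_on_warn=False):
    """Checks that should block the pipeline: FAIL, and optionally WARN."""
    blocking = {"FAIL", "WARN"} if fail_on_warn else {"FAIL"}
    return [r for r in results if r[0] in blocking]


def gate(text, fail_on_warn=False):
    """Exit status for CI: 0 when nothing blocks, 1 when blocking checks exist."""
    results = parse_report(text)
    blocking = failing_checks(results, fail_on_warn)
    for status, check_id, title in blocking:
        print(f"{status} {check_id} {title}")
    print("summary:", dict(summarize(results)))
    return 1 if blocking else 0


if __name__ == "__main__":
    # Usage: python3 kube_bench_gate.py [--fail-on-warn] [kube-bench.out]
    paths = [a for a in sys.argv[1:] if not a.startswith("--")]
    source = open(paths[0]).read() if paths else SAMPLE_REPORT
    sys.exit(gate(source, fail_on_warn="--fail-on-warn" in sys.argv))
```

To use it in the job, add a line such as `python3 kube_bench_gate.py kube-bench.out` (file name assumed) to `script:` after the `kubectl exec` step; the artifact is still uploaded because of `when: always`, so the full report is available when the gate fails.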