k8s/kube-bench.yml +5 −3 Original line number Diff line number Diff line Loading @@ -2,7 +2,6 @@ variables: KUBE_BENCH_VERSION: main # Or use for example v0.6.7 from the available tags on https://github.com/aquasecurity/kube-bench/tags KUBE_BENCH_MANIFEST: https://raw.githubusercontent.com/aquasecurity/kube-bench/${KUBE_BENCH_VERSION}/job.yaml # KUBE_BENCH_JOB_NAME: kube-bench # Needs to match the metadata name in the job manifest k8s:kube-bench:prepare: stage: .pre Loading @@ -11,9 +10,12 @@ k8s:kube-bench:prepare: - apk add --no-cache yq - wget -O job.yaml ${KUBE_BENCH_MANIFEST} - yq eval -i '.spec.template.spec.containers[0].command = ["kube-bench", "--junit", "--alsologtostderr", "--outputfile", "kube-bench.xml"]' job.yaml - echo "KUBE_BENCH_NAME=$(yq eval .metadata.name job.yaml)" > KUBE_BENCH_NAME.env artifacts: paths: - job.yaml reports: dotenv: KUBE_BENCH_NAME.env k8s:kube-bench: stage: test Loading @@ -23,8 +25,8 @@ k8s:kube-bench: - kubectl delete -f job.yaml --ignore-not-found=true - kubectl apply -f job.yaml - kubectl wait -f job.yaml --for=condition=complete=true # - kubectl logs -f jobs/${KUBE_BENCH_JOB_NAME} - kubectl delete -f job.yaml --ignore-not-found=true - kubectl logs -f jobs/${KUBE_BENCH_NAME} - if [ -z ${KUBE_BENCH_KEEP_JOB} ]; then kubectl delete -f job.yaml --ignore-not-found=true; fi needs: ["k8s:kube-bench:prepare"] artifacts: reports: Loading
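Review bot: The two added shell lines in the `k8s:kube-bench` hunk expand their variables unquoted, in `kubectl logs -f jobs/${KUBE_BENCH_NAME}` and in `[ -z ${KUBE_BENCH_KEEP_JOB} ]`. `KUBE_BENCH_NAME` is read by `yq` from a manifest that the prepare job downloads from `KUBE_BENCH_VERSION: main`, a mutable ref, so its value is not controlled by this repository, yet it flows through the dotenv report into a shell command. I would quote both, as `kubectl logs -f "jobs/${KUBE_BENCH_NAME}"` and `if [ -z "${KUBE_BENCH_KEEP_JOB:-}" ]; then kubectl delete -f job.yaml --ignore-not-found=true; fi`, and have the prepare job fail when the extracted name is empty or not a single plain DNS label before it writes `KUBE_BENCH_NAME.env`. Separately, the conditional delete appears to sit in the same command list as `kubectl wait`, so a failed or timed-out wait would skip both the logs and the cleanup and leave the job in the cluster; moving the delete to `after_script` would cover that case, though the job's keys start outside the hunk, so this needs confirming.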