k8s/kube-bench.yml +11 −12 --- variables: KUBE_BENCH_VERSION: main # Or use for example v0.6.7 from the available tags on https://github.com/aquasecurity/kube-bench/tags KUBE_BENCH_MANIFEST: https://raw.githubusercontent.com/aquasecurity/kube-bench/${KUBE_BENCH_VERSION}/job.yaml KUBE_BENCH_MANIFEST_SOURCE: https://raw.githubusercontent.com/aquasecurity/kube-bench/${KUBE_BENCH_VERSION}/job.yaml KUBE_BENCH_MANIFEST: kube-bench/job.yaml k8s:kube-bench:prepare: stage: .pre image: alpine:latest variables: GIT_STRATEGY: none script: - apk add --no-cache yq - wget -O job.yaml ${KUBE_BENCH_MANIFEST} - yq eval -i '.spec.template.spec.containers[0].command = ["kube-bench", "--junit", "--alsologtostderr", "--outputfile", "kube-bench.xml"]' job.yaml - echo "KUBE_BENCH_NAME=$(yq eval .metadata.name job.yaml)" > KUBE_BENCH_NAME.env - if ! test -f ${KUBE_BENCH_MANIFEST}; then wget -O ${KUBE_BENCH_MANIFEST} ${KUBE_BENCH_MANIFEST_SOURCE}; fi - yq eval -i '.spec.template.spec.containers[0].command = ["kube-bench", "--junit"]' ${KUBE_BENCH_MANIFEST} - echo "KUBE_BENCH_NAME=$(yq eval .metadata.name ${KUBE_BENCH_MANIFEST})" > KUBE_BENCH_NAME.env artifacts: paths: - job.yaml - ${KUBE_BENCH_MANIFEST} reports: dotenv: KUBE_BENCH_NAME.env
@@ -26,11 +25,11 @@ k8s:kube-bench: GIT_STRATEGY: none script: - gl-use-kube-context - kubectl delete -f job.yaml --ignore-not-found=true - kubectl apply -f job.yaml - kubectl wait -f job.yaml --for=condition=complete=true - kubectl logs -f jobs/${KUBE_BENCH_NAME} - if [ -z ${KUBE_BENCH_KEEP_JOB} ]; then kubectl delete -f job.yaml --ignore-not-found=true; fi - kubectl delete -f ${KUBE_BENCH_MANIFEST} --ignore-not-found=true - kubectl apply -f ${KUBE_BENCH_MANIFEST} - kubectl wait -f ${KUBE_BENCH_MANIFEST} --for=condition=complete=true - kubectl logs -f jobs/${KUBE_BENCH_NAME} > kube-bench.xml - if [ -z ${KUBE_BENCH_KEEP_JOB} ]; then kubectl delete -f ${KUBE_BENCH_MANIFEST}; fi needs: ["k8s:kube-bench:prepare"] artifacts: reports:
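Review bot: In the prepare job's new `if ! test -f ${KUBE_BENCH_MANIFEST}` step, the manifest that the later job passes to `kubectl apply` is either whatever file already sits at `kube-bench/job.yaml` in the build directory or an unverified download from the `main` branch. Because the job keeps `GIT_STRATEGY: none`, a manifest committed to the repository is not checked out here, so the `test -f` branch can presumably only match a file left behind by an earlier job on a runner that reuses its build directory; either drop `GIT_STRATEGY: none` for this job or remove the local-file branch. The download path also looks like it fails on a clean workspace, since `wget -O` does not create the `kube-bench/` directory; add `- mkdir -p "$(dirname "${KUBE_BENCH_MANIFEST}")"` before it. Since the result runs in the cluster, consider defaulting `KUBE_BENCH_VERSION` to a release tag and checking the file against a known SHA-256 before it is published as an artifact.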