Loading k8s/kube-bench.yml +12 −9 Original line number Diff line number Diff line --- variables: KUBE_BENCH_VERSION: main # Or use for example v0.6.7 from the available tags on https://github.com/aquasecurity/kube-bench/tags KUBE_BENCH_MANIFEST: kube-bench/job.yaml KUBE_BENCH_MANIFEST_JUNIT: kube-bench/job-junit.yaml .kube-context: image: registry.gitlab.com/gitlab-org/cluster-integration/cluster-applications:latest Loading 
@@ -13,19 +15,20 @@ k8s:kube-bench: extends: .kube-context script: - | if ! test -f kube-bench/job.yaml; then apk add --no-cache yq if ! test -f ${KUBE_BENCH_MANIFEST}; then mkdir -p kube-bench wget -O kube-bench/job.yaml https://raw.githubusercontent.com/aquasecurity/kube-bench/${KUBE_BENCH_VERSION}/job.yaml yq eval '.spec.template.spec.containers[0].args = ["--junit"]' kube-bench/job.yaml > kube-bench/job-junit.yaml yq eval -i '.metadata.name = "kube-bench-junit"' kube-bench/job-junit.yaml wget -O ${KUBE_BENCH_MANIFEST} https://raw.githubusercontent.com/aquasecurity/kube-bench/${KUBE_BENCH_VERSION}/job.yaml fi - kubectl delete -f kube-bench/job-junit.yaml -f kube-bench/job.yaml --ignore-not-found=true - kubectl apply -f kube-bench/job-junit.yaml -f kube-bench/job.yaml - kubectl wait -f kube-bench/job-junit.yaml -f kube-bench/job.yaml --for=condition=complete=true - apk add --no-cache yq - yq eval '.spec.template.spec.containers[0].args += ["--junit"]' ${KUBE_BENCH_MANIFEST} > ${KUBE_BENCH_MANIFEST_JUNIT} - yq eval -i '.metadata.name = "kube-bench-junit"' ${KUBE_BENCH_MANIFEST_JUNIT} - kubectl delete -f ${KUBE_BENCH_MANIFEST_JUNIT} -f ${KUBE_BENCH_MANIFEST} --ignore-not-found=true - kubectl apply -f ${KUBE_BENCH_MANIFEST_JUNIT} -f ${KUBE_BENCH_MANIFEST} - kubectl wait -f ${KUBE_BENCH_MANIFEST_JUNIT} -f ${KUBE_BENCH_MANIFEST} --for=condition=complete=true --timeout=5m - kubectl logs -f jobs/kube-bench-junit > kube-bench/kube-bench-junit.xml - kubectl logs -f jobs/kube-bench - if [ -z ${KUBE_BENCH_KEEP_JOB} ]; then kubectl delete -f kube-bench/job.yaml -f kube-bench/job-junit.yaml; fi after_script: - if [ -z ${KUBE_BENCH_KEEP_JOB} ]; then kubectl delete -f ${KUBE_BENCH_MANIFEST} -f ${KUBE_BENCH_MANIFEST_JUNIT}; fi artifacts: reports: junit: kube-bench/kube-bench-junit.xml Loading Loading
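Review bot: The `wget -O ${KUBE_BENCH_MANIFEST} https://raw.githubusercontent.com/aquasecurity/kube-bench/${KUBE_BENCH_VERSION}/job.yaml` line inside the `- |` block, followed by `kubectl apply -f ${KUBE_BENCH_MANIFEST_JUNIT} -f ${KUBE_BENCH_MANIFEST}`, applies a manifest fetched at run time from whatever `KUBE_BENCH_VERSION` resolves to — by default the moving `main` branch per the variables hunk — with no integrity check, so an upstream change or a tampered download is deployed into the target cluster with whatever privileges that Job's spec requests. Consider defaulting `KUBE_BENCH_VERSION` to a release tag and verifying the file before it is applied, e.g. `echo "${KUBE_BENCH_MANIFEST_SHA256}  ${KUBE_BENCH_MANIFEST}" | sha256sum -c -` right after the `wget`, with the expected digest supplied as a new pipeline variable; committing `kube-bench/job.yaml` to the repository (which the `test -f` guard already honours) avoids the runtime fetch entirely. Separately, `[ -z ${KUBE_BENCH_KEEP_JOB} ]` in `after_script` should quote the expansion, `[ -z "${KUBE_BENCH_KEEP_JOB}" ]`, so a value containing whitespace cannot break the test and skip cleanup.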
k8s/kube-bench.yml +12 −9 Original line number Diff line number Diff line --- variables: KUBE_BENCH_VERSION: main # Or use for example v0.6.7 from the available tags on https://github.com/aquasecurity/kube-bench/tags KUBE_BENCH_MANIFEST: kube-bench/job.yaml KUBE_BENCH_MANIFEST_JUNIT: kube-bench/job-junit.yaml .kube-context: image: registry.gitlab.com/gitlab-org/cluster-integration/cluster-applications:latest Loading 
@@ -13,19 +15,20 @@ k8s:kube-bench: extends: .kube-context script: - | if ! test -f kube-bench/job.yaml; then apk add --no-cache yq if ! test -f ${KUBE_BENCH_MANIFEST}; then mkdir -p kube-bench wget -O kube-bench/job.yaml https://raw.githubusercontent.com/aquasecurity/kube-bench/${KUBE_BENCH_VERSION}/job.yaml yq eval '.spec.template.spec.containers[0].args = ["--junit"]' kube-bench/job.yaml > kube-bench/job-junit.yaml yq eval -i '.metadata.name = "kube-bench-junit"' kube-bench/job-junit.yaml wget -O ${KUBE_BENCH_MANIFEST} https://raw.githubusercontent.com/aquasecurity/kube-bench/${KUBE_BENCH_VERSION}/job.yaml fi - kubectl delete -f kube-bench/job-junit.yaml -f kube-bench/job.yaml --ignore-not-found=true - kubectl apply -f kube-bench/job-junit.yaml -f kube-bench/job.yaml - kubectl wait -f kube-bench/job-junit.yaml -f kube-bench/job.yaml --for=condition=complete=true - apk add --no-cache yq - yq eval '.spec.template.spec.containers[0].args += ["--junit"]' ${KUBE_BENCH_MANIFEST} > ${KUBE_BENCH_MANIFEST_JUNIT} - yq eval -i '.metadata.name = "kube-bench-junit"' ${KUBE_BENCH_MANIFEST_JUNIT} - kubectl delete -f ${KUBE_BENCH_MANIFEST_JUNIT} -f ${KUBE_BENCH_MANIFEST} --ignore-not-found=true - kubectl apply -f ${KUBE_BENCH_MANIFEST_JUNIT} -f ${KUBE_BENCH_MANIFEST} - kubectl wait -f ${KUBE_BENCH_MANIFEST_JUNIT} -f ${KUBE_BENCH_MANIFEST} --for=condition=complete=true --timeout=5m - kubectl logs -f jobs/kube-bench-junit > kube-bench/kube-bench-junit.xml - kubectl logs -f jobs/kube-bench - if [ -z ${KUBE_BENCH_KEEP_JOB} ]; then kubectl delete -f kube-bench/job.yaml -f kube-bench/job-junit.yaml; fi after_script: - if [ -z ${KUBE_BENCH_KEEP_JOB} ]; then kubectl delete -f ${KUBE_BENCH_MANIFEST} -f ${KUBE_BENCH_MANIFEST_JUNIT}; fi artifacts: reports: junit: kube-bench/kube-bench-junit.xml Loading