Loading k8s/kube-bench.yml +15 −12 Original line number Diff line number Diff line --- variables: KUBE_BENCH_VERSION: main # Or use for example v0.6.7 from the available tags on https://github.com/aquasecurity/kube-bench/tags KUBE_BENCH_MANIFEST_SOURCE: https://raw.githubusercontent.com/aquasecurity/kube-bench/${KUBE_BENCH_VERSION}/job.yaml KUBE_BENCH_MANIFEST: kube-bench/job.yaml k8s:kube-bench:prepare: stage: .pre image: alpine:latest script: - apk add --no-cache yq - if ! test -f ${KUBE_BENCH_MANIFEST}; then wget -O ${KUBE_BENCH_MANIFEST} ${KUBE_BENCH_MANIFEST_SOURCE}; fi - yq eval -i '.spec.template.spec.containers[0].command = ["kube-bench", "--junit"]' ${KUBE_BENCH_MANIFEST} - echo "KUBE_BENCH_NAME=$(yq eval .metadata.name ${KUBE_BENCH_MANIFEST})" > KUBE_BENCH_NAME.env - mkdir -p kube-bench - | if ! test -f kube-bench/job.yaml; then wget -O kube-bench/job.yaml https://raw.githubusercontent.com/aquasecurity/kube-bench/${KUBE_BENCH_VERSION}/job.yaml yq eval '.spec.template.spec.containers[0].command = ["kube-bench", "--junit"]' kube-bench/job.yaml > kube-bench/job-junit.yaml yq eval -i '.metadata.name = "kube-bench-junit"' kube-bench/job-junit.yaml fi artifacts: paths: - ${KUBE_BENCH_MANIFEST} - kube-bench/ reports: dotenv: KUBE_BENCH_NAME.env Loading 
@@ -25,12 +27,13 @@ k8s:kube-bench: GIT_STRATEGY: none script: - gl-use-kube-context - kubectl delete -f ${KUBE_BENCH_MANIFEST} --ignore-not-found=true - kubectl apply -f ${KUBE_BENCH_MANIFEST} - kubectl wait -f ${KUBE_BENCH_MANIFEST} --for=condition=complete=true - kubectl logs -f jobs/${KUBE_BENCH_NAME} > kube-bench.xml - if [ -z ${KUBE_BENCH_KEEP_JOB} ]; then kubectl delete -f ${KUBE_BENCH_MANIFEST}; fi - kubectl delete -f kube-bench/job-junit.yaml -f kube-bench/job.yaml --ignore-not-found=true - kubectl apply -f kube-bench/job-junit.yaml -f kube-bench/job.yaml - kubectl wait -f kube-bench/job-junit.yaml -f kube-bench/job.yaml --for=condition=complete=true - kubectl logs -f jobs/kube-bench-junit > kube-bench-junit.xml - kubectl logs -f jobs/kube-bench - if [ -z ${KUBE_BENCH_KEEP_JOB} ]; then kubectl delete -f kube-bench/job.yaml -f kube-bench/job-junit.yaml; fi needs: ["k8s:kube-bench:prepare"] artifacts: reports: junit: kube-bench.xml junit: kube-bench-junit.xml Loading
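Review bot: In the prepare job's new `- |` block, the two `yq` lines that write `kube-bench/job-junit.yaml` sit inside `if ! test -f kube-bench/job.yaml`, so whenever a `kube-bench/job.yaml` is already present (the case the guard exists to support) the JUnit manifest is never generated and the second hunk's `kubectl apply -f kube-bench/job-junit.yaml` fails; move the `fi` up to directly after the `wget` line so the `yq` steps always run. The manifest is still fetched from the mutable `main` ref with no integrity check and then applied to the cluster, so whatever that branch serves runs with the permissions the upstream Job requests; prefer a tagged `KUBE_BENCH_VERSION` and verify the download before transforming it, e.g. `echo "<expected-sha256-placeholder>  kube-bench/job.yaml" | sha256sum -c` right after the `wget`. In the second hunk, `[ -z ${KUBE_BENCH_KEEP_JOB} ]` leaves the variable unquoted; `[ -z "${KUBE_BENCH_KEEP_JOB}" ]` keeps the test well-formed when the value is unset or contains spaces. The `k8s:kube-bench` job's header lies outside the second hunk, which starts at `GIT_STRATEGY: none`.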
k8s/kube-bench.yml +15 −12 Original line number Diff line number Diff line --- variables: KUBE_BENCH_VERSION: main # Or use for example v0.6.7 from the available tags on https://github.com/aquasecurity/kube-bench/tags KUBE_BENCH_MANIFEST_SOURCE: https://raw.githubusercontent.com/aquasecurity/kube-bench/${KUBE_BENCH_VERSION}/job.yaml KUBE_BENCH_MANIFEST: kube-bench/job.yaml k8s:kube-bench:prepare: stage: .pre image: alpine:latest script: - apk add --no-cache yq - if ! test -f ${KUBE_BENCH_MANIFEST}; then wget -O ${KUBE_BENCH_MANIFEST} ${KUBE_BENCH_MANIFEST_SOURCE}; fi - yq eval -i '.spec.template.spec.containers[0].command = ["kube-bench", "--junit"]' ${KUBE_BENCH_MANIFEST} - echo "KUBE_BENCH_NAME=$(yq eval .metadata.name ${KUBE_BENCH_MANIFEST})" > KUBE_BENCH_NAME.env - mkdir -p kube-bench - | if ! test -f kube-bench/job.yaml; then wget -O kube-bench/job.yaml https://raw.githubusercontent.com/aquasecurity/kube-bench/${KUBE_BENCH_VERSION}/job.yaml yq eval '.spec.template.spec.containers[0].command = ["kube-bench", "--junit"]' kube-bench/job.yaml > kube-bench/job-junit.yaml yq eval -i '.metadata.name = "kube-bench-junit"' kube-bench/job-junit.yaml fi artifacts: paths: - ${KUBE_BENCH_MANIFEST} - kube-bench/ reports: dotenv: KUBE_BENCH_NAME.env Loading 
@@ -25,12 +27,13 @@ k8s:kube-bench: GIT_STRATEGY: none script: - gl-use-kube-context - kubectl delete -f ${KUBE_BENCH_MANIFEST} --ignore-not-found=true - kubectl apply -f ${KUBE_BENCH_MANIFEST} - kubectl wait -f ${KUBE_BENCH_MANIFEST} --for=condition=complete=true - kubectl logs -f jobs/${KUBE_BENCH_NAME} > kube-bench.xml - if [ -z ${KUBE_BENCH_KEEP_JOB} ]; then kubectl delete -f ${KUBE_BENCH_MANIFEST}; fi - kubectl delete -f kube-bench/job-junit.yaml -f kube-bench/job.yaml --ignore-not-found=true - kubectl apply -f kube-bench/job-junit.yaml -f kube-bench/job.yaml - kubectl wait -f kube-bench/job-junit.yaml -f kube-bench/job.yaml --for=condition=complete=true - kubectl logs -f jobs/kube-bench-junit > kube-bench-junit.xml - kubectl logs -f jobs/kube-bench - if [ -z ${KUBE_BENCH_KEEP_JOB} ]; then kubectl delete -f kube-bench/job.yaml -f kube-bench/job-junit.yaml; fi needs: ["k8s:kube-bench:prepare"] artifacts: reports: junit: kube-bench.xml junit: kube-bench-junit.xml