job.yaml: Adding /var/lib/cni mounts for proper CIS 1.1.9 and 1.1.0 c…

…hecking (#1547) Signed-off-by: Andrey Polovov <andrey.polovov@flant.com> Signed-off-by: Andrey Pavlov <andrey.pavlov@flant.com> Co-authored-by: Andrey Pavlov <andrey.pavlov@flant.com> Co-authored-by: chenk <hen.keinan@gmail.com>
aquasecurity · Feb 11, 2024 · faeceb5 · faeceb5
1 parent 3021706
commit faeceb5
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 0 deletions.
diff --git a/job-master.yaml b/job-master.yaml
@@ -29,6 +29,9 @@ spec:
  image: docker.io/aquasec/kube-bench:latest
  command: ["kube-bench", "run", "--targets", "master"]
  volumeMounts:
+ - name: var-lib-cni
+ mountPath: /var/lib/cni
+ readOnly: true
  - name: var-lib-etcd
  mountPath: /var/lib/etcd
  readOnly: true
@@ -72,6 +75,9 @@ spec:
  readOnly: true
  restartPolicy: Never
  volumes:
+ - name: var-lib-cni
+ hostPath:
+ path: "/var/lib/cni"
  - name: var-lib-etcd
  hostPath:
  path: "/var/lib/etcd"

diff --git a/job-node.yaml b/job-node.yaml
@@ -12,6 +12,9 @@ spec:
  image: docker.io/aquasec/kube-bench:latest
  command: ["kube-bench", "run", "--targets", "node"]
  volumeMounts:
+ - name: var-lib-cni
+ mountPath: /var/lib/cni
+ readOnly: true
  - name: var-lib-etcd
  mountPath: /var/lib/etcd
  readOnly: true
@@ -49,6 +52,9 @@ spec:
  readOnly: true
  restartPolicy: Never
  volumes:
+ - name: var-lib-cni
+ hostPath:
+ path: "/var/lib/cni"
  - name: var-lib-etcd
  hostPath:
  path: "/var/lib/etcd"

diff --git a/job.yaml b/job.yaml
@@ -14,6 +14,9 @@ spec:
  image: docker.io/aquasec/kube-bench:v0.7.1
  name: kube-bench
  volumeMounts:
+ - name: var-lib-cni
+ mountPath: /var/lib/cni
+ readOnly: true
  - mountPath: /var/lib/etcd
  name: var-lib-etcd
  readOnly: true
@@ -50,6 +53,9 @@ spec:
  hostPID: true
  restartPolicy: Never
  volumes:
+ - name: var-lib-cni
+ hostPath:
+ path: /var/lib/cni
  - hostPath:
  path: /var/lib/etcd
  name: var-lib-etcd