fix: update job template (#112)
* fix: update job template

Signed-off-by: chenk <hen.keinan@gmail.com>

* fix: update job template

Signed-off-by: chenk <hen.keinan@gmail.com>

* fix: update job template

Signed-off-by: chenk <hen.keinan@gmail.com>

* fix: update job template

Signed-off-by: chenk <hen.keinan@gmail.com>

---------

Signed-off-by: chenk <hen.keinan@gmail.com>
chen-keinan authored Feb 9, 2023
1 parent ecd3100 commit 56c8d8b
Showing 3 changed files with 53 additions and 17 deletions.
1 change: 0 additions & 1 deletion examples/trivy.go
Expand Up @@ -72,7 +72,6 @@ func main() {
printArtifacts(artifacts)

// collect node info

ar, err := trivyk8s.ListArtifactAndNodeInfo(ctx)
if err != nil {
log.Fatal(err)
42 changes: 32 additions & 10 deletions pkg/jobs/builder_test.go
Expand Up @@ -7,7 +7,9 @@ import (
"github.com/stretchr/testify/assert"
batchv1 "k8s.io/api/batch/v1"
corev1 "k8s.io/api/core/v1"
"k8s.io/apimachinery/pkg/api/resource"
v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/utils/pointer"
)

func TestLoadBuilder(t *testing.T) {
Expand All @@ -28,9 +30,38 @@ func TestLoadBuilder(t *testing.T) {
Template: corev1.PodTemplateSpec{
ObjectMeta: v1.ObjectMeta{Labels: map[string]string{"app": "node-collector"}},
Spec: corev1.PodSpec{
DNSPolicy: corev1.DNSClusterFirst,
AutomountServiceAccountToken: pointer.Bool(true),
SecurityContext: &corev1.PodSecurityContext{
RunAsGroup: pointer.Int64(0),
RunAsUser: pointer.Int64(0),
SeccompProfile: &corev1.SeccompProfile{
Type: corev1.SeccompProfileTypeRuntimeDefault,
},
},
HostPID: true,
Containers: []corev1.Container{
{
Resources: corev1.ResourceRequirements{
Limits: corev1.ResourceList{
corev1.ResourceCPU: resource.MustParse("300m"),
corev1.ResourceMemory: resource.MustParse("300M"),
},
Requests: corev1.ResourceList{
corev1.ResourceCPU: resource.MustParse("50m"),
corev1.ResourceMemory: resource.MustParse("50M"),
},
},
SecurityContext: &corev1.SecurityContext{
AllowPrivilegeEscalation: pointer.Bool(false),
Capabilities: &corev1.Capabilities{
Drop: []corev1.Capability{
"all",
},
},
Privileged: pointer.Bool(false),
ReadOnlyRootFilesystem: pointer.Bool(true),
},
Name: "node-collector",
Image: "ghcr.io/aquasecurity/node-collector:0.0.5",
Command: []string{"node-collector"},
Expand Down Expand Up @@ -65,11 +96,6 @@ func TestLoadBuilder(t *testing.T) {
MountPath: "/lib/systemd/",
ReadOnly: true,
},
{
Name: "srv-kubernetes",
MountPath: "/srv/kubernetes/",
ReadOnly: true,
},
{
Name: "etc-kubernetes",
MountPath: "/etc/kubernetes",
Expand All @@ -93,7 +119,7 @@ func TestLoadBuilder(t *testing.T) {
},
},
},
RestartPolicy: "Never",
RestartPolicy: corev1.RestartPolicyNever,
Volumes: []corev1.Volume{
{
Name: "var-lib-etcd",
Expand All @@ -119,10 +145,6 @@ func TestLoadBuilder(t *testing.T) {
Name: "lib-systemd",
VolumeSource: corev1.VolumeSource{HostPath: &corev1.HostPathVolumeSource{Path: "/lib/systemd"}},
},
{
Name: "srv-kubernetes",
VolumeSource: corev1.VolumeSource{HostPath: &corev1.HostPathVolumeSource{Path: "/srv/kubernetes"}},
},
{
Name: "etc-kubernetes",
VolumeSource: corev1.VolumeSource{HostPath: &corev1.HostPathVolumeSource{Path: "/etc/kubernetes"}},
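Review bot: The new expectation drops the capability `"all"` in lowercase (`Drop: []corev1.Capability{"all"}`), while Kubernetes documents the catch-all value as `ALL`; as far as I recall the Pod Security Admission "restricted" check compares that value case-sensitively, so a pod declaring lowercase `all` may not be credited as dropping every capability even if the container runtime honours it — worth confirming against the cluster versions the collector targets. If that holds, the expectation should become `Drop: []corev1.Capability{"ALL"},` and the same spelling should be used in `pkg/jobs/template/node-collector.yaml` (`- ALL`) so the test and the template stay in step. TestLoadBuilder starts and ends outside the hunks shown.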
27 changes: 21 additions & 6 deletions pkg/jobs/template/node-collector.yaml
Expand Up @@ -9,12 +9,28 @@ spec:
labels:
app: node-collector
spec:
dnsPolicy: ClusterFirst
hostPID: true
automountServiceAccountToken: true
containers:
- name: node-collector
image: ghcr.io/aquasecurity/node-collector:0.0.5
command:
- node-collector
resources:
limits:
cpu: 300m
memory: 300M
requests:
cpu: 50m
memory: 50M
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- all
privileged: false
readOnlyRootFilesystem: true
volumeMounts:
- name: var-lib-etcd
mountPath: /var/lib/etcd
Expand All @@ -34,9 +50,6 @@ spec:
- name: lib-systemd
mountPath: /lib/systemd/
readOnly: true
- name: srv-kubernetes
mountPath: /srv/kubernetes/
readOnly: true
- name: etc-kubernetes
mountPath: /etc/kubernetes
readOnly: true
Expand All @@ -50,6 +63,11 @@ spec:
mountPath: /opt/cni/bin/
readOnly: true
restartPolicy: Never
securityContext:
runAsGroup: 0
runAsUser: 0
seccompProfile:
type: RuntimeDefault
volumes:
- name: var-lib-etcd
hostPath:
Expand All @@ -69,9 +87,6 @@ spec:
- name: lib-systemd
hostPath:
path: /lib/systemd
- name: srv-kubernetes
hostPath:
path: /srv/kubernetes
- name: etc-kubernetes
hostPath:
path: /etc/kubernetes
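Review bot: The template now sets `automountServiceAccountToken: true` in the same pod that has `hostPID: true`, a pod-level `runAsUser: 0` / `runAsGroup: 0`, and read-only hostPath mounts of paths such as `/etc/kubernetes` and `/var/lib/etcd`, but nothing in the manifest records why the collector needs a service-account token. Because a root, host-PID pod holding a token has a wider blast radius if the collector is ever compromised, a short comment next to the field would document the decision, e.g. `automountServiceAccountToken: true  # needed because the collector <reason — confirm>; set to false if it only reads host paths`, or the field can be set to `false` if the collector never calls the API server. The `spec:` document this hunk belongs to starts outside the hunk, so I cannot tell whether a `serviceAccountName` is set elsewhere.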
