kube-bench
Unable to install kubebench on GKE
Overview
We are trying to install kube-bench on GKE, but we are getting a read-only file system error for the `/srv/kubernetes` and `/opt/cni` volume mount directories. So instead of using the directory we are using `emptyDir`. How and what will be the effect if we use `emptyDir`?

Following is the cronjob:
```yaml
apiVersion: batch/v1
{{- else }}
apiVersion: batch/v1beta1
{{- end }}
kind: CronJob
metadata:
  name: {{ .Values.misconfigCron.name }}
  namespace: ajinkya
  labels:
    {{- with .Values.misconfigCron.labels }}
    {{ toYaml . | indent 8 }}
    {{- end }}
spec:
  schedule: {{ .Values.misconfigCron.schedule | quote }}
  jobTemplate:
    spec:
      template:
        metadata:
          labels:
            app: kube-bench
        spec:
          hostPID: true
          restartPolicy: Never
          containers:
            - name: misconfig-cron
              image: {{ .Values.misconfigCron.image }}
              imagePullPolicy: IfNotPresent
              # terminationGracePeriodSeconds: 60
              command: ["kube-bench", "--httpoutput=true"]
              # command: ["kube-bench", "--include-test-output", "--noremediations", "--noresults", "--nototals", "--httpoutput=true"]
              env:
                - name: TOKEN
                  valueFrom:
                    secretKeyRef:
                      name: testing-secrets
                      key: auth-token
                - name: NODE_NAME
                  valueFrom:
                    fieldRef:
                      fieldPath: spec.nodeName
              volumeMounts:
                - name: var-lib-etcd
                  mountPath: /var/lib/etcd
                  readOnly: true
                - name: var-lib-kubelet
                  mountPath: /var/lib/kubelet
                  readOnly: true
                - name: var-lib-kube-scheduler
                  mountPath: /var/lib/kube-scheduler
                  readOnly: true
                - name: var-lib-kube-controller-manager
                  mountPath: /var/lib/kube-controller-manager
                  readOnly: true
                - name: etc-systemd
                  mountPath: /etc/systemd
                  readOnly: true
                - name: lib-systemd
                  mountPath: /lib/systemd/
                  readOnly: true
                - name: srv-kubernetes
                  mountPath: /srv/kubernetes/
                  readOnly: true
                - name: etc-kubernetes
                  mountPath: /etc/kubernetes
                  readOnly: true
                # /usr/local/mount-from-host/bin is mounted to access kubectl / kubelet, for auto-detecting the Kubernetes version.
                # You can omit this mount if you specify --version as part of the command.
                - name: usr-bin
                  mountPath: /usr/local/mount-from-host/bin
                  readOnly: true
                - name: etc-cni-netd
                  mountPath: /etc/cni/net.d/
                  readOnly: true
                - name: opt-cni-bin
                  mountPath: /opt/cni/bin/
                  readOnly: true
                - name: var-tmp-dump
                  mountPath: /var/tmp/dump
                - name: misconfig-volume
                  mountPath: /etc/config.yaml
                  subPath: config.yaml
          volumes:
            - name: var-lib-etcd
              hostPath:
                path: "/var/lib/etcd"
            - name: var-lib-kubelet
              hostPath:
                path: "/var/lib/kubelet"
            - name: var-lib-kube-scheduler
              hostPath:
                path: "/var/lib/kube-scheduler"
            - name: var-lib-kube-controller-manager
              hostPath:
                path: "/var/lib/kube-controller-manager"
            - name: etc-systemd
              hostPath:
                path: "/etc/systemd"
            - name: lib-systemd
              hostPath:
                path: "/lib/systemd"
            - name: srv-kubernetes
              emptyDir: {}
            - name: etc-kubernetes
              hostPath:
                path: "/etc/kubernetes"
            - name: usr-bin
              hostPath:
                path: "/usr/bin"
            - name: etc-cni-netd
              hostPath:
                path: "/etc/cni/net.d/"
            - name: opt-cni-bin
              emptyDir: {}
            - name: var-tmp-dump
              hostPath:
                path: "/var/tmp/dump"
            - name: misconfig-volume
              configMap:
                name: {{ .Values.misconfigCron.configMapName }}
---
```
After installing the Helm chart, one of our misconfigcron jobs failed due to a read-only file system error. Following is the error:

```
(combined from similar events): Error: failed to generate container "25441f585d69c59f163d51ddf295dd257e27392e79b3f2729" spec: failed to generate spec: failed to mkdir "/srv/kubernetes": mkdir /srv/kubernetes: read-only file system
```
Hello, you can add this to run on GKE:

```yaml
volumeMounts:
  - name: srv-kubernetes
    mountPath: /tmp/kubernetes/
    readOnly: true
[...]
volumes:
  - name: srv-kubernetes
    hostPath:
      path: "/tmp/kubernetes"
```
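The question in the issue (what kube-bench sees when `/srv/kubernetes` and `/opt/cni/bin` are backed by `emptyDir`) and the reply's `/tmp/kubernetes` hostPath both come down to what each volume source puts behind a mount path. The script below is an added example, not code from the issue or from the kube-bench project: it takes a reduced rendering of the issue's pod template (Helm values replaced by placeholders, expressed as Python data so it runs with the standard library only) and reports, per volumeMount, whether the scanner gets host state, an empty directory, or nothing at all, plus the deployment risks a reviewer would flag. The names `POD_SPEC`, `GKE_VARIANT_VOLUME`, `classify_volume`, `audit_mounts` and `with_volume` are this example's own; the dangling `missing-volume` mount is constructed to exercise the validation check.

```python
"""Audit the volume wiring of a kube-bench pod spec before deploying it.

Constructed example: the spec below is a reduced rendering of the CronJob
pod template from the issue (Helm values replaced by placeholders), written
as Python data so the script runs offline with the standard library only.
"""
from typing import Dict, List

# Constructed input: mounts and volumes taken from the issue's CronJob, plus
# one deliberately dangling mount ("missing-volume") to exercise that check.
POD_SPEC: Dict = {
    "hostPID": True,
    "containers": [{
        "name": "misconfig-cron",
        "volumeMounts": [
            {"name": "var-lib-etcd", "mountPath": "/var/lib/etcd", "readOnly": True},
            {"name": "etc-kubernetes", "mountPath": "/etc/kubernetes", "readOnly": True},
            {"name": "srv-kubernetes", "mountPath": "/srv/kubernetes/", "readOnly": True},
            {"name": "opt-cni-bin", "mountPath": "/opt/cni/bin/", "readOnly": True},
            {"name": "var-tmp-dump", "mountPath": "/var/tmp/dump"},
            {"name": "misconfig-volume", "mountPath": "/etc/config.yaml", "subPath": "config.yaml"},
            {"name": "missing-volume", "mountPath": "/nowhere"},
        ],
    }],
    "volumes": [
        {"name": "var-lib-etcd", "hostPath": {"path": "/var/lib/etcd"}},
        {"name": "etc-kubernetes", "hostPath": {"path": "/etc/kubernetes"}},
        {"name": "srv-kubernetes", "emptyDir": {}},
        {"name": "opt-cni-bin", "emptyDir": {}},
        {"name": "var-tmp-dump", "hostPath": {"path": "/var/tmp/dump"}},
        {"name": "misconfig-volume", "configMap": {"name": "kube-bench-config"}},
    ],
}

# The variant suggested in the reply: srv-kubernetes backed by a hostPath under /tmp.
GKE_VARIANT_VOLUME: Dict = {"name": "srv-kubernetes", "hostPath": {"path": "/tmp/kubernetes"}}


def classify_volume(vol: Dict, mount: Dict) -> Dict:
    """Describe what the scanner sees behind one mount and any deployment risk."""
    if "emptyDir" in vol:
        return {"source": "emptyDir", "severity": "warn",
                "note": "fresh empty directory: checks that read files under this path see nothing from the host"}
    if "hostPath" in vol:
        hp = vol["hostPath"]
        read_only = bool(mount.get("readOnly", False))
        notes: List[str] = []
        if hp.get("type", "") == "":
            # Default hostPath type performs no check, so the runtime tries to mkdir
            # the path on the node when it is absent. On a read-only node path that is
            # the "failed to mkdir ...: read-only file system" error from the issue;
            # on a writable one the scanner gets a freshly created, empty directory.
            notes.append("no hostPath type: node path is created if absent "
                         "(fails on read-only node paths, otherwise mounts an empty dir); "
                         "set type: Directory to fail fast with a clear error")
        if not read_only:
            notes.append("writable hostPath: the scanner pod can modify node state")
        severity = "warn" if not read_only else ("info" if notes else "ok")
        return {"source": "hostPath", "hostPath": hp["path"], "readOnly": read_only,
                "severity": severity, "note": "; ".join(notes)}
    other = [k for k in vol if k != "name"]
    return {"source": other[0] if other else "unknown", "severity": "ok", "note": ""}


def audit_mounts(spec: Dict) -> List[Dict]:
    """One finding per volumeMount across all containers of a pod spec."""
    volumes = {v["name"]: v for v in spec.get("volumes", [])}
    findings: List[Dict] = []
    for container in spec.get("containers", []):
        for mount in container.get("volumeMounts", []):
            finding = {"container": container["name"], "volume": mount["name"],
                       "mountPath": mount["mountPath"]}
            vol = volumes.get(mount["name"])
            if vol is None:
                # A mount that names no volume fails API-server validation outright.
                finding.update(source="missing", severity="error",
                               note="no volume with this name; the API server rejects the pod")
            else:
                finding.update(classify_volume(vol, mount))
            findings.append(finding)
    return findings


def with_volume(spec: Dict, replacement: Dict) -> Dict:
    """Return a copy of spec with the volume of the same name swapped out."""
    vols = [replacement if v["name"] == replacement["name"] else v for v in spec["volumes"]]
    return {**spec, "volumes": vols}


def render(findings: List[Dict]) -> str:
    """Plain-text report, one line per mount."""
    return "\n".join(f"[{f['severity']:5}] {f['mountPath']:<20} <- {f['source']:<9} {f['note']}"
                     for f in findings)


if __name__ == "__main__":
    print("as posted:\n" + render(audit_mounts(POD_SPEC)))
    print("\nwith the /tmp/kubernetes hostPath:\n"
          + render(audit_mounts(with_volume(POD_SPEC, GKE_VARIANT_VOLUME))))
```

Run against the posted spec, the report marks `/srv/kubernetes/` and `/opt/cni/bin/` as `emptyDir`, meaning any kube-bench test that inspects files there is evaluated against an empty directory rather than the node, and flags `/var/tmp/dump` as a writable hostPath. Swapping in the reply's `/tmp/kubernetes` volume turns that entry into a typeless hostPath, which avoids the mkdir failure on a writable node path but still presents an empty directory unless the node actually has files there.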