
Fix generic CIS kube-bench job

Nils Hanke requested to merge Nirusu/haven:fix/kube-bench into master

The generic CIS kube-bench job (aka: not the job YAML files in the static directory) does not work correctly currently. It always reports "NO" even if the node is actually passing the test.

The reason for this is that the kube-bench job uses the latest image, but the command line arguments are outdated. The node command has been removed since version 0.7.0: https://github.com/aquasecurity/kube-bench/pull/960 https://github.com/aquasecurity/kube-bench/discussions/919

In addition, the /etc/kubernetes mount path has a typo, so the permission check fails for the wrong reasons.

These two fixes here are sufficient for me to get the node test working correctly as it does when I am running it as described in the aquasecurity repository.
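The failure mode described above (a floating `latest` image combined with a subcommand the new image no longer has, which makes the compliance check report "NO" for the wrong reason) can be caught before a job runs. The following is an added example, not code from this merge request or from Haven: the container specs, the registry name and the finding labels are constructed, and `run --targets node` is kube-bench's current way of selecting node checks.

```python
# Added example: lint a kube-bench Job container spec for image/CLI drift.
# The specs below are constructed samples, not Haven's actual manifest.

REMOVED_SUBCOMMANDS = {"node"}  # per the MR text: removed since kube-bench 0.7.0


def image_tag(image):
    """Return the tag of an image reference; "" if untagged, None if digest-pinned."""
    if "@" in image:                      # digest-pinned: immutable, no tag involved
        return None
    last = image.rsplit("/", 1)[-1]       # ignore the ':' of a registry host:port
    return last.split(":", 1)[1] if ":" in last else ""


def lint_container(container):
    """Return a list of findings for one container spec (a dict)."""
    findings = []
    floating = image_tag(container.get("image", "")) in ("", "latest")
    if floating:
        findings.append("floating-image")
    argv = list(container.get("command", [])) + list(container.get("args", []))
    # Simplification: the first non-flag token after the binary is the subcommand.
    sub = next((a for a in argv[1:] if not a.startswith("-")), None)
    if sub in REMOVED_SUBCOMMANDS:
        findings.append("removed-subcommand:" + sub)
        if floating:
            # The image moves forward on its own while the arguments stay frozen.
            findings.append("cli-image-drift")
    return findings


# Constructed sample: the pattern the MR describes as broken.
BROKEN = {
    "name": "kube-bench",
    "image": "registry.example:5000/kube-bench:latest",
    "command": ["kube-bench", "node"],
}

# Constructed sample: pinned tag plus the current invocation.
FIXED = {
    "name": "kube-bench",
    "image": "registry.example:5000/kube-bench:v0.7.0",
    "command": ["kube-bench", "run", "--targets", "node"],
}

if __name__ == "__main__":
    for label, spec in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, lint_container(spec))
```
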
