Add /lib/systemd as mount path for CIS kube-bench (!478) · Merge requests · Common Ground / Haven / haven

Nils Hanke requested to merge Nirusu/haven:fix/kube-bench-mount into master Nov 09, 2022

The CIS kube-bench job definition mounts fewer directories than the one upstream from Aqua Security does. Recently, when we were changing our system image we noticed that the CIS benchmark in Haven suddenly started to fail.

We pinned down the issue to be that we moved the Kubelet service file from /etc/systemd/system/kubelet.service to /usr/lib/systemd/system/kubelet.service, causing kube-bench not to find the service file and fail the test.

This PR therefore adds /lib/systemd as a mount path, which a) is the same as upstream kube-bench and b) also works for /usr/lib/systemd assuming that /lib is a symlink to /usr/lib (which in our case it is, otherwise this would need additions in upstream kube-bench, too).

Would appreciate it if you can take a look at this merge request!

Add /lib/systemd as mount path for CIS kube-bench

Merge request reports