From 77f66511e70c4b2c1f83988786e3de04ec7349db Mon Sep 17 00:00:00 2001
From: Nick Smith <nickrmc83@gmail.com>
Date: Tue, 28 Jan 2020 15:45:31 +0000
Subject: [PATCH] Set all host-mounted volumes to be read-only. (#569)

By setting all host-mounted volumes to be read-only we reduce the likelihood
any host filesystem is modified by running kube-bench.
---
 job-eks.yaml    | 3 +++
 job-iks.yaml    | 3 +++
 job-master.yaml | 3 +++
 job-node.yaml   | 4 ++++
 job.yaml        | 5 +++++
 5 files changed, 18 insertions(+)

diff --git a/job-eks.yaml b/job-eks.yaml
index 6f82c31..b0cac98 100644
--- a/job-eks.yaml
+++ b/job-eks.yaml
@@ -15,10 +15,13 @@ spec:
           volumeMounts:
             - name: var-lib-kubelet
               mountPath: /var/lib/kubelet
+              readOnly: true
             - name: etc-systemd
               mountPath: /etc/systemd
+              readOnly: true
             - name: etc-kubernetes
               mountPath: /etc/kubernetes
+              readOnly: true
       restartPolicy: Never
       volumes:
         - name: var-lib-kubelet
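Review bot: `readOnly: true` on a hostPath volumeMount is enforced by the kubelet as a read-only bind mount for that container only; it does not prevent a container running with `privileged: true` (or CAP_SYS_ADMIN) from remounting the path read-write, so whether this delivers the protection the commit message describes depends on the pod's `securityContext`, which lies outside every hunk in this patch. Worth confirming that none of the five Job specs run the container privileged and, where they do not, pairing these mounts with `allowPrivilegeEscalation: false` in the container's `securityContext`. The same point applies to the matching hunks in job-iks.yaml, job-master.yaml, job-node.yaml and job.yaml. A short comment above the first mount, e.g. `# All host mounts are read-only: kube-bench only reads these paths.`, would record the intent for anyone adding a mount to this list later.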
diff --git a/job-iks.yaml b/job-iks.yaml
index 8a5fd38..3d3d072 100644
--- a/job-iks.yaml
+++ b/job-iks.yaml
@@ -14,10 +14,13 @@ spec:
           volumeMounts:
             - name: var-lib-kubelet
               mountPath: /var/lib/kubelet
+              readOnly: true
             - name: etc-systemd
               mountPath: /etc/systemd
+              readOnly: true
             - name: etc-kubernetes
               mountPath: /etc/kubernetes
+              readOnly: true
       restartPolicy: Never
       volumes:
         - name: var-lib-kubelet
diff --git a/job-master.yaml b/job-master.yaml
index 5896bd3..27cecb2 100644
--- a/job-master.yaml
+++ b/job-master.yaml
@@ -20,12 +20,15 @@ spec:
           volumeMounts:
             - name: var-lib-etcd
               mountPath: /var/lib/etcd
+              readOnly: true
             - name: etc-kubernetes
               mountPath: /etc/kubernetes
+              readOnly: true
               # /usr/bin is mounted to access kubectl / kubelet, for auto-detecting the Kubernetes version.
               # You can omit this mount if you specify --version as part of the command.
             - name: usr-bin
               mountPath: /usr/bin
+              readOnly: true
       restartPolicy: Never
       volumes:
         - name: var-lib-etcd
diff --git a/job-node.yaml b/job-node.yaml
index 0bdc2a1..b9133e9 100644
--- a/job-node.yaml
+++ b/job-node.yaml
@@ -14,14 +14,18 @@ spec:
           volumeMounts:
             - name: var-lib-kubelet
               mountPath: /var/lib/kubelet
+              readOnly: true
             - name: etc-systemd
               mountPath: /etc/systemd
+              readOnly: true
             - name: etc-kubernetes
               mountPath: /etc/kubernetes
+              readOnly: true
               # /usr/bin is mounted to access kubectl / kubelet, for auto-detecting the Kubernetes version.
               # You can omit this mount if you specify --version as part of the command.
             - name: usr-bin
               mountPath: /usr/bin
+              readOnly: true
       restartPolicy: Never
       volumes:
         - name: var-lib-kubelet
diff --git a/job.yaml b/job.yaml
index 411c164..5f09651 100644
--- a/job.yaml
+++ b/job.yaml
@@ -17,16 +17,21 @@ spec:
           volumeMounts:
             - name: var-lib-etcd
               mountPath: /var/lib/etcd
+              readOnly: true
             - name: var-lib-kubelet
               mountPath: /var/lib/kubelet
+              readOnly: true
             - name: etc-systemd
               mountPath: /etc/systemd
+              readOnly: true
             - name: etc-kubernetes
               mountPath: /etc/kubernetes
+              readOnly: true
               # /usr/bin is mounted to access kubectl / kubelet, for auto-detecting the Kubernetes version.
               # You can omit this mount if you specify --version as part of the command.
             - name: usr-bin
               mountPath: /usr/bin
+              readOnly: true
       restartPolicy: Never
       volumes:
         - name: var-lib-etcd
-- 
GitLab