kube-bench/cmd/root.go

// Copyright © 2017 Aqua Security Software Ltd. <info@aquasec.com>
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package cmd

import (
	goflag "flag"
	"fmt"
	"os"

	"github.com/aquasecurity/kube-bench/check"
	"github.com/golang/glog"
	"github.com/spf13/cobra"
	"github.com/spf13/viper"
)

type FilterOpts struct {
	CheckList string
	GroupList string
	Scored    bool
	Unscored  bool
}

var (
	envVarsPrefix      = "KUBE_BENCH"
	defaultKubeVersion = "1.6"
	kubeVersion        string
	cfgFile            string
	cfgDir             string
	jsonFmt            bool
	pgSQL              bool
	masterFile         = "master.yaml"
	nodeFile           = "node.yaml"
	federatedFile      string
	noResults          bool
	noSummary          bool
	noRemediations     bool
	filterOpts         FilterOpts
	includeTestOutput  bool
	outputFile         string
)

// RootCmd represents the base command when called without any subcommands
var RootCmd = &cobra.Command{
	Use:   os.Args[0],
	Short: "Run CIS Benchmarks checks against a Kubernetes deployment",
	Long:  `This tool runs the CIS Kubernetes Benchmark (https://www.cisecurity.org/benchmark/kubernetes/)`,
	Run: func(cmd *cobra.Command, args []string) {
		if isMaster() {
			glog.V(1).Info("== Running master checks ==\n")
			runChecks(check.MASTER)
		}
		glog.V(1).Info("== Running node checks ==\n")
		runChecks(check.NODE)
	},
}

// Execute adds all child commands to the root command sets flags appropriately.
// This is called by main.main(). It only needs to happen once to the rootCmd.
func Execute() {
	goflag.Set("logtostderr", "true")
	goflag.CommandLine.Parse([]string{})

	if err := RootCmd.Execute(); err != nil {
		fmt.Println(err)
		// flush before exit non-zero
		glog.Flush()
		os.Exit(-1)
	}
	// flush before exit
	glog.Flush()
}

func init() {
	cobra.OnInitialize(initConfig)

	// Output control
	RootCmd.PersistentFlags().BoolVar(&noResults, "noresults", false, "Disable printing of results section")
	RootCmd.PersistentFlags().BoolVar(&noSummary, "nosummary", false, "Disable printing of summary section")
	RootCmd.PersistentFlags().BoolVar(&noRemediations, "noremediations", false, "Disable printing of remediations section")
	RootCmd.PersistentFlags().BoolVar(&jsonFmt, "json", false, "Prints the results as JSON")
	RootCmd.PersistentFlags().BoolVar(&pgSQL, "pgsql", false, "Save the results to PostgreSQL")
	RootCmd.PersistentFlags().BoolVar(&filterOpts.Scored, "scored", true, "Run the scored CIS checks")
	RootCmd.PersistentFlags().BoolVar(&filterOpts.Unscored, "unscored", true, "Run the unscored CIS checks")
	RootCmd.PersistentFlags().BoolVar(&includeTestOutput, "include-test-output", false, "Prints the actual result when test fails")
	RootCmd.PersistentFlags().StringVar(&outputFile, "outputfile", "", "Writes the JSON results to output file")

	RootCmd.PersistentFlags().StringVarP(
		&filterOpts.CheckList,
		"check",
		"c",
		"",
		`A comma-delimited list of checks to run as specified in CIS document. Example --check="1.1.1,1.1.2"`,
	)
	RootCmd.PersistentFlags().StringVarP(
		&filterOpts.GroupList,
		"group",
		"g",
		"",
		`Run all the checks under this comma-delimited list of groups. Example --group="1.1"`,
	)
	RootCmd.PersistentFlags().StringVar(&cfgFile, "config", "", "config file (default is ./cfg/config.yaml)")
	RootCmd.PersistentFlags().StringVarP(&cfgDir, "config-dir", "D", "./cfg/", "config directory")
	RootCmd.PersistentFlags().StringVar(&kubeVersion, "version", "", "Manually specify Kubernetes version, automatically detected if unset")

	goflag.CommandLine.VisitAll(func(goflag *goflag.Flag) {
		RootCmd.PersistentFlags().AddGoFlag(goflag)
	})

}

// initConfig reads in config file and ENV variables if set.
func initConfig() {
	if cfgFile != "" { // enable ability to specify config file via flag
		viper.SetConfigFile(cfgFile)
	} else {
		viper.SetConfigName("config") // name of config file (without extension)
		viper.AddConfigPath(cfgDir)   // adding ./cfg as first search path
	}

	viper.SetEnvPrefix(envVarsPrefix)
	viper.AutomaticEnv() // read in environment variables that match

	// If a config file is found, read it in.
	if err := viper.ReadInConfig(); err != nil {
		colorPrint(check.FAIL, fmt.Sprintf("Failed to read config file: %v\n", err))
		os.Exit(1)
	}
}
Initial commit 2017-05-26 09:25:29 +00:00			`// Copyright © 2017 Aqua Security Software Ltd. <info@aquasec.com>`
			`//`
			`// Licensed under the Apache License, Version 2.0 (the "License");`
			`// you may not use this file except in compliance with the License.`
			`// You may obtain a copy of the License at`
			`//`
			`// http://www.apache.org/licenses/LICENSE-2.0`
			`//`
			`// Unless required by applicable law or agreed to in writing, software`
			`// distributed under the License is distributed on an "AS IS" BASIS,`
			`// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`// See the License for the specific language governing permissions and`
			`// limitations under the License.`

			`package cmd`

			`import (`
Improve error handling. 2017-07-25 00:34:07 +00:00			`goflag "flag"`
Initial commit 2017-05-26 09:25:29 +00:00			`"fmt"`
			`"os"`

Use colorPrint for config file info too 2017-06-20 10:10:11 +00:00			`"github.com/aquasecurity/kube-bench/check"`
Adds master node detection and a root command that automatically detect checks to run. The root command will run node checks and if possible master checks. I've also added some Makefile targets to improve local testing and improve the documentation. 2019-03-07 17:02:43 +00:00			`"github.com/golang/glog"`
Initial commit 2017-05-26 09:25:29 +00:00			`"github.com/spf13/cobra"`
			`"github.com/spf13/viper"`
			`)`

Add flags to further filter CIS checks to run 2019-04-29 10:17:06 +00:00			`type FilterOpts struct {`
			`CheckList string`
			`GroupList string`
			`Scored bool`
			`Unscored bool`
			`}`

Initial commit 2017-05-26 09:25:29 +00:00			`var (`
Add default version if version check fails. 2017-11-13 15:25:34 +00:00			`envVarsPrefix = "KUBE_BENCH"`
			`defaultKubeVersion = "1.6"`
Allow kubernetes version and config directory to be specified (resolves #107) 2018-04-12 18:22:50 +00:00			`kubeVersion string`
Add default version if version check fails. 2017-11-13 15:25:34 +00:00			`cfgFile string`
Allow kubernetes version and config directory to be specified (resolves #107) 2018-04-12 18:22:50 +00:00			`cfgDir string`
Add default version if version check fails. 2017-11-13 15:25:34 +00:00			`jsonFmt bool`
Lint all code for golint tests 2018-01-11 18:01:58 +00:00			`pgSQL bool`
Adds master node detection and a root command that automatically detect checks to run. The root command will run node checks and if possible master checks. I've also added some Makefile targets to improve local testing and improve the documentation. 2019-03-07 17:02:43 +00:00			`masterFile = "master.yaml"`
			`nodeFile = "node.yaml"`
Add default version if version check fails. 2017-11-13 15:25:34 +00:00			`federatedFile string`
Add extra output manipulation flags, --noremediations, --nosummary and --noresults. These flags disable printing sections of the final output of kube-bench. 2018-04-10 19:58:19 +00:00			`noResults bool`
			`noSummary bool`
			`noRemediations bool`
Add flags to further filter CIS checks to run 2019-04-29 10:17:06 +00:00			`filterOpts FilterOpts`
Add --outputfile flag for writing json results to output file (#295) 2019-05-29 15:05:55 +00:00			`includeTestOutput bool`
			`outputFile string`
Initial commit 2017-05-26 09:25:29 +00:00			`)`

			`// RootCmd represents the base command when called without any subcommands`
			`var RootCmd = &cobra.Command{`
Executable name changes Updates to travis file, readme and help text 2017-06-20 08:52:53 +00:00			`Use: os.Args[0],`
Get the tests working on deployments where file names may be different or not in path (#1) * Replace the default help text * Readme file, including the test config format documentation * Typo * Warn if config files / executables aren't found * Ignore original name of executable (as per current README) * Update tests to avoid failing on stat of a non-existant file * Add a makefile for ease of build 2017-06-19 20:17:19 +00:00			`Short: "Run CIS Benchmarks checks against a Kubernetes deployment",`
Add link to CIS kubernetes benchmark 2018-08-10 19:55:02 +00:00			Long: `This tool runs the CIS Kubernetes Benchmark (https://www.cisecurity.org/benchmark/kubernetes/)`,
Adds master node detection and a root command that automatically detect checks to run. The root command will run node checks and if possible master checks. I've also added some Makefile targets to improve local testing and improve the documentation. 2019-03-07 17:02:43 +00:00			`Run: func(cmd *cobra.Command, args []string) {`
			`if isMaster() {`
			`glog.V(1).Info("== Running master checks ==\n")`
			`runChecks(check.MASTER)`
			`}`
			`glog.V(1).Info("== Running node checks ==\n")`
			`runChecks(check.NODE)`
			`},`
Initial commit 2017-05-26 09:25:29 +00:00			`}`

			`// Execute adds all child commands to the root command sets flags appropriately.`
			`// This is called by main.main(). It only needs to happen once to the rootCmd.`
			`func Execute() {`
Improve error handling. 2017-07-25 00:34:07 +00:00			`goflag.Set("logtostderr", "true")`
			`goflag.CommandLine.Parse([]string{})`

Initial commit 2017-05-26 09:25:29 +00:00			`if err := RootCmd.Execute(); err != nil {`
			`fmt.Println(err)`
add glog flush to write the output to a file (#329) * add glog flush to write the output to a file * add glog flush before exit on error and fix code comment 2019-07-01 08:49:46 +00:00			`// flush before exit non-zero`
			`glog.Flush()`
Initial commit 2017-05-26 09:25:29 +00:00			`os.Exit(-1)`
			`}`
add glog flush to write the output to a file (#329) * add glog flush to write the output to a file * add glog flush before exit on error and fix code comment 2019-07-01 08:49:46 +00:00			`// flush before exit`
			`glog.Flush()`
Initial commit 2017-05-26 09:25:29 +00:00			`}`

			`func init() {`
			`cobra.OnInitialize(initConfig)`

Add extra output manipulation flags, --noremediations, --nosummary and --noresults. These flags disable printing sections of the final output of kube-bench. 2018-04-10 19:58:19 +00:00			`// Output control`
Fix typo in help text. 2018-04-10 23:04:24 +00:00			`RootCmd.PersistentFlags().BoolVar(&noResults, "noresults", false, "Disable printing of results section")`
Add extra output manipulation flags, --noremediations, --nosummary and --noresults. These flags disable printing sections of the final output of kube-bench. 2018-04-10 19:58:19 +00:00			`RootCmd.PersistentFlags().BoolVar(&noSummary, "nosummary", false, "Disable printing of summary section")`
			`RootCmd.PersistentFlags().BoolVar(&noRemediations, "noremediations", false, "Disable printing of remediations section")`
Added test 1.4.11 (#8) 2017-06-21 19:45:50 +00:00			`RootCmd.PersistentFlags().BoolVar(&jsonFmt, "json", false, "Prints the results as JSON")`
Lint all code for golint tests 2018-01-11 18:01:58 +00:00			`RootCmd.PersistentFlags().BoolVar(&pgSQL, "pgsql", false, "Save the results to PostgreSQL")`
Adjust the semantics of scored and unscored flags 2019-05-01 19:43:06 +00:00			`RootCmd.PersistentFlags().BoolVar(&filterOpts.Scored, "scored", true, "Run the scored CIS checks")`
			`RootCmd.PersistentFlags().BoolVar(&filterOpts.Unscored, "unscored", true, "Run the unscored CIS checks")`
Printing the actual test result of failed tests - when a flag is raised fix #110 2019-05-05 07:52:28 +00:00			`RootCmd.PersistentFlags().BoolVar(&includeTestOutput, "include-test-output", false, "Prints the actual result when test fails")`
Add --outputfile flag for writing json results to output file (#295) 2019-05-29 15:05:55 +00:00			`RootCmd.PersistentFlags().StringVar(&outputFile, "outputfile", "", "Writes the JSON results to output file")`
Add extra output manipulation flags, --noremediations, --nosummary and --noresults. These flags disable printing sections of the final output of kube-bench. 2018-04-10 19:58:19 +00:00
Add support for various installation modes, hyperkube, kubeadm and kops. Issue #17. 2017-07-10 00:02:39 +00:00			`RootCmd.PersistentFlags().StringVarP(`
Add flags to further filter CIS checks to run 2019-04-29 10:17:06 +00:00			`&filterOpts.CheckList,`
Initial commit 2017-05-26 09:25:29 +00:00			`"check",`
			`"c",`
			`"",`
			`A comma-delimited list of checks to run as specified in CIS document. Example --check="1.1.1,1.1.2"`,
			`)`
Add support for various installation modes, hyperkube, kubeadm and kops. Issue #17. 2017-07-10 00:02:39 +00:00			`RootCmd.PersistentFlags().StringVarP(`
Add flags to further filter CIS checks to run 2019-04-29 10:17:06 +00:00			`&filterOpts.GroupList,`
Initial commit 2017-05-26 09:25:29 +00:00			`"group",`
			`"g",`
			`"",`
			`Run all the checks under this comma-delimited list of groups. Example --group="1.1"`,
			`)`
Allow config file to be specified on the command line 2017-06-22 14:34:21 +00:00			`RootCmd.PersistentFlags().StringVar(&cfgFile, "config", "", "config file (default is ./cfg/config.yaml)")`
Allow kubernetes version and config directory to be specified (resolves #107) 2018-04-12 18:22:50 +00:00			`RootCmd.PersistentFlags().StringVarP(&cfgDir, "config-dir", "D", "./cfg/", "config directory")`
			`RootCmd.PersistentFlags().StringVar(&kubeVersion, "version", "", "Manually specify Kubernetes version, automatically detected if unset")`
Improve error handling. 2017-07-25 00:34:07 +00:00
			`goflag.CommandLine.VisitAll(func(goflag *goflag.Flag) {`
			`RootCmd.PersistentFlags().AddGoFlag(goflag)`
			`})`

Initial commit 2017-05-26 09:25:29 +00:00			`}`

			`// initConfig reads in config file and ENV variables if set.`
			`func initConfig() {`
			`if cfgFile != "" { // enable ability to specify config file via flag`
			`viper.SetConfigFile(cfgFile)`
Allow config file to be specified on the command line 2017-06-22 14:34:21 +00:00			`} else {`
			`viper.SetConfigName("config") // name of config file (without extension)`
			`viper.AddConfigPath(cfgDir) // adding ./cfg as first search path`
Initial commit 2017-05-26 09:25:29 +00:00			`}`

added support for saving scan results to pgsql 2017-10-31 20:08:46 +00:00			`viper.SetEnvPrefix(envVarsPrefix)`
Initial commit 2017-05-26 09:25:29 +00:00			`viper.AutomaticEnv() // read in environment variables that match`

			`// If a config file is found, read it in.`
Don't output message about config file if output format is JSON 2017-06-23 09:48:49 +00:00			`if err := viper.ReadInConfig(); err != nil {`
Typo 2017-06-23 09:28:58 +00:00			`colorPrint(check.FAIL, fmt.Sprintf("Failed to read config file: %v\n", err))`
Error if the config file can’t be found 2017-06-22 14:34:01 +00:00			`os.Exit(1)`
Initial commit 2017-05-26 09:25:29 +00:00			`}`
			`}`