arno/kube-bench
1
0
Fork 0
mirror of https://github.com/aquasecurity/kube-bench.git synced 2024-11-15 20:39:08 +00:00
Code Issues Releases Wiki Activity
dd39b19ffc
kube-bench/cmd/run.go

113 lines
3.5 KiB
Go
Raw Normal View History

Add run subcommand (#529) * test: fix TestGetConfigFilePath This test wasn't correctly creating the test file due to the wrong directory permissions on the temp file. This wasn't detected due to a lack of error checking. Also, the code was only checking for file not exist rather than lack of permission to read file (or any other error). The combination of these two things means the test wasn't checking what it thought it was checking, and passed more by luck than judgment. * add getYamlFilesFromDir * add getTestYamlFiles and test * docs: Update master / node help text * return path + filename from getYamlFilesFromDir * subcommand run to run specific section files
2019-12-02 15:40:44 +00:00
package cmd
import (
"fmt"
"os"
"path/filepath"
"strings"
"github.com/aquasecurity/kube-bench/check"
"github.com/golang/glog"
"github.com/spf13/cobra"
"github.com/spf13/viper"
)
func init() {
RootCmd.AddCommand(runCmd)
Fixes Issue #494 - add tests for CIS 1.5 (#530) * Initial commit. * Add master and node config. * Add section 5 of CIS 1.5.1. * Split sections into section files * Fix YAML issues. * adds target translation * adds target translation * adds cis-1.5 mapping * fixed tests * fixes are per PR * fixed intergration test * integration kind test file to appropriate ks8 version * fixed etcd text * fixed README * fixed text * etcd: fixed grep path * etcd: fixes * fixed error message bug * Update README.md Co-Authored-By: Liz Rice <liz@lizrice.com> * Update README.md Co-Authored-By: Liz Rice <liz@lizrice.com> * fixes as per PR review
2019-12-05 20:55:44 +00:00
runCmd.Flags().StringSliceP("targets", "s", []string{},
`Specify targets of the benchmark to run. These names need to match the filenames in the cfg/<version> directory.
move target mapping to config.yaml - updated version (#682) * move target mapping to config.yaml * Update config.yaml * Update common.go * Add support for eks-1.0 Add also eks-1.0 to map * chore: merge correction * Move file only used for testing * Tidier logs * Add target mapping for GKE and EKS * fingers cross this finishes target mapping Co-authored-by: Murali Paluru <leodotcloud@gmail.com> Co-authored-by: Roberto Rojas <robertojrojas@gmail.com> Co-authored-by: yoavrotems <yoavrotems97@gmail.com>
2020-08-30 07:16:21 +00:00
For example, to run the tests specified in master.yaml and etcd.yaml, specify --targets=master,etcd
Fixes Issue #494 - add tests for CIS 1.5 (#530) * Initial commit. * Add master and node config. * Add section 5 of CIS 1.5.1. * Split sections into section files * Fix YAML issues. * adds target translation * adds target translation * adds cis-1.5 mapping * fixed tests * fixes are per PR * fixed intergration test * integration kind test file to appropriate ks8 version * fixed etcd text * fixed README * fixed text * etcd: fixed grep path * etcd: fixes * fixed error message bug * Update README.md Co-Authored-By: Liz Rice <liz@lizrice.com> * Update README.md Co-Authored-By: Liz Rice <liz@lizrice.com> * fixes as per PR review
2019-12-05 20:55:44 +00:00
If no targets are specified, run tests from all files in the cfg/<version> directory.
Add run subcommand (#529) * test: fix TestGetConfigFilePath This test wasn't correctly creating the test file due to the wrong directory permissions on the temp file. This wasn't detected due to a lack of error checking. Also, the code was only checking for file not exist rather than lack of permission to read file (or any other error). The combination of these two things means the test wasn't checking what it thought it was checking, and passed more by luck than judgment. * add getYamlFilesFromDir * add getTestYamlFiles and test * docs: Update master / node help text * return path + filename from getYamlFilesFromDir * subcommand run to run specific section files
2019-12-02 15:40:44 +00:00
`)
}
// runCmd represents the run command
var runCmd = &cobra.Command{
Use: "run",
Short: "Run tests",
Long: `Run tests. If no arguments are specified, runs tests from all files`,
Run: func(cmd *cobra.Command, args []string) {
Fixes Issue #494 - add tests for CIS 1.5 (#530) * Initial commit. * Add master and node config. * Add section 5 of CIS 1.5.1. * Split sections into section files * Fix YAML issues. * adds target translation * adds target translation * adds cis-1.5 mapping * fixed tests * fixes are per PR * fixed intergration test * integration kind test file to appropriate ks8 version * fixed etcd text * fixed README * fixed text * etcd: fixed grep path * etcd: fixes * fixed error message bug * Update README.md Co-Authored-By: Liz Rice <liz@lizrice.com> * Update README.md Co-Authored-By: Liz Rice <liz@lizrice.com> * fixes as per PR review
2019-12-05 20:55:44 +00:00
targets, err := cmd.Flags().GetStringSlice("targets")
Add run subcommand (#529) * test: fix TestGetConfigFilePath This test wasn't correctly creating the test file due to the wrong directory permissions on the temp file. This wasn't detected due to a lack of error checking. Also, the code was only checking for file not exist rather than lack of permission to read file (or any other error). The combination of these two things means the test wasn't checking what it thought it was checking, and passed more by luck than judgment. * add getYamlFilesFromDir * add getTestYamlFiles and test * docs: Update master / node help text * return path + filename from getYamlFilesFromDir * subcommand run to run specific section files
2019-12-02 15:40:44 +00:00
if err != nil {
Fixes Issue #538 (#539) * Adds openshift to autodetect node type * detect okd node units * OCP fixes
2019-12-13 16:04:58 +00:00
exitWithError(fmt.Errorf("unable to get `targets` from command line :%v", err))
Add run subcommand (#529) * test: fix TestGetConfigFilePath This test wasn't correctly creating the test file due to the wrong directory permissions on the temp file. This wasn't detected due to a lack of error checking. Also, the code was only checking for file not exist rather than lack of permission to read file (or any other error). The combination of these two things means the test wasn't checking what it thought it was checking, and passed more by luck than judgment. * add getYamlFilesFromDir * add getTestYamlFiles and test * docs: Update master / node help text * return path + filename from getYamlFilesFromDir * subcommand run to run specific section files
2019-12-02 15:40:44 +00:00
}
Update auto-detection codes to support check platform version (#1074) Co-authored-by: Yoav Rotem <yoavrotems97@gmail.com>
2022-01-10 13:25:15 +00:00
bv, err := getBenchmarkVersion(kubeVersion, benchmarkVersion, getPlatformInfo(), viper.GetViper())
Add run subcommand (#529) * test: fix TestGetConfigFilePath This test wasn't correctly creating the test file due to the wrong directory permissions on the temp file. This wasn't detected due to a lack of error checking. Also, the code was only checking for file not exist rather than lack of permission to read file (or any other error). The combination of these two things means the test wasn't checking what it thought it was checking, and passed more by luck than judgment. * add getYamlFilesFromDir * add getTestYamlFiles and test * docs: Update master / node help text * return path + filename from getYamlFilesFromDir * subcommand run to run specific section files
2019-12-02 15:40:44 +00:00
if err != nil {
Fixes Issue #538 (#539) * Adds openshift to autodetect node type * detect okd node units * OCP fixes
2019-12-13 16:04:58 +00:00
exitWithError(fmt.Errorf("unable to get benchmark version. error: %v", err))
Add run subcommand (#529) * test: fix TestGetConfigFilePath This test wasn't correctly creating the test file due to the wrong directory permissions on the temp file. This wasn't detected due to a lack of error checking. Also, the code was only checking for file not exist rather than lack of permission to read file (or any other error). The combination of these two things means the test wasn't checking what it thought it was checking, and passed more by luck than judgment. * add getYamlFilesFromDir * add getTestYamlFiles and test * docs: Update master / node help text * return path + filename from getYamlFilesFromDir * subcommand run to run specific section files
2019-12-02 15:40:44 +00:00
}
move target mapping to config.yaml - updated version (#682) * move target mapping to config.yaml * Update config.yaml * Update common.go * Add support for eks-1.0 Add also eks-1.0 to map * chore: merge correction * Move file only used for testing * Tidier logs * Add target mapping for GKE and EKS * fingers cross this finishes target mapping Co-authored-by: Murali Paluru <leodotcloud@gmail.com> Co-authored-by: Roberto Rojas <robertojrojas@gmail.com> Co-authored-by: yoavrotems <yoavrotems97@gmail.com>
2020-08-30 07:16:21 +00:00
glog.V(2).Infof("Checking targets %v for %v", targets, bv)
benchmarkVersionToTargetsMap, err := loadTargetMapping(viper.GetViper())
if err != nil {
exitWithError(fmt.Errorf("error loading targets: %v", err))
}
valid, err := validTargets(bv, targets, viper.GetViper())
if err != nil {
exitWithError(fmt.Errorf("error validating targets: %v", err))
}
if len(targets) > 0 && !valid {
exitWithError(fmt.Errorf(fmt.Sprintf(`The specified --targets "%s" are not configured for the CIS Benchmark %s\n Valid targets %v`, strings.Join(targets, ","), bv, benchmarkVersionToTargetsMap[bv])))
Fixes Issue #494 - add tests for CIS 1.5 (#530) * Initial commit. * Add master and node config. * Add section 5 of CIS 1.5.1. * Split sections into section files * Fix YAML issues. * adds target translation * adds target translation * adds cis-1.5 mapping * fixed tests * fixes are per PR * fixed intergration test * integration kind test file to appropriate ks8 version * fixed etcd text * fixed README * fixed text * etcd: fixed grep path * etcd: fixes * fixed error message bug * Update README.md Co-Authored-By: Liz Rice <liz@lizrice.com> * Update README.md Co-Authored-By: Liz Rice <liz@lizrice.com> * fixes as per PR review
2019-12-05 20:55:44 +00:00
}
Add run subcommand (#529) * test: fix TestGetConfigFilePath This test wasn't correctly creating the test file due to the wrong directory permissions on the temp file. This wasn't detected due to a lack of error checking. Also, the code was only checking for file not exist rather than lack of permission to read file (or any other error). The combination of these two things means the test wasn't checking what it thought it was checking, and passed more by luck than judgment. * add getYamlFilesFromDir * add getTestYamlFiles and test * docs: Update master / node help text * return path + filename from getYamlFilesFromDir * subcommand run to run specific section files
2019-12-02 15:40:44 +00:00
// Merge version-specific config if any.
move target mapping to config.yaml - updated version (#682) * move target mapping to config.yaml * Update config.yaml * Update common.go * Add support for eks-1.0 Add also eks-1.0 to map * chore: merge correction * Move file only used for testing * Tidier logs * Add target mapping for GKE and EKS * fingers cross this finishes target mapping Co-authored-by: Murali Paluru <leodotcloud@gmail.com> Co-authored-by: Roberto Rojas <robertojrojas@gmail.com> Co-authored-by: yoavrotems <yoavrotems97@gmail.com>
2020-08-30 07:16:21 +00:00
path := filepath.Join(cfgDir, bv)
chore: fix defer func in for-loop (#825) * chore: call defer func for each iteration Signed-off-by: TakahiroTsuruda <isrgnoe@gmail.com> * chore: error check
2021-02-23 14:22:15 +00:00
err = mergeConfig(path)
if err != nil {
Fix the `--exit-code` flag doesn't work when run with subcommand (#1084)
2022-01-23 07:40:59 +00:00
exitWithError(fmt.Errorf("Error in mergeConfig: %v\n", err))
chore: fix defer func in for-loop (#825) * chore: call defer func for each iteration Signed-off-by: TakahiroTsuruda <isrgnoe@gmail.com> * chore: error check
2021-02-23 14:22:15 +00:00
}
Add run subcommand (#529) * test: fix TestGetConfigFilePath This test wasn't correctly creating the test file due to the wrong directory permissions on the temp file. This wasn't detected due to a lack of error checking. Also, the code was only checking for file not exist rather than lack of permission to read file (or any other error). The combination of these two things means the test wasn't checking what it thought it was checking, and passed more by luck than judgment. * add getYamlFilesFromDir * add getTestYamlFiles and test * docs: Update master / node help text * return path + filename from getYamlFilesFromDir * subcommand run to run specific section files
2019-12-02 15:40:44 +00:00
move target mapping to config.yaml - updated version (#682) * move target mapping to config.yaml * Update config.yaml * Update common.go * Add support for eks-1.0 Add also eks-1.0 to map * chore: merge correction * Move file only used for testing * Tidier logs * Add target mapping for GKE and EKS * fingers cross this finishes target mapping Co-authored-by: Murali Paluru <leodotcloud@gmail.com> Co-authored-by: Roberto Rojas <robertojrojas@gmail.com> Co-authored-by: yoavrotems <yoavrotems97@gmail.com>
2020-08-30 07:16:21 +00:00
err = run(targets, bv)
Add run subcommand (#529) * test: fix TestGetConfigFilePath This test wasn't correctly creating the test file due to the wrong directory permissions on the temp file. This wasn't detected due to a lack of error checking. Also, the code was only checking for file not exist rather than lack of permission to read file (or any other error). The combination of these two things means the test wasn't checking what it thought it was checking, and passed more by luck than judgment. * add getYamlFilesFromDir * add getTestYamlFiles and test * docs: Update master / node help text * return path + filename from getYamlFilesFromDir * subcommand run to run specific section files
2019-12-02 15:40:44 +00:00
if err != nil {
Fix the `--exit-code` flag doesn't work when run with subcommand (#1084)
2022-01-23 07:40:59 +00:00
exitWithError(fmt.Errorf("Error in run: %v\n", err))
Add run subcommand (#529) * test: fix TestGetConfigFilePath This test wasn't correctly creating the test file due to the wrong directory permissions on the temp file. This wasn't detected due to a lack of error checking. Also, the code was only checking for file not exist rather than lack of permission to read file (or any other error). The combination of these two things means the test wasn't checking what it thought it was checking, and passed more by luck than judgment. * add getYamlFilesFromDir * add getTestYamlFiles and test * docs: Update master / node help text * return path + filename from getYamlFilesFromDir * subcommand run to run specific section files
2019-12-02 15:40:44 +00:00
}
Fix the `--exit-code` flag doesn't work when run with subcommand (#1084)
2022-01-23 07:40:59 +00:00
os.Exit(exitCodeSelection(controlsCollection))
Add run subcommand (#529) * test: fix TestGetConfigFilePath This test wasn't correctly creating the test file due to the wrong directory permissions on the temp file. This wasn't detected due to a lack of error checking. Also, the code was only checking for file not exist rather than lack of permission to read file (or any other error). The combination of these two things means the test wasn't checking what it thought it was checking, and passed more by luck than judgment. * add getYamlFilesFromDir * add getTestYamlFiles and test * docs: Update master / node help text * return path + filename from getYamlFilesFromDir * subcommand run to run specific section files
2019-12-02 15:40:44 +00:00
},
}
Fixes Issue #494 - add tests for CIS 1.5 (#530) * Initial commit. * Add master and node config. * Add section 5 of CIS 1.5.1. * Split sections into section files * Fix YAML issues. * adds target translation * adds target translation * adds cis-1.5 mapping * fixed tests * fixes are per PR * fixed intergration test * integration kind test file to appropriate ks8 version * fixed etcd text * fixed README * fixed text * etcd: fixed grep path * etcd: fixes * fixed error message bug * Update README.md Co-Authored-By: Liz Rice <liz@lizrice.com> * Update README.md Co-Authored-By: Liz Rice <liz@lizrice.com> * fixes as per PR review
2019-12-05 20:55:44 +00:00
func run(targets []string, benchmarkVersion string) (err error) {
yamlFiles, err := getTestYamlFiles(targets, benchmarkVersion)
Add run subcommand (#529) * test: fix TestGetConfigFilePath This test wasn't correctly creating the test file due to the wrong directory permissions on the temp file. This wasn't detected due to a lack of error checking. Also, the code was only checking for file not exist rather than lack of permission to read file (or any other error). The combination of these two things means the test wasn't checking what it thought it was checking, and passed more by luck than judgment. * add getYamlFilesFromDir * add getTestYamlFiles and test * docs: Update master / node help text * return path + filename from getYamlFilesFromDir * subcommand run to run specific section files
2019-12-02 15:40:44 +00:00
if err != nil {
return err
}
glog.V(3).Infof("Running tests from files %v\n", yamlFiles)
for _, yamlFile := range yamlFiles {
_, name := filepath.Split(yamlFile)
testType := check.NodeType(strings.Split(name, ".")[0])
Add detected kubernetes version (#869) * Add detected kubernetes version to controls * Refactore NewControls function Now new Control function is expecting detected version argument. * Refactore NewControls function Now new Control function is expecting detected version argument. * Refactore NewControls function New Control function is expecting detected version argument. * Add detected kube version * add detecetedKubeVersion * Add detecetedKubeVersion * Add detectedKubeVersion * Add detecetedKubeVersion * Fix missing version * Change version Change version from 3.10 to rh-0.7 * fix version: "cis-1.5" * fix version: "cis-1.5" * fix version: "cis-1.5" * Fix version: "cis-1.5" * Fix version: "cis-1.5" * Fix version: "cis-1.6" * Fix version: "cis-1.6" * Fix version: "cis-1.6" * Fix version: "cis-1.6" * Fix version: "cis-1.6"
2021-05-09 11:48:34 +00:00
runChecks(testType, yamlFile, detecetedKubeVersion)
Add run subcommand (#529) * test: fix TestGetConfigFilePath This test wasn't correctly creating the test file due to the wrong directory permissions on the temp file. This wasn't detected due to a lack of error checking. Also, the code was only checking for file not exist rather than lack of permission to read file (or any other error). The combination of these two things means the test wasn't checking what it thought it was checking, and passed more by luck than judgment. * add getYamlFilesFromDir * add getTestYamlFiles and test * docs: Update master / node help text * return path + filename from getYamlFilesFromDir * subcommand run to run specific section files
2019-12-02 15:40:44 +00:00
}
Fix invalid JSON output (#629) * Fix invalid JSON output Fixes #622 * Apply suggestions from code review Co-authored-by: Liz Rice <liz@lizrice.com> * Add tests Co-authored-by: Liz Rice <liz@lizrice.com>
2020-06-24 09:13:10 +00:00
writeOutput(controlsCollection)
Add run subcommand (#529) * test: fix TestGetConfigFilePath This test wasn't correctly creating the test file due to the wrong directory permissions on the temp file. This wasn't detected due to a lack of error checking. Also, the code was only checking for file not exist rather than lack of permission to read file (or any other error). The combination of these two things means the test wasn't checking what it thought it was checking, and passed more by luck than judgment. * add getYamlFilesFromDir * add getTestYamlFiles and test * docs: Update master / node help text * return path + filename from getYamlFilesFromDir * subcommand run to run specific section files
2019-12-02 15:40:44 +00:00
return nil
}
Fixes Issue #494 - add tests for CIS 1.5 (#530) * Initial commit. * Add master and node config. * Add section 5 of CIS 1.5.1. * Split sections into section files * Fix YAML issues. * adds target translation * adds target translation * adds cis-1.5 mapping * fixed tests * fixes are per PR * fixed intergration test * integration kind test file to appropriate ks8 version * fixed etcd text * fixed README * fixed text * etcd: fixed grep path * etcd: fixes * fixed error message bug * Update README.md Co-Authored-By: Liz Rice <liz@lizrice.com> * Update README.md Co-Authored-By: Liz Rice <liz@lizrice.com> * fixes as per PR review
2019-12-05 20:55:44 +00:00
func getTestYamlFiles(targets []string, benchmarkVersion string) (yamlFiles []string, err error) {
// Check that the specified targets have corresponding YAML files in the config directory
Add run subcommand (#529) * test: fix TestGetConfigFilePath This test wasn't correctly creating the test file due to the wrong directory permissions on the temp file. This wasn't detected due to a lack of error checking. Also, the code was only checking for file not exist rather than lack of permission to read file (or any other error). The combination of these two things means the test wasn't checking what it thought it was checking, and passed more by luck than judgment. * add getYamlFilesFromDir * add getTestYamlFiles and test * docs: Update master / node help text * return path + filename from getYamlFilesFromDir * subcommand run to run specific section files
2019-12-02 15:40:44 +00:00
configFileDirectory := filepath.Join(cfgDir, benchmarkVersion)
Fixes Issue #494 - add tests for CIS 1.5 (#530) * Initial commit. * Add master and node config. * Add section 5 of CIS 1.5.1. * Split sections into section files * Fix YAML issues. * adds target translation * adds target translation * adds cis-1.5 mapping * fixed tests * fixes are per PR * fixed intergration test * integration kind test file to appropriate ks8 version * fixed etcd text * fixed README * fixed text * etcd: fixed grep path * etcd: fixes * fixed error message bug * Update README.md Co-Authored-By: Liz Rice <liz@lizrice.com> * Update README.md Co-Authored-By: Liz Rice <liz@lizrice.com> * fixes as per PR review
2019-12-05 20:55:44 +00:00
for _, target := range targets {
filename := translate(target) + ".yaml"
Add run subcommand (#529) * test: fix TestGetConfigFilePath This test wasn't correctly creating the test file due to the wrong directory permissions on the temp file. This wasn't detected due to a lack of error checking. Also, the code was only checking for file not exist rather than lack of permission to read file (or any other error). The combination of these two things means the test wasn't checking what it thought it was checking, and passed more by luck than judgment. * add getYamlFilesFromDir * add getTestYamlFiles and test * docs: Update master / node help text * return path + filename from getYamlFilesFromDir * subcommand run to run specific section files
2019-12-02 15:40:44 +00:00
file := filepath.Join(configFileDirectory, filename)
if _, err := os.Stat(file); err != nil {
return nil, fmt.Errorf("file %s not found for version %s", filename, benchmarkVersion)
}
yamlFiles = append(yamlFiles, file)
}
Fixes Issue #494 - add tests for CIS 1.5 (#530) * Initial commit. * Add master and node config. * Add section 5 of CIS 1.5.1. * Split sections into section files * Fix YAML issues. * adds target translation * adds target translation * adds cis-1.5 mapping * fixed tests * fixes are per PR * fixed intergration test * integration kind test file to appropriate ks8 version * fixed etcd text * fixed README * fixed text * etcd: fixed grep path * etcd: fixes * fixed error message bug * Update README.md Co-Authored-By: Liz Rice <liz@lizrice.com> * Update README.md Co-Authored-By: Liz Rice <liz@lizrice.com> * fixes as per PR review
2019-12-05 20:55:44 +00:00
// If no targets were specified, we will run tests from all the files in the directory
Add run subcommand (#529) * test: fix TestGetConfigFilePath This test wasn't correctly creating the test file due to the wrong directory permissions on the temp file. This wasn't detected due to a lack of error checking. Also, the code was only checking for file not exist rather than lack of permission to read file (or any other error). The combination of these two things means the test wasn't checking what it thought it was checking, and passed more by luck than judgment. * add getYamlFilesFromDir * add getTestYamlFiles and test * docs: Update master / node help text * return path + filename from getYamlFilesFromDir * subcommand run to run specific section files
2019-12-02 15:40:44 +00:00
if len(yamlFiles) == 0 {
yamlFiles, err = getYamlFilesFromDir(configFileDirectory)
if err != nil {
return nil, err
}
}
return yamlFiles, err
}
Fixes Issue #494 - add tests for CIS 1.5 (#530) * Initial commit. * Add master and node config. * Add section 5 of CIS 1.5.1. * Split sections into section files * Fix YAML issues. * adds target translation * adds target translation * adds cis-1.5 mapping * fixed tests * fixes are per PR * fixed intergration test * integration kind test file to appropriate ks8 version * fixed etcd text * fixed README * fixed text * etcd: fixed grep path * etcd: fixes * fixed error message bug * Update README.md Co-Authored-By: Liz Rice <liz@lizrice.com> * Update README.md Co-Authored-By: Liz Rice <liz@lizrice.com> * fixes as per PR review
2019-12-05 20:55:44 +00:00
func translate(target string) string {
return strings.Replace(strings.ToLower(target), "worker", "node", -1)
}
Reference in New Issue Copy Permalink