Fixes Issue #535 (#537)

* isEtcd should not run on openshift 3.10/3.11 * adds openssl * fixed tests * fixes bugs * adds isEtcd tests
4 years ago · 13193d75b0
parent 62af68f3f5
commit 13193d75b0
7 changed files with 103 additions and 11 deletions
--- a/5
+++ b/5
@ -12,6 +12,11 @@ WORKDIR /opt/kube-bench/
 # add GNU ps for -C, -o cmd, and --no-headers support
 # https://github.com/aquasecurity/kube-bench/issues/109
 RUN apk --no-cache add procps
+
+# Openssl is used by OpenShift tests
+# https://github.com/aquasecurity/kube-bench/issues/535
+RUN apk --no-cache add openssl
+
 COPY --from=build /go/bin/kube-bench /usr/local/bin/kube-bench
 COPY entrypoint.sh .
 COPY cfg/ cfg/
--- a/cfg/config.yaml
+++ b/cfg/config.yaml
@ -25,7 +25,6 @@ master:
      - "hyperkube apiserver"
      - "hyperkube kube-apiserver"
      - "apiserver"
-      - "openshift start master api"
    confs:
      - /etc/kubernetes/manifests/kube-apiserver.yaml
      - /etc/kubernetes/manifests/kube-apiserver.manifest
@ -38,7 +37,6 @@ master:
      - "hyperkube scheduler"
      - "hyperkube kube-scheduler"
      - "scheduler"
-      - "openshift start master controllers"
    confs:
      - /etc/kubernetes/manifests/kube-scheduler.yaml
      - /etc/kubernetes/manifests/kube-scheduler.manifest
@ -52,7 +50,6 @@ master:
      - "hyperkube controller-manager"
      - "hyperkube kube-controller-manager"
      - "controller-manager"
-      - "openshift start master controllers"
    confs:
      - /etc/kubernetes/manifests/kube-controller-manager.yaml
      - /etc/kubernetes/manifests/kube-controller-manager.manifest
--- a/cfg/node_only.yaml
+++ b/cfg/node_only.yaml
@ -59,4 +59,15 @@ node:
    svc:
      - "/lib/systemd/system/kube-proxy.service"
    defaultconf: /etc/kubernetes/addons/kube-proxy-daemonset.yaml
-    defaultkubeconfig: "/etc/kubernetes/proxy.conf"
+    defaultkubeconfig: "/etc/kubernetes/proxy.conf"
+
+version_mapping:
+  "1.11": "cis-1.3"
+  "1.12": "cis-1.3"
+  "1.13": "cis-1.4"
+  "1.14": "cis-1.4"
+  "1.15": "cis-1.5"
+  "1.16": "cis-1.5"
+  "1.17": "cis-1.5"
+  "ocp-3.10": "rh-0.7"
+  "ocp-3.11": "rh-0.7"
--- a/cfg/rh-0.7/config.yaml
+++ b/cfg/rh-0.7/config.yaml
@ -10,12 +10,14 @@ master:
  scheduler:
    bins:
      - "openshift start master controllers"
+      - "hyperkube kube-scheduler"
    confs:
      - /etc/origin/master/scheduler.json

  controllermanager:
    bins:
      - "openshift start master controllers"
+      - "hypershift openshift-controller-manager"

  etcd:
    bins:
--- a/cmd/common.go
+++ b/cmd/common.go
@ -319,6 +319,7 @@ func getBenchmarkVersion(kubeVersion, benchmarkVersion string, v *viper.Viper) (

 // isMaster verify if master components are running on the node.
 func isMaster() bool {
+	loadConfig(check.MASTER)
 	return isThisNodeRunning(check.MASTER)
 }

--- a/cmd/common_test.go
+++ b/cmd/common_test.go
@ -155,6 +155,20 @@ func TestIsMaster(t *testing.T) {
 			isMaster: false,
 		},
 	}
+	cfgDirOld := cfgDir
+	cfgDir = "../cfg"
+	defer func() {
+		cfgDir = cfgDirOld
+	}()
+
+	execCode := `#!/bin/sh
+	echo "Server Version: v1.13.10"
+	`
+	restore, err := fakeExecutableInPath("kubectl", execCode)
+	if err != nil {
+		t.Fatal("Failed when calling fakeExecutableInPath ", err)
+	}
+	defer restore()

 	for _, tc := range testCases {
 		cfgFile = tc.cfgFile
@ -386,6 +400,73 @@ func TestValidTargets(t *testing.T) {
 	}
 }

+func TestIsEtcd(t *testing.T) {
+	testCases := []struct {
+		name            string
+		cfgFile         string
+		getBinariesFunc func(*viper.Viper, check.NodeType) (map[string]string, error)
+		isEtcd          bool
+	}{
+		{
+			name:    "valid config, is etcd and all components are running",
+			cfgFile: "../cfg/config.yaml",
+			getBinariesFunc: func(viper *viper.Viper, nt check.NodeType) (strings map[string]string, i error) {
+				return map[string]string{"etcd": "etcd"}, nil
+			},
+			isEtcd: true,
+		},
+		{
+			name:    "valid config, is etcd and but not all components are running",
+			cfgFile: "../cfg/config.yaml",
+			getBinariesFunc: func(viper *viper.Viper, nt check.NodeType) (strings map[string]string, i error) {
+				return map[string]string{}, nil
+			},
+			isEtcd: false,
+		},
+		{
+			name:    "valid config, is etcd, not all components are running and fails to find all binaries",
+			cfgFile: "../cfg/config.yaml",
+			getBinariesFunc: func(viper *viper.Viper, nt check.NodeType) (strings map[string]string, i error) {
+				return map[string]string{}, errors.New("failed to find binaries")
+			},
+			isEtcd: false,
+		},
+		{
+			name:    "valid config, does not include etcd",
+			cfgFile: "../cfg/node_only.yaml",
+			isEtcd:  false,
+		},
+	}
+	cfgDirOld := cfgDir
+	cfgDir = "../cfg"
+	defer func() {
+		cfgDir = cfgDirOld
+	}()
+
+	execCode := `#!/bin/sh
+	echo "Server Version: v1.15.03"
+	`
+	restore, err := fakeExecutableInPath("kubectl", execCode)
+	if err != nil {
+		t.Fatal("Failed when calling fakeExecutableInPath ", err)
+	}
+	defer restore()
+
+	for _, tc := range testCases {
+		cfgFile = tc.cfgFile
+		initConfig()
+
+		oldGetBinariesFunc := getBinariesFunc
+		getBinariesFunc = tc.getBinariesFunc
+		defer func() {
+			getBinariesFunc = oldGetBinariesFunc
+			cfgFile = ""
+		}()
+
+		assert.Equal(t, tc.isEtcd, isEtcd(), tc.name)
+	}
+}
+
 func loadConfigForTest() (*viper.Viper, error) {
 	viperWithData := viper.New()
 	viperWithData.SetConfigFile(filepath.Join("..", cfgDir, "config.yaml"))
@ -410,11 +491,6 @@ func fakeExecutableInPath(execFile, execCode string) (restoreFn, error) {
 		return nil, err
 	}

-	err = os.Chdir(tmp)
-	if err != nil {
-		return nil, err
-	}
-
 	if len(execCode) > 0 {
 		ioutil.WriteFile(filepath.Join(tmp, execFile), []byte(execCode), 0700)
 	} else {
--- a/cmd/root.go
+++ b/cmd/root.go
@ -64,7 +64,7 @@ var RootCmd = &cobra.Command{
 	Run: func(cmd *cobra.Command, args []string) {
 		benchmarkVersion, err := getBenchmarkVersion(kubeVersion, benchmarkVersion, viper.GetViper())
 		if err != nil {
-			exitWithError(err)
+			exitWithError(fmt.Errorf("unable to determine benchmark version: %v", err))
 		}

 		if isMaster() {
@ -81,7 +81,7 @@ var RootCmd = &cobra.Command{

 		// Etcd is only valid for CIS 1.5 and later,
 		// this a gatekeeper for previous versions.
-		if isEtcd() && validTargets(benchmarkVersion, []string{string(check.ETCD)}) {
+		if validTargets(benchmarkVersion, []string{string(check.ETCD)}) && isEtcd() {
 			glog.V(1).Info("== Running etcd checks ==\n")
 			runChecks(check.ETCD, loadConfig(check.ETCD))
 		}