arno/kube-bench
1
0
Fork 0
mirror of https://github.com/aquasecurity/kube-bench.git synced 2025-05-22 16:58:53 +00:00
Code Issues Releases Wiki Activity

Support Linting YAML as part of Travis CI build (#554)

Browse Source 
* add yamllint command to travis CI

installs and runs a linter across the YAML in the
project to ensure consistency in the written YAML.

this uses yamllint and the default yamllint config with
"truthy" and "line-length" disabled.

* run dos2unix on CRLF files

* YAMLLINT: remove trailing spaces

* YAMLLint: add YAML document start

* YAMLLint: too many spaces around bracket

* YAMLLint: fix indentation

* YAMLLint: remove duplicate key

* YAMLLint: newline at end of file

* YAMLLint: Too few spaces after comma

* YAMLLint: too many spaces after colon
This commit is contained in:
James Ward 2020-01-06 04:18:25 -05:00 committed by Liz Rice
parent dc14cb14b0
commit 5f34058dc7
28 changed files with 8006 additions and 7992 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.goreleaser.yml
View File

@ -1,3 +1,4 @@
---
env:
- GO111MODULE=on
- KUBEBENCH_CFG=/etc/kube-bench/cfg

2
.travis.yml
View File

@ -10,10 +10,12 @@ notifications:
before_install:
- sudo apt-get -qq update
- sudo apt-get install -y rpm
- pip install --user yamllint==1.18.0
- gem install --no-ri --no-rdoc fpm
- go get -t -v ./...
script:
- yamllint -c ./.yamllint.yaml .
- GO111MODULE=on go test ./...
- IMAGE_NAME=kube-bench make build-docker
- docker run -v `pwd`:/host kube-bench install

6
.yamllint.yaml Normal file
View File

@ -0,0 +1,6 @@
---
extends: default
rules:
line-length: disable
truthy: disable

14
cfg/cis-1.3/master.yaml
View File

@ -5,7 +5,7 @@ id: 1
text: "Master Node Security Configuration"
type: "master"
groups:
- id: 1.1
- id: 1.1
text: "API Server"
checks:
- id: 1.1.1
@ -682,7 +682,7 @@ groups:
--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
scored: false
- id: 1.2
- id: 1.2
text: "Scheduler"
checks:
- id: 1.2.1
@ -720,7 +720,7 @@ groups:
--address parameter.
scored: true
- id: 1.3
- id: 1.3
text: "Controller Manager"
checks:
- id: 1.3.1
@ -832,7 +832,7 @@ groups:
for the --address parameter.
scored: true
- id: 1.4
- id: 1.4
text: "Configuration Files"
checks:
- id: 1.4.1
@ -1200,7 +1200,7 @@ groups:
master node. For example, chown root:root /etc/kubernetes/controller-manager.conf
scored: true
- id: 1.5
- id: 1.5
text: "etcd"
checks:
- id: 1.5.1
@ -1325,7 +1325,7 @@ groups:
--trusted-ca-file=</path/to/ca-file>
scored: false
- id: 1.6
- id: 1.6
text: "General Security Primitives"
checks:
- id: 1.6.1
@ -1425,7 +1425,7 @@ groups:
Follow Kubernetes documentation and setup PSP and RBAC authorization for your cluster.
scored: false
- id: 1.7
- id: 1.7
text: "PodSecurityPolicies"
checks:
- id: 1.7.1

4
cfg/cis-1.3/node.yaml
View File

@ -5,7 +5,7 @@ id: "2"
text: Worker Node Security Configuration
type: "node"
groups:
- id: "2.1"
- id: "2.1"
text: Kubelet
checks:
- id: 2.1.1
@ -353,7 +353,7 @@ groups:
--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
scored: false
- id: "2.2"
- id: "2.2"
text: Configuration Files
checks:
- id: 2.2.1

14
cfg/cis-1.4/master.yaml
View File

@ -5,7 +5,7 @@ id: 1
text: "Master Node Security Configuration"
type: "master"
groups:
- id: 1.1
- id: 1.1
text: "API Server"
checks:
- id: 1.1.1
@ -684,7 +684,7 @@ groups:
Edit the API server pod specification file $apiserverbin on the master node and set the --authorization-mode parameter to a value that includes RBAC, for example: --authorization-mode=Node,RBAC
scored: true
- id: 1.2
- id: 1.2
text: "Scheduler"
checks:
- id: 1.2.1
@ -722,7 +722,7 @@ groups:
--address parameter.
scored: true
- id: 1.3
- id: 1.3
text: "Controller Manager"
checks:
- id: 1.3.1
@ -834,7 +834,7 @@ groups:
for the --address parameter.
scored: true
- id: 1.4
- id: 1.4
text: "Configuration Files"
checks:
- id: 1.4.1
@ -1264,7 +1264,7 @@ groups:
For example, chmod -R 600 /etc/kubernetes/pki/*.key
scored: true
- id: 1.5
- id: 1.5
text: "etcd"
checks:
- id: 1.5.1
@ -1389,7 +1389,7 @@ groups:
--trusted-ca-file=</path/to/ca-file>
scored: false
- id: 1.6
- id: 1.6
text: "General Security Primitives"
checks:
- id: 1.6.1
@ -1489,7 +1489,7 @@ groups:
Follow Kubernetes documentation and setup PSP and RBAC authorization for your cluster.
scored: false
- id: 1.7
- id: 1.7
text: "PodSecurityPolicies"
checks:
- id: 1.7.1

4
cfg/cis-1.4/node.yaml
View File

@ -5,7 +5,7 @@ id: "2"
text: Worker Node Security Configuration
type: "node"
groups:
- id: "2.1"
- id: "2.1"
text: Kubelet
checks:
- id: 2.1.1
@ -336,7 +336,7 @@ groups:
--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
scored: false
- id: "2.2"
- id: "2.2"
text: Configuration Files
checks:
- id: 2.2.1

4
cfg/cis-1.5/controlplane.yaml
View File

@ -5,7 +5,7 @@ id: 3
text: "Control Plane Configuration"
type: "controlplane"
groups:
- id: 3.1
- id: 3.1
text: "Authentication and Authorization"
checks:
- id: 3.1.1
@ -16,7 +16,7 @@ groups:
implemented in place of client certificates.
scored: false
- id: 3.2
- id: 3.2
text: "Logging"
checks:
- id: 3.2.1

2
cfg/cis-1.5/etcd.yaml
View File

@ -5,7 +5,7 @@ id: 2
text: "Etcd Node Configuration"
type: "etcd"
groups:
- id: 2
- id: 2
text: "Etcd Node Configuration Files"
checks:
- id: 2.1

8
cfg/cis-1.5/master.yaml
View File

@ -5,7 +5,7 @@ id: 1
text: "Master Node Security Configuration"
type: "master"
groups:
- id: 1.1
- id: 1.1
text: "Master Node Configuration Files "
checks:
- id: 1.1.1
@ -391,7 +391,7 @@ groups:
chmod -R 600 /etc/kubernetes/pki/*.key
scored: true
- id: 1.2
- id: 1.2
text: "API Server"
checks:
- id: 1.2.1
@ -966,7 +966,7 @@ groups:
--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
scored: false
- id: 1.3
- id: 1.3
text: "Controller Manager"
checks:
- id: 1.3.1
@ -1076,7 +1076,7 @@ groups:
on the master node and ensure the correct value for the --bind-address parameter
scored: true
- id: 1.4
- id: 1.4
text: "Scheduler"
checks:
- id: 1.4.1

4
cfg/cis-1.5/node.yaml
View File

@ -5,7 +5,7 @@ id: 4
text: "Worker Node Security Configuration"
type: "node"
groups:
- id: 4.1
- id: 4.1
text: "Worker Node Configuration Files"
checks:
- id: 4.1.1
@ -191,7 +191,7 @@ groups:
chown root:root $kubeletconf
scored: true
- id: 4.2
- id: 4.2
text: "Kubelet"
checks:
- id: 4.2.1

12
cfg/cis-1.5/policies.yaml
View File

@ -5,7 +5,7 @@ id: 5
text: "Kubernetes Policies"
type: "policies"
groups:
- id: 5.1
- id: 5.1
text: "RBAC and Service Accounts"
checks:
- id: 5.1.1
@ -59,7 +59,7 @@ groups:
account tokens to disable it.
scored: false
- id: 5.2
- id: 5.2
text: "Pod Security Policies"
checks:
- id: 5.2.1
@ -136,7 +136,7 @@ groups:
a PSP which forbids the admission of containers which do not drop all capabilities.
scored: false
- id: 5.3
- id: 5.3
text: "Network Policies and CNI"
checks:
- id: 5.3.1
@ -155,7 +155,7 @@ groups:
Follow the documentation and create NetworkPolicy objects as you need them.
scored: true
- id: 5.4
- id: 5.4
text: "Secrets Management"
checks:
- id: 5.4.1
@ -174,7 +174,7 @@ groups:
secrets management solution.
scored: false
- id: 5.5
- id: 5.5
text: "Extensible Admission Control"
checks:
- id: 5.5.1
@ -184,7 +184,7 @@ groups:
Follow the Kubernetes documentation and setup image provenance.
scored: false
- id: 5.6
- id: 5.6
text: "General Policies"
checks:
- id: 5.6.1

13
cfg/rh-0.7/master.yaml
View File

@ -6,7 +6,7 @@ text: "Securing the OpenShift Master"
type: "master"
groups:
- id: 1
- id: 1
text: "Protecting the API Server"
checks:
- id: 1.1
@ -682,7 +682,7 @@ groups:
scored: true
- id: 2
- id: 2
text: "Scheduler"
checks:
- id: 2.1
@ -691,7 +691,7 @@ groups:
scored: true
- id: 3
- id: 3
text: "Controller Manager"
checks:
- id: 3.1
@ -774,7 +774,6 @@ groups:
op: has
value: "/etc/origin/master/ca-bundle.crt"
set: true
test_items:
- flag: "masterCA"
compare:
op: has
@ -811,7 +810,7 @@ groups:
scored: true
- id: 4
- id: 4
text: "Configuration Files"
checks:
- id: 4.1
@ -1149,7 +1148,7 @@ groups:
scored: true
- id: 5
- id: 5
text: "Etcd"
checks:
- id: 5.1
@ -1307,7 +1306,7 @@ groups:
scored: false
- id: 6
- id: 6
text: "General Security Primitives"
checks:
- id: 6.1

4
cfg/rh-0.7/node.yaml
View File

@ -4,7 +4,7 @@ id: 2
text: "Worker Node Security Configuration"
type: "node"
groups:
- id: 7
- id: 7
text: "Kubelet"
checks:
- id: 7.1
@ -208,7 +208,7 @@ groups:
scored: true
- id: 8
- id: 8
text: "Configuration Files"
checks:
- id: 8.1

5
hack/debug.yaml
View File

@ -1,3 +1,4 @@
---
# use this pod with: kubectl run ubuntu -it --pid=host -- /bin/bash
# this allows you to debug what is running on the host.
apiVersion: v1
@ -9,8 +10,8 @@ spec:
containers:
- name: ubuntu
image: ubuntu
command: [ "/bin/bash", "-c", "--" ]
args: [ "while true; do sleep 30; done;" ]
command: ["/bin/bash", "-c", "--"]
args: ["while true; do sleep 30; done;"]
volumeMounts:
- name: var-lib-kubelet
mountPath: /var/lib/kubelet

1
hack/kind.yaml
View File

@ -1,3 +1,4 @@
---
apiVersion: batch/v1
kind: Job
metadata:

8
integration/testdata/add-tls-kind-k8s114.yaml vendored
View File

@ -1,10 +1,11 @@
---
apiVersion: kind.sigs.k8s.io/v1alpha3
kind: Cluster
networking:
apiServerAddress: "0.0.0.0"
kubeadmConfigPatchesJson6902:
- group: kubelet.config.k8s.io
- group: kubelet.config.k8s.io
version: v1beta1
kind: KubeletConfiguration
patch: |
@ -13,7 +14,6 @@ kubeadmConfigPatchesJson6902:
value: ["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"]
nodes:
# the control plane node config
- role: control-plane
# the control plane node config
- role: control-plane
image: "kindest/node:v1.14.6"

2
job-eks.yaml
View File

@ -1,3 +1,4 @@
---
apiVersion: batch/v1
kind: Job
metadata:
@ -29,4 +30,3 @@ spec:
- name: etc-kubernetes
hostPath:
path: "/etc/kubernetes"

1
job-iks.yaml
View File

@ -1,3 +1,4 @@
---
apiVersion: batch/v1
kind: Job
metadata:

3
job-master.yaml
View File

@ -1,3 +1,4 @@
---
apiVersion: batch/v1
kind: Job
metadata:
@ -15,7 +16,7 @@ spec:
containers:
- name: kube-bench
image: aquasec/kube-bench:latest
command: ["kube-bench","master"]
command: ["kube-bench", "master"]
volumeMounts:
- name: var-lib-etcd
mountPath: /var/lib/etcd

3
job-node.yaml
View File

@ -1,3 +1,4 @@
---
apiVersion: batch/v1
kind: Job
metadata:
@ -9,7 +10,7 @@ spec:
containers:
- name: kube-bench
image: aquasec/kube-bench:latest
command: ["kube-bench","node"]
command: ["kube-bench", "node"]
volumeMounts:
- name: var-lib-kubelet
mountPath: /var/lib/kubelet

1
job.yaml
View File

@ -1,3 +1,4 @@
---
apiVersion: batch/v1
kind: Job
metadata: