Support Linting YAML as part of Travis CI build (#554)

* add yamllint command to Travis CI

installs and runs a linter across the YAML in the
project to ensure consistency in the written YAML.

this uses yamllint and the default yamllint config with
"truthy" and "line-length" disabled.

* run dos2unix on CRLF files

* YAMLLint: remove trailing spaces

* YAMLLint: add YAML document start

* YAMLLint: too many spaces around bracket

* YAMLLint: fix indentation

* YAMLLint: remove duplicate key

* YAMLLint: newline at end of file

* YAMLLint: Too few spaces after comma

* YAMLLint: too many spaces after colon
pull/544/head
James Ward 4 years ago committed by Liz Rice
parent dc14cb14b0
commit 5f34058dc7

@ -1,3 +1,4 @@
---
env:
- GO111MODULE=on
- KUBEBENCH_CFG=/etc/kube-bench/cfg

@ -10,10 +10,12 @@ notifications:
before_install:
- sudo apt-get -qq update
- sudo apt-get install -y rpm
- pip install --user yamllint==1.18.0
- gem install --no-ri --no-rdoc fpm
- go get -t -v ./...
script:
- yamllint -c ./.yamllint.yaml .
- GO111MODULE=on go test ./...
- IMAGE_NAME=kube-bench make build-docker
- docker run -v `pwd`:/host kube-bench install
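Review bot: the `pip install --user yamllint==1.18.0` line pins the version, which is good, but the later `yamllint -c ./.yamllint.yaml .` call only resolves if the build image puts `~/.local/bin` on PATH; if this job ever moves to another runner, `python -m yamllint -c ./.yamllint.yaml .` avoids that dependency. Putting the lint first in `script:` is the right ordering, since a YAML error is cheap to surface before `go test` and the Docker build run. If tighter control over what the build downloads is wanted, a hash-pinned requirements file (`pip install --require-hashes -r ...`) would close the remaining gap that a bare version pin leaves.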

@ -0,0 +1,6 @@
---
extends: default
rules:
line-length: disable
truthy: disable
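Review bot: `line-length: disable` is justified by the long `--tls-cipher-suites` remediation lines elsewhere in this diff, but `truthy: disable` switches off the rule that flags YAML 1.1 boolean-like scalars (`yes`, `no`, `on`, `off`), which is the check most likely to catch a `scored:` or `set:` value that a parser reads differently from how it looks. A one-line comment in this file stating why each rule is disabled would let the next reader decide whether to re-enable it. Note also that `.yamllint.yaml` is one of the file names yamllint picks up by default, so the `-c` flag in `.travis.yml` is explicit rather than required.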

@ -5,7 +5,7 @@ id: 1
text: "Master Node Security Configuration"
type: "master"
groups:
- id: 1.1
- id: 1.1
text: "API Server"
checks:
- id: 1.1.1
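Review bot: the rendered view shows `- id: 1.1` twice with no visible difference, so this hunk is whitespace-only (the indentation fix from the commit message). Worth a quick check that the group item still sits directly under `groups:` after the change, since an indentation shift on a list item can silently re-parent it and the group ids kube-bench reports would then no longer line up with the benchmark.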
@ -682,7 +682,7 @@ groups:
--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
scored: false
- id: 1.2
- id: 1.2
text: "Scheduler"
checks:
- id: 1.2.1
@ -720,7 +720,7 @@ groups:
--address parameter.
scored: true
- id: 1.3
- id: 1.3
text: "Controller Manager"
checks:
- id: 1.3.1
@ -832,7 +832,7 @@ groups:
for the --address parameter.
scored: true
- id: 1.4
- id: 1.4
text: "Configuration Files"
checks:
- id: 1.4.1
@ -1200,7 +1200,7 @@ groups:
master node. For example, chown root:root /etc/kubernetes/controller-manager.conf
scored: true
- id: 1.5
- id: 1.5
text: "etcd"
checks:
- id: 1.5.1
@ -1325,7 +1325,7 @@ groups:
--trusted-ca-file=</path/to/ca-file>
scored: false
- id: 1.6
- id: 1.6
text: "General Security Primitives"
checks:
- id: 1.6.1
@ -1425,7 +1425,7 @@ groups:
Follow Kubernetes documentation and setup PSP and RBAC authorization for your cluster.
scored: false
- id: 1.7
- id: 1.7
text: "PodSecurityPolicies"
checks:
- id: 1.7.1

@ -5,7 +5,7 @@ id: "2"
text: Worker Node Security Configuration
type: "node"
groups:
- id: "2.1"
- id: "2.1"
text: Kubelet
checks:
- id: 2.1.1
@ -353,7 +353,7 @@ groups:
--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
scored: false
- id: "2.2"
- id: "2.2"
text: Configuration Files
checks:
- id: 2.2.1

@ -5,7 +5,7 @@ id: 1
text: "Master Node Security Configuration"
type: "master"
groups:
- id: 1.1
- id: 1.1
text: "API Server"
checks:
- id: 1.1.1
@ -684,7 +684,7 @@ groups:
Edit the API server pod specification file $apiserverbin on the master node and set the --authorization-mode parameter to a value that includes RBAC, for example: --authorization-mode=Node,RBAC
scored: true
- id: 1.2
- id: 1.2
text: "Scheduler"
checks:
- id: 1.2.1
@ -722,7 +722,7 @@ groups:
--address parameter.
scored: true
- id: 1.3
- id: 1.3
text: "Controller Manager"
checks:
- id: 1.3.1
@ -834,7 +834,7 @@ groups:
for the --address parameter.
scored: true
- id: 1.4
- id: 1.4
text: "Configuration Files"
checks:
- id: 1.4.1
@ -1264,7 +1264,7 @@ groups:
For example, chmod -R 600 /etc/kubernetes/pki/*.key
scored: true
- id: 1.5
- id: 1.5
text: "etcd"
checks:
- id: 1.5.1
@ -1389,7 +1389,7 @@ groups:
--trusted-ca-file=</path/to/ca-file>
scored: false
- id: 1.6
- id: 1.6
text: "General Security Primitives"
checks:
- id: 1.6.1
@ -1489,7 +1489,7 @@ groups:
Follow Kubernetes documentation and setup PSP and RBAC authorization for your cluster.
scored: false
- id: 1.7
- id: 1.7
text: "PodSecurityPolicies"
checks:
- id: 1.7.1

@ -5,7 +5,7 @@ id: "2"
text: Worker Node Security Configuration
type: "node"
groups:
- id: "2.1"
- id: "2.1"
text: Kubelet
checks:
- id: 2.1.1
@ -336,7 +336,7 @@ groups:
--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
scored: false
- id: "2.2"
- id: "2.2"
text: Configuration Files
checks:
- id: 2.2.1

@ -5,7 +5,7 @@ id: 3
text: "Control Plane Configuration"
type: "controlplane"
groups:
- id: 3.1
- id: 3.1
text: "Authentication and Authorization"
checks:
- id: 3.1.1
@ -16,7 +16,7 @@ groups:
implemented in place of client certificates.
scored: false
- id: 3.2
- id: 3.2
text: "Logging"
checks:
- id: 3.2.1

@ -5,7 +5,7 @@ id: 2
text: "Etcd Node Configuration"
type: "etcd"
groups:
- id: 2
- id: 2
text: "Etcd Node Configuration Files"
checks:
- id: 2.1

@ -5,7 +5,7 @@ id: 1
text: "Master Node Security Configuration"
type: "master"
groups:
- id: 1.1
- id: 1.1
text: "Master Node Configuration Files "
checks:
- id: 1.1.1
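Review bot: `text: "Master Node Configuration Files "` still carries a trailing space inside the quoted scalar; yamllint's trailing-spaces rule only sees whitespace outside the scalar, so this passes the lint and will show up verbatim in kube-bench's output. Trim it to `text: "Master Node Configuration Files"`.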
@ -391,7 +391,7 @@ groups:
chmod -R 600 /etc/kubernetes/pki/*.key
scored: true
- id: 1.2
- id: 1.2
text: "API Server"
checks:
- id: 1.2.1
@ -966,7 +966,7 @@ groups:
--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
scored: false
- id: 1.3
- id: 1.3
text: "Controller Manager"
checks:
- id: 1.3.1
@ -1076,7 +1076,7 @@ groups:
on the master node and ensure the correct value for the --bind-address parameter
scored: true
- id: 1.4
- id: 1.4
text: "Scheduler"
checks:
- id: 1.4.1

@ -5,7 +5,7 @@ id: 4
text: "Worker Node Security Configuration"
type: "node"
groups:
- id: 4.1
- id: 4.1
text: "Worker Node Configuration Files"
checks:
- id: 4.1.1
@ -191,7 +191,7 @@ groups:
chown root:root $kubeletconf
scored: true
- id: 4.2
- id: 4.2
text: "Kubelet"
checks:
- id: 4.2.1

@ -5,7 +5,7 @@ id: 5
text: "Kubernetes Policies"
type: "policies"
groups:
- id: 5.1
- id: 5.1
text: "RBAC and Service Accounts"
checks:
- id: 5.1.1
@ -59,7 +59,7 @@ groups:
account tokens to disable it.
scored: false
- id: 5.2
- id: 5.2
text: "Pod Security Policies"
checks:
- id: 5.2.1
@ -136,7 +136,7 @@ groups:
a PSP which forbids the admission of containers which do not drop all capabilities.
scored: false
- id: 5.3
- id: 5.3
text: "Network Policies and CNI"
checks:
- id: 5.3.1
@ -155,7 +155,7 @@ groups:
Follow the documentation and create NetworkPolicy objects as you need them.
scored: true
- id: 5.4
- id: 5.4
text: "Secrets Management"
checks:
- id: 5.4.1
@ -174,7 +174,7 @@ groups:
secrets management solution.
scored: false
- id: 5.5
- id: 5.5
text: "Extensible Admission Control"
checks:
- id: 5.5.1
@ -184,7 +184,7 @@ groups:
Follow the Kubernetes documentation and setup image provenance.
scored: false
- id: 5.6
- id: 5.6
text: "General Policies"
checks:
- id: 5.6.1

@ -6,7 +6,7 @@ text: "Securing the OpenShift Master"
type: "master"
groups:
- id: 1
- id: 1
text: "Protecting the API Server"
checks:
- id: 1.1
@ -682,7 +682,7 @@ groups:
scored: true
- id: 2
- id: 2
text: "Scheduler"
checks:
- id: 2.1
@ -691,7 +691,7 @@ groups:
scored: true
- id: 3
- id: 3
text: "Controller Manager"
checks:
- id: 3.1
@ -774,7 +774,6 @@ groups:
op: has
value: "/etc/origin/master/ca-bundle.crt"
set: true
test_items:
- flag: "masterCA"
compare:
op: has
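Review bot: if the line dropped here (7 lines to 6) is the duplicated `test_items:` key named in the commit message, this hunk changes what the check evaluates rather than just how it is formatted: a YAML loader keeps only one value for a duplicate key (usually the last), so before this change one of the two `- flag` tests was silently discarded, and afterwards both the `/etc/origin/master/ca-bundle.crt` test and the `masterCA` test sit in one list and are evaluated together. Confirm that this is the intended check and that the check's `bin_op` is correct for two items.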
@ -811,7 +810,7 @@ groups:
scored: true
- id: 4
- id: 4
text: "Configuration Files"
checks:
- id: 4.1
@ -1149,7 +1148,7 @@ groups:
scored: true
- id: 5
- id: 5
text: "Etcd"
checks:
- id: 5.1
@ -1307,7 +1306,7 @@ groups:
scored: false
- id: 6
- id: 6
text: "General Security Primitives"
checks:
- id: 6.1

@ -4,7 +4,7 @@ id: 2
text: "Worker Node Security Configuration"
type: "node"
groups:
- id: 7
- id: 7
text: "Kubelet"
checks:
- id: 7.1
@ -208,7 +208,7 @@ groups:
scored: true
- id: 8
- id: 8
text: "Configuration Files"
checks:
- id: 8.1

@ -1,3 +1,4 @@
---
# use this pod with: kubectl run ubuntu -it --pid=host -- /bin/bash
# this allows you to debug what is running on the host.
apiVersion: v1
@ -9,8 +10,8 @@ spec:
containers:
- name: ubuntu
image: ubuntu
command: [ "/bin/bash", "-c", "--" ]
args: [ "while true; do sleep 30; done;" ]
command: ["/bin/bash", "-c", "--"]
args: ["while true; do sleep 30; done;"]
volumeMounts:
- name: var-lib-kubelet
mountPath: /var/lib/kubelet

@ -1,3 +1,4 @@
---
apiVersion: batch/v1
kind: Job
metadata:

@ -1,10 +1,11 @@
---
apiVersion: kind.sigs.k8s.io/v1alpha3
kind: Cluster
networking:
apiServerAddress: "0.0.0.0"
kubeadmConfigPatchesJson6902:
- group: kubelet.config.k8s.io
- group: kubelet.config.k8s.io
version: v1beta1
kind: KubeletConfiguration
patch: |
@ -13,7 +14,6 @@ kubeadmConfigPatchesJson6902:
value: ["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"]
nodes:
# the control plane node config
- role: control-plane
# the control plane node config
- role: control-plane
image: "kindest/node:v1.14.6"

@ -1,3 +1,4 @@
---
apiVersion: batch/v1
kind: Job
metadata:
@ -29,4 +30,3 @@ spec:
- name: etc-kubernetes
hostPath:
path: "/etc/kubernetes"

@ -1,3 +1,4 @@
---
apiVersion: batch/v1
kind: Job
metadata:

@ -1,3 +1,4 @@
---
apiVersion: batch/v1
kind: Job
metadata:
@ -15,7 +16,7 @@ spec:
containers:
- name: kube-bench
image: aquasec/kube-bench:latest
command: ["kube-bench","master"]
command: ["kube-bench", "master"]
volumeMounts:
- name: var-lib-etcd
mountPath: /var/lib/etcd

@ -1,3 +1,4 @@
---
apiVersion: batch/v1
kind: Job
metadata:
@ -9,7 +10,7 @@ spec:
containers:
- name: kube-bench
image: aquasec/kube-bench:latest
command: ["kube-bench","node"]
command: ["kube-bench", "node"]
volumeMounts:
- name: var-lib-kubelet
mountPath: /var/lib/kubelet

@ -1,3 +1,4 @@
---
apiVersion: batch/v1
kind: Job
metadata:
