
Merge branch 'main' into kb-cis-support-rancher

This commit is contained in:
Kiran Bodipi 2023-11-02 16:57:30 +05:30 committed by Kiran Bodipi
commit 7eb142f5e7
11 changed files with 29 additions and 20 deletions


@ -95,7 +95,7 @@ jobs:
with: with:
fetch-depth: 0 fetch-depth: 0
- name: Dry-run release snapshot - name: Dry-run release snapshot
uses: goreleaser/goreleaser-action@v4 uses: goreleaser/goreleaser-action@v5
with: with:
distribution: goreleaser distribution: goreleaser
version: v1.7.0 version: v1.7.0


@ -17,7 +17,7 @@ jobs:
- name: Check Out Repo - name: Check Out Repo
uses: actions/checkout@v3 uses: actions/checkout@v3
- name: Set up QEMU - name: Set up QEMU
uses: docker/setup-qemu-action@v2 uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx - name: Set up Docker Buildx
id: buildx id: buildx
uses: docker/setup-buildx-action@v2 uses: docker/setup-buildx-action@v2
@ -41,7 +41,7 @@ jobs:
password: ${{ secrets.ECR_SECRET_ACCESS_KEY }} password: ${{ secrets.ECR_SECRET_ACCESS_KEY }}
- name: Get version - name: Get version
id: get_version id: get_version
uses: crazy-max/ghaction-docker-meta@v4 uses: crazy-max/ghaction-docker-meta@v5
with: with:
images: ${{ env.REP }} images: ${{ env.REP }}
tag-semver: | tag-semver: |
@ -49,7 +49,7 @@ jobs:
- name: Build and push - Docker/ECR - name: Build and push - Docker/ECR
id: docker_build id: docker_build
uses: docker/build-push-action@v4 uses: docker/build-push-action@v5
with: with:
context: . context: .
platforms: linux/amd64,linux/arm64,linux/ppc64le,linux/s390x platforms: linux/amd64,linux/arm64,linux/ppc64le,linux/s390x
@ -67,7 +67,7 @@ jobs:
- name: Build and push ubi image - Docker/ECR - name: Build and push ubi image - Docker/ECR
id: docker_build_ubi id: docker_build_ubi
uses: docker/build-push-action@v4 uses: docker/build-push-action@v5
with: with:
context: . context: .
platforms: linux/amd64,linux/arm64,linux/ppc64le,linux/s390x platforms: linux/amd64,linux/arm64,linux/ppc64le,linux/s390x
@ -86,7 +86,7 @@ jobs:
- name: Build and push fips ubi image - Docker/ECR - name: Build and push fips ubi image - Docker/ECR
id: docker_build_fips_ubi id: docker_build_fips_ubi
uses: docker/build-push-action@v4 uses: docker/build-push-action@v5
with: with:
context: . context: .
platforms: linux/amd64,linux/arm64,linux/ppc64le,linux/s390x platforms: linux/amd64,linux/arm64,linux/ppc64le,linux/s390x


@ -44,7 +44,7 @@ jobs:
second_file_path: integration/testdata/Expected_output.data second_file_path: integration/testdata/Expected_output.data
expected_result: PASSED expected_result: PASSED
- name: Release - name: Release
uses: goreleaser/goreleaser-action@v4 uses: goreleaser/goreleaser-action@v5
with: with:
distribution: goreleaser distribution: goreleaser
version: v1.7.0 version: v1.7.0


@ -1,4 +1,4 @@
FROM golang:1.20.6 AS build FROM golang:1.21.1 AS build
WORKDIR /go/src/github.com/aquasecurity/kube-bench/ WORKDIR /go/src/github.com/aquasecurity/kube-bench/
COPY makefile makefile COPY makefile makefile
COPY go.mod go.sum ./ COPY go.mod go.sum ./
@ -9,7 +9,7 @@ COPY internal/ internal/
ARG KUBEBENCH_VERSION ARG KUBEBENCH_VERSION
RUN make build && cp kube-bench /go/bin/kube-bench RUN make build && cp kube-bench /go/bin/kube-bench
FROM alpine:3.18.2 AS run FROM alpine:3.18.3 AS run
WORKDIR /opt/kube-bench/ WORKDIR /opt/kube-bench/
# add GNU ps for -C, -o cmd, and --no-headers support # add GNU ps for -C, -o cmd, and --no-headers support
# https://github.com/aquasecurity/kube-bench/issues/109 # https://github.com/aquasecurity/kube-bench/issues/109


@ -1,4 +1,4 @@
FROM golang:1.20.6 AS build FROM golang:1.21.1 AS build
WORKDIR /go/src/github.com/aquasecurity/kube-bench/ WORKDIR /go/src/github.com/aquasecurity/kube-bench/
COPY makefile makefile COPY makefile makefile
COPY go.mod go.sum ./ COPY go.mod go.sum ./


@ -1,4 +1,4 @@
FROM golang:1.20.6 AS build FROM golang:1.21.1 AS build
WORKDIR /go/src/github.com/aquasecurity/kube-bench/ WORKDIR /go/src/github.com/aquasecurity/kube-bench/
COPY makefile makefile COPY makefile makefile
COPY go.mod go.sum ./ COPY go.mod go.sum ./


@ -24,7 +24,12 @@ Tests are configured with YAML files, making this tool easy to update as test sp
![Kubernetes Bench for Security](/docs/images/output.png "Kubernetes Bench for Security") ![Kubernetes Bench for Security](/docs/images/output.png "Kubernetes Bench for Security")
### Quick start ## CIS Scanning as part of Trivy and the Trivy Operator
[Trivy](https://github.com/aquasecurity/trivy), the all in one cloud native security scanner, can be deployed as a [Kubernetes Operator](https://github.com/aquasecurity/trivy-operator) inside a cluster.
Both, the [Trivy CLI](https://github.com/aquasecurity/trivy), and the [Trivy Operator](https://github.com/aquasecurity/trivy-operator) support CIS Kubernetes Benchmark scanning among several other features.
## Quick start
There are multiple ways to run kube-bench. There are multiple ways to run kube-bench.
You can run kube-bench inside a pod, but it will need access to the host's PID namespace in order to check the running processes, as well as access to some directories on the host where config files and other files are stored. You can run kube-bench inside a pod, but it will need access to the host's PID namespace in order to check the running processes, as well as access to some directories on the host where config files and other files are stored.


@ -296,11 +296,15 @@ Alternatively, you can specify the version with --version
func getKubeVersion() (*KubeVersion, error) { func getKubeVersion() (*KubeVersion, error) {
kubeConfig, err := rest.InClusterConfig() kubeConfig, err := rest.InClusterConfig()
isRKE := false
if kubeConfig != nil {
k8sClient, err := kubernetes.NewForConfig(kubeConfig) k8sClient, err := kubernetes.NewForConfig(kubeConfig)
isRKE, err := providers.IsRKE(context.Background(), k8sClient) isRKE, err = providers.IsRKE(context.Background(), k8sClient)
if err != nil { if err != nil {
glog.V(3).Infof("Error detecting RKE cluster: %s", err) glog.V(3).Infof("Error detecting RKE cluster: %s", err)
} }
}
if k8sVer, err := getKubeVersionFromRESTAPI(); err == nil { if k8sVer, err := getKubeVersionFromRESTAPI(); err == nil {
glog.V(2).Info(fmt.Sprintf("Kubernetes REST API Reported version: %s", k8sVer)) glog.V(2).Info(fmt.Sprintf("Kubernetes REST API Reported version: %s", k8sVer))
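Review bot: The error returned by `kubernetes.NewForConfig(kubeConfig)` on the new side is overwritten by the `providers.IsRKE` call on the following line without ever being checked, so a config that is present but cannot produce a client passes a possibly nil `k8sClient` into `IsRKE`, which is likely to dereference nil and abort the scan instead of logging a detection failure. Guard the call, e.g. `if err != nil { glog.V(3).Infof("Error creating Kubernetes client: %s", err) } else if isRKE, err = providers.IsRKE(context.Background(), k8sClient); err != nil { glog.V(3).Infof("Error detecting RKE cluster: %s", err) }`, so detection is skipped and `isRKE` keeps its `false` default when no client can be built. The `err` from `rest.InClusterConfig()` is likewise not inspected in the visible lines; the `kubeConfig != nil` check presumably stands in for it, but logging that error at `V(3)` would make out-of-cluster runs easier to diagnose. The body of `getKubeVersion`, including where `isRKE` is consumed, continues past the hunk.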

2
go.mod

@ -7,7 +7,7 @@ require (
github.com/aws/aws-sdk-go-v2/config v1.18.4 github.com/aws/aws-sdk-go-v2/config v1.18.4
github.com/aws/aws-sdk-go-v2/service/securityhub v1.29.1 github.com/aws/aws-sdk-go-v2/service/securityhub v1.29.1
github.com/fatih/color v1.14.1 github.com/fatih/color v1.14.1
github.com/golang/glog v1.0.0 github.com/golang/glog v1.1.2
github.com/magiconair/properties v1.8.7 github.com/magiconair/properties v1.8.7
github.com/onsi/ginkgo v1.16.5 github.com/onsi/ginkgo v1.16.5
github.com/pkg/errors v0.9.1 github.com/pkg/errors v0.9.1

4
go.sum

@ -137,8 +137,8 @@ github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXP
github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
github.com/golang/glog v1.0.0 h1:nfP3RFugxnNRyKgeWd4oI1nYvXpxrx8ck8ZrcizshdQ= github.com/golang/glog v1.1.2 h1:DVjP2PbBOzHyzA+dn3WhHIq4NdVu3Q+pvivFICf/7fo=
github.com/golang/glog v1.0.0/go.mod h1:EWib/APOK0SL3dFbYqvxE3UYd8E6s1ouQ7iEp/0LWV4= github.com/golang/glog v1.1.2/go.mod h1:zR+okUeTbrL6EL3xHUDxZuEtGv04p5shwip1+mL/rLQ=
github.com/golang/groupcache v0.0.0-20160516000752-02826c3e7903/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/groupcache v0.0.0-20160516000752-02826c3e7903/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=


@ -11,7 +11,7 @@ spec:
spec: spec:
containers: containers:
- command: ["kube-bench"] - command: ["kube-bench"]
image: docker.io/aquasec/kube-bench:v0.6.17 image: docker.io/aquasec/kube-bench:v0.6.19
name: kube-bench name: kube-bench
volumeMounts: volumeMounts:
- mountPath: /var/lib/etcd - mountPath: /var/lib/etcd