
Add detected kubernetes version (#869)

* Add detected kubernetes version to controls

* Refactor NewControls function

Now new Control function is expecting detected version argument.

* Refactore NewControls function

Now new Control function is expecting detected version argument.

* Refactore NewControls function

New Control function is expecting detected version argument.

* Add detected kube version

* add detecetedKubeVersion

* Add detecetedKubeVersion

* Add detectedKubeVersion

* Add detecetedKubeVersion

* Fix missing version

* Change version

Change version from 3.10 to rh-0.7

* fix version: "cis-1.5"

* fix version: "cis-1.5"

* fix version: "cis-1.5"

* Fix version: "cis-1.5"

* Fix version: "cis-1.5"

* Fix version: "cis-1.6"

* Fix version: "cis-1.6"

* Fix version: "cis-1.6"

* Fix version: "cis-1.6"

* Fix version: "cis-1.6"
Yoav Rotem 2021-05-09 14:48:34 +03:00 committed by GitHub
parent 182e64753e
commit 887965d31f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
21 changed files with 73 additions and 65 deletions


@ -1,6 +1,6 @@
---
controls:
version: 1.5
version: "cis-1.5"
id: 3
text: "Control Plane Configuration"
type: "controlplane"


@ -1,6 +1,6 @@
---
controls:
version: 1.15
version: "cis-1.5"
id: 2
text: "Etcd Node Configuration"
type: "etcd"


@ -1,6 +1,6 @@
---
controls:
version: 1.5
version: "cis-1.5"
id: 1
text: "Master Node Security Configuration"
type: "master"


@ -1,6 +1,6 @@
---
controls:
version: 1.5
version: "cis-1.5"
id: 4
text: "Worker Node Security Configuration"
type: "node"


@ -1,6 +1,6 @@
---
controls:
version: 1.5
version: "cis-1.5"
id: 5
text: "Kubernetes Policies"
type: "policies"


@ -1,6 +1,6 @@
---
controls:
version: 1.6
version: "cis-1.6"
id: 3
text: "Control Plane Configuration"
type: "controlplane"


@ -1,6 +1,6 @@
---
controls:
version: 1.6
version: "cis-1.6"
id: 2
text: "Etcd Node Configuration"
type: "etcd"


@ -1,6 +1,6 @@
---
controls:
version: 1.6
version: "cis-1.6"
id: 1
text: "Master Node Security Configuration"
type: "master"


@ -1,6 +1,6 @@
---
controls:
version: 1.6
version: "cis-1.6"
id: 4
text: "Worker Node Security Configuration"
type: "node"


@ -1,6 +1,6 @@
---
controls:
version: 1.6
version: "cis-1.6"
id: 5
text: "Kubernetes Policies"
type: "policies"


@ -1,6 +1,6 @@
---
controls:
version: 3.10
version: "rh-0.7"
id: 1
text: "Securing the OpenShift Master"
type: "master"


@ -1,5 +1,6 @@
---
controls:
version: "rh-0.7"
id: 2
text: "Worker Node Security Configuration"
type: "node"


@ -47,11 +47,12 @@ type OverallControls struct {
// Controls holds all controls to check for master nodes.
type Controls struct {
ID string `yaml:"id" json:"id"`
Version string `json:"version"`
Text string `json:"text"`
Type NodeType `json:"node_type"`
Groups []*Group `json:"tests"`
ID string `yaml:"id" json:"id"`
Version string `json:"version"`
DetectedVersion string `json:"detected_version,omitempty"`
Text string `json:"text"`
Type NodeType `json:"node_type"`
Groups []*Group `json:"tests"`
Summary
}
@ -79,7 +80,7 @@ type Summary struct {
type Predicate func(group *Group, check *Check) bool
// NewControls instantiates a new master Controls object.
func NewControls(t NodeType, in []byte) (*Controls, error) {
func NewControls(t NodeType, in []byte, detectedVersion string) (*Controls, error) {
c := new(Controls)
err := yaml.Unmarshal(in, c)
@ -90,7 +91,7 @@ func NewControls(t NodeType, in []byte) (*Controls, error) {
if t != c.Type {
return nil, fmt.Errorf("non-%s controls file specified", t)
}
c.DetectedVersion = detectedVersion
return c, nil
}
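Review bot: The new `DetectedVersion` field is assigned unconditionally after yaml.Unmarshal, so any matching key in a controls file is silently overwritten, while its yaml mapping is left to the library default even though the sibling `ID` field carries an explicit yaml tag; tagging it `DetectedVersion string `yaml:"-" json:"detected_version,omitempty"`` would state that only the caller sets it. The NewControls doc comment still reads "instantiates a new master Controls object" and says nothing about the added argument; suggest `// NewControls instantiates a new master Controls object from the YAML in and records detectedVersion, as supplied by the caller, on the result.` The same comment should say whether an empty detectedVersion is an accepted input, since the updated tests pass "".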


@ -83,7 +83,7 @@ type: # not specified
groups:
`)
// when
_, err := NewControls(MASTER, in)
_, err := NewControls(MASTER, in, "")
// then
assert.EqualError(t, err, "non-master controls file specified")
})
@ -92,7 +92,7 @@ groups:
// given
in := []byte("BOOM")
// when
_, err := NewControls(MASTER, in)
_, err := NewControls(MASTER, in, "")
// then
assert.EqualError(t, err, "failed to unmarshal YAML: yaml: unmarshal errors:\n line 1: cannot unmarshal !!str `BOOM` into check.Controls")
})
@ -118,7 +118,7 @@ groups:
- id: G2/C1
- id: G2/C2
`)
controls, err := NewControls(MASTER, in)
controls, err := NewControls(MASTER, in, "")
assert.NoError(t, err)
var allChecks Predicate = func(group *Group, c *Check) bool {
@ -153,7 +153,7 @@ groups:
checks:
- id: G1/C1
`)
controls, err := NewControls(MASTER, in)
controls, err := NewControls(MASTER, in, "")
assert.NoError(t, err)
var allChecks Predicate = func(group *Group, c *Check) bool {
@ -196,7 +196,7 @@ groups:
scored: true
`)
// and
controls, err := NewControls(MASTER, in)
controls, err := NewControls(MASTER, in, "")
assert.NoError(t, err)
// and
runner.On("Run", controls.Groups[0].Checks[0]).Return(PASS)
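Review bot: Every updated call passes "" for the new argument, so nothing in this file asserts that NewControls actually stores the value it is given. One of the happy-path cases, for example the one at `controls, err := NewControls(MASTER, in, "")` followed by `assert.NoError(t, err)`, could pass a sentinel such as `"v-test"` and add `assert.Equal(t, "v-test", controls.DetectedVersion)`. The enclosing test functions start outside the hunks.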


@ -38,7 +38,7 @@ func init() {
user := os.Getenv("USER")
s := strings.Replace(string(in), "$user", user, -1)
controls, err = NewControls(MASTER, []byte(s))
controls, err = NewControls(MASTER, []byte(s), "")
// controls, err = NewControls(MASTER, in)
if err != nil {
panic("Failed creating test controls: " + err.Error())
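Review bot: The commented-out call `// controls, err = NewControls(MASTER, in)` directly below the updated line now shows the old two-argument signature, which will mislead the next reader into thinking both forms exist; either delete it or update it in step with the live call. The enclosing init function starts outside the hunk.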


@ -64,7 +64,7 @@ func NewRunFilter(opts FilterOpts) (check.Predicate, error) {
}, nil
}
func runChecks(nodetype check.NodeType, testYamlFile string) {
func runChecks(nodetype check.NodeType, testYamlFile, detectedVersion string) {
// Verify config file was loaded into Viper during Cobra sub-command initialization.
if configFileError != nil {
colorPrint(check.FAIL, fmt.Sprintf("Failed to read config file: %v\n", configFileError))
@ -106,7 +106,7 @@ func runChecks(nodetype check.NodeType, testYamlFile string) {
s, _ = makeSubstitutions(s, "kubeconfig", kubeconfmap)
s, _ = makeSubstitutions(s, "cafile", cafilemap)
controls, err := check.NewControls(nodetype, []byte(s))
controls, err := check.NewControls(nodetype, []byte(s), detectedVersion)
if err != nil {
exitWithError(fmt.Errorf("error setting up %s controls: %v", nodetype, err))
}
@ -123,7 +123,7 @@ func runChecks(nodetype check.NodeType, testYamlFile string) {
controlsCollection = append(controlsCollection, controls)
}
func generateDefaultEnvAudit(controls *check.Controls, binSubs []string){
func generateDefaultEnvAudit(controls *check.Controls, binSubs []string) {
for _, group := range controls.Groups {
for _, checkItem := range group.Checks {
if checkItem.Tests != nil && !checkItem.DisableEnvTesting {
@ -314,11 +314,15 @@ func loadTargetMapping(v *viper.Viper) (map[string][]string, error) {
}
func getBenchmarkVersion(kubeVersion, benchmarkVersion, platformName string, v *viper.Viper) (bv string, err error) {
detecetedKubeVersion = "none"
if !isEmpty(kubeVersion) && !isEmpty(benchmarkVersion) {
return "", fmt.Errorf("It is an error to specify both --version and --benchmark flags")
}
if isEmpty(benchmarkVersion) && isEmpty(kubeVersion) && !isEmpty(platformName){
if isEmpty(benchmarkVersion) && isEmpty(kubeVersion) && !isEmpty(platformName) {
benchmarkVersion = getPlatformBenchmarkVersion(platformName)
if !isEmpty(benchmarkVersion) {
detecetedKubeVersion = benchmarkVersion
}
}
if isEmpty(benchmarkVersion) {
@ -328,6 +332,7 @@ func getBenchmarkVersion(kubeVersion, benchmarkVersion, platformName string, v *
return "", fmt.Errorf("Version check failed: %s\nAlternatively, you can specify the version with --version", err)
}
kubeVersion = kv.BaseVersion()
detecetedKubeVersion = kubeVersion
}
kubeToBenchmarkMap, err := loadVersionMapping(v)
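Review bot: `detecetedKubeVersion` is reset to `"none"` at the top of getBenchmarkVersion and only assigned on the auto-detect paths, so a version supplied explicitly via `kubeVersion` never reaches the `detected_version` field (assuming the elided lines between the hunks skip detection when kubeVersion is already set), and the `"none"` sentinel also defeats the `omitempty` on that field; assigning `detecetedKubeVersion = kubeVersion` once the flag checks have passed, and leaving the variable empty rather than `"none"`, would cover both. On the platform branch the variable receives `benchmarkVersion` rather than a Kubernetes version, so the one JSON field carries two different kinds of value, which at least deserves a comment on the Controls field. The value also travels through a package global that master.go, node.go, root.go and run.go read after this call, an ordering nothing in the signatures expresses; returning it alongside `bv` would make the dependency explicit and testable. The identifier is misspelled (`deteceted`) here and in the root.go var block. getBenchmarkVersion continues past the hunk.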


@ -630,7 +630,7 @@ groups:
Edit the config file /this/is/a/file/path and set SomeSampleFlag to true.
scored: true
`)
controls, err := check.NewControls(check.MASTER, input)
controls, err := check.NewControls(check.MASTER, input, "")
assert.NoError(t, err)
binSubs := []string{"TestBinPath"}


@ -34,7 +34,7 @@ var masterCmd = &cobra.Command{
}
filename := loadConfig(check.MASTER, bv)
runChecks(check.MASTER, filename)
runChecks(check.MASTER, filename, detecetedKubeVersion)
writeOutput(controlsCollection)
},
Deprecated: "this command will be retired soon. Please use the `run` command with `--targets=master` instead.",


@ -34,7 +34,7 @@ var nodeCmd = &cobra.Command{
}
filename := loadConfig(check.NODE, bv)
runChecks(check.NODE, filename)
runChecks(check.NODE, filename, detecetedKubeVersion)
writeOutput(controlsCollection)
},
Deprecated: "this command will be retired soon. Please use the `run` command with `--targets=node` instead.",


@ -33,33 +33,34 @@ type FilterOpts struct {
}
var (
envVarsPrefix = "KUBE_BENCH"
defaultKubeVersion = "1.18"
kubeVersion string
benchmarkVersion string
cfgFile string
cfgDir = "./cfg/"
jsonFmt bool
junitFmt bool
pgSQL bool
aSFF bool
masterFile = "master.yaml"
nodeFile = "node.yaml"
etcdFile = "etcd.yaml"
controlplaneFile = "controlplane.yaml"
policiesFile = "policies.yaml"
managedservicesFile = "managedservices.yaml"
exitCode int
noResults bool
noSummary bool
noRemediations bool
skipIds string
noTotals bool
filterOpts FilterOpts
includeTestOutput bool
outputFile string
configFileError error
controlsCollection []*check.Controls
envVarsPrefix = "KUBE_BENCH"
defaultKubeVersion = "1.18"
kubeVersion string
detecetedKubeVersion string
benchmarkVersion string
cfgFile string
cfgDir = "./cfg/"
jsonFmt bool
junitFmt bool
pgSQL bool
aSFF bool
masterFile = "master.yaml"
nodeFile = "node.yaml"
etcdFile = "etcd.yaml"
controlplaneFile = "controlplane.yaml"
policiesFile = "policies.yaml"
managedservicesFile = "managedservices.yaml"
exitCode int
noResults bool
noSummary bool
noRemediations bool
skipIds string
noTotals bool
filterOpts FilterOpts
includeTestOutput bool
outputFile string
configFileError error
controlsCollection []*check.Controls
)
// RootCmd represents the base command when called without any subcommands
@ -76,7 +77,7 @@ var RootCmd = &cobra.Command{
if isMaster() {
glog.V(1).Info("== Running master checks ==")
runChecks(check.MASTER, loadConfig(check.MASTER, bv))
runChecks(check.MASTER, loadConfig(check.MASTER, bv), detecetedKubeVersion)
// Control Plane is only valid for CIS 1.5 and later,
// this a gatekeeper for previous versions
@ -86,7 +87,7 @@ var RootCmd = &cobra.Command{
}
if valid {
glog.V(1).Info("== Running control plane checks ==")
runChecks(check.CONTROLPLANE, loadConfig(check.CONTROLPLANE, bv))
runChecks(check.CONTROLPLANE, loadConfig(check.CONTROLPLANE, bv), detecetedKubeVersion)
}
} else {
glog.V(1).Info("== Skipping master checks ==")
@ -100,13 +101,13 @@ var RootCmd = &cobra.Command{
}
if valid && isEtcd() {
glog.V(1).Info("== Running etcd checks ==")
runChecks(check.ETCD, loadConfig(check.ETCD, bv))
runChecks(check.ETCD, loadConfig(check.ETCD, bv), detecetedKubeVersion)
} else {
glog.V(1).Info("== Skipping etcd checks ==")
}
glog.V(1).Info("== Running node checks ==")
runChecks(check.NODE, loadConfig(check.NODE, bv))
runChecks(check.NODE, loadConfig(check.NODE, bv), detecetedKubeVersion)
// Policies is only valid for CIS 1.5 and later,
// this a gatekeeper for previous versions.
@ -116,7 +117,7 @@ var RootCmd = &cobra.Command{
}
if valid {
glog.V(1).Info("== Running policies checks ==")
runChecks(check.POLICIES, loadConfig(check.POLICIES, bv))
runChecks(check.POLICIES, loadConfig(check.POLICIES, bv), detecetedKubeVersion)
} else {
glog.V(1).Info("== Skipping policies checks ==")
}
@ -129,7 +130,7 @@ var RootCmd = &cobra.Command{
}
if valid {
glog.V(1).Info("== Running managed services checks ==")
runChecks(check.MANAGEDSERVICES, loadConfig(check.MANAGEDSERVICES, bv))
runChecks(check.MANAGEDSERVICES, loadConfig(check.MANAGEDSERVICES, bv), detecetedKubeVersion)
} else {
glog.V(1).Info("== Skipping managed services checks ==")
}


@ -75,7 +75,7 @@ func run(targets []string, benchmarkVersion string) (err error) {
for _, yamlFile := range yamlFiles {
_, name := filepath.Split(yamlFile)
testType := check.NodeType(strings.Split(name, ".")[0])
runChecks(testType, yamlFile)
runChecks(testType, yamlFile, detecetedKubeVersion)
}
writeOutput(controlsCollection)