Add detected kubernetes version (#869)
* Add detected kubernetes version to controls * Refactor NewControls function Now new Control function is expecting detected version argument. * Refactor NewControls function Now new Control function is expecting detected version argument. * Refactor NewControls function New Control function is expecting detected version argument. * Add detected kube version * add detecetedKubeVersion * Add detecetedKubeVersion * Add detectedKubeVersion * Add detecetedKubeVersion * Fix missing version * Change version Change version from 3.10 to rh-0.7 * fix version: "cis-1.5" * fix version: "cis-1.5" * fix version: "cis-1.5" * Fix version: "cis-1.5" * Fix version: "cis-1.5" * Fix version: "cis-1.6" * Fix version: "cis-1.6" * Fix version: "cis-1.6" * Fix version: "cis-1.6" * Fix version: "cis-1.6"
parent
182e64753e
commit
887965d31f
@ -1,6 +1,6 @@
|
||||
---
|
||||
controls:
|
||||
version: 1.5
|
||||
version: "cis-1.5"
|
||||
id: 3
|
||||
text: "Control Plane Configuration"
|
||||
type: "controlplane"
|
||||
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
controls:
|
||||
version: 1.15
|
||||
version: "cis-1.5"
|
||||
id: 2
|
||||
text: "Etcd Node Configuration"
|
||||
type: "etcd"
|
||||
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
controls:
|
||||
version: 1.5
|
||||
version: "cis-1.5"
|
||||
id: 1
|
||||
text: "Master Node Security Configuration"
|
||||
type: "master"
|
||||
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
controls:
|
||||
version: 1.5
|
||||
version: "cis-1.5"
|
||||
id: 4
|
||||
text: "Worker Node Security Configuration"
|
||||
type: "node"
|
||||
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
controls:
|
||||
version: 1.5
|
||||
version: "cis-1.5"
|
||||
id: 5
|
||||
text: "Kubernetes Policies"
|
||||
type: "policies"
|
||||
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
controls:
|
||||
version: 1.6
|
||||
version: "cis-1.6"
|
||||
id: 3
|
||||
text: "Control Plane Configuration"
|
||||
type: "controlplane"
|
||||
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
controls:
|
||||
version: 1.6
|
||||
version: "cis-1.6"
|
||||
id: 2
|
||||
text: "Etcd Node Configuration"
|
||||
type: "etcd"
|
||||
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
controls:
|
||||
version: 1.6
|
||||
version: "cis-1.6"
|
||||
id: 1
|
||||
text: "Master Node Security Configuration"
|
||||
type: "master"
|
||||
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
controls:
|
||||
version: 1.6
|
||||
version: "cis-1.6"
|
||||
id: 4
|
||||
text: "Worker Node Security Configuration"
|
||||
type: "node"
|
||||
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
controls:
|
||||
version: 1.6
|
||||
version: "cis-1.6"
|
||||
id: 5
|
||||
text: "Kubernetes Policies"
|
||||
type: "policies"
|
||||
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
controls:
|
||||
version: 3.10
|
||||
version: "rh-0.7"
|
||||
id: 1
|
||||
text: "Securing the OpenShift Master"
|
||||
type: "master"
|
||||
|
@ -1,5 +1,6 @@
|
||||
---
|
||||
controls:
|
||||
version: "rh-0.7"
|
||||
id: 2
|
||||
text: "Worker Node Security Configuration"
|
||||
type: "node"
|
||||
|
@ -47,11 +47,12 @@ type OverallControls struct {
|
||||
|
||||
// Controls holds all controls to check for master nodes.
|
||||
type Controls struct {
|
||||
ID string `yaml:"id" json:"id"`
|
||||
Version string `json:"version"`
|
||||
Text string `json:"text"`
|
||||
Type NodeType `json:"node_type"`
|
||||
Groups []*Group `json:"tests"`
|
||||
ID string `yaml:"id" json:"id"`
|
||||
Version string `json:"version"`
|
||||
DetectedVersion string `json:"detected_version,omitempty"`
|
||||
Text string `json:"text"`
|
||||
Type NodeType `json:"node_type"`
|
||||
Groups []*Group `json:"tests"`
|
||||
Summary
|
||||
}
|
||||
|
||||
@ -79,7 +80,7 @@ type Summary struct {
|
||||
type Predicate func(group *Group, check *Check) bool
|
||||
|
||||
// NewControls instantiates a new master Controls object.
|
||||
func NewControls(t NodeType, in []byte) (*Controls, error) {
|
||||
func NewControls(t NodeType, in []byte, detectedVersion string) (*Controls, error) {
|
||||
c := new(Controls)
|
||||
|
||||
err := yaml.Unmarshal(in, c)
|
||||
@ -90,7 +91,7 @@ func NewControls(t NodeType, in []byte) (*Controls, error) {
|
||||
if t != c.Type {
|
||||
return nil, fmt.Errorf("non-%s controls file specified", t)
|
||||
}
|
||||
|
||||
c.DetectedVersion = detectedVersion
|
||||
return c, nil
|
||||
}
|
||||
|
||||
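Review bot: The new `DetectedVersion string` field carries only a json tag, so the `err := yaml.Unmarshal(in, c)` call in NewControls will also populate it from a matching key in the controls file if the yaml package in use defaults to lowercased field names (as gopkg.in/yaml.v2 does); the unconditional `c.DetectedVersion = detectedVersion` afterwards masks that, but only because of statement order. Tagging the field with `yaml:"-" json:"detected_version,omitempty"` makes explicit that the value comes from the runtime argument and never from the benchmark file, and keeps it that way if the assignment is ever moved. The NewControls doc comment still reads "instantiates a new master Controls object" and does not mention the new parameter; I would change it to `// NewControls parses the controls YAML in in, rejects it if its type differs from t, and records detectedVersion as DetectedVersion.` The middle of NewControls (the yaml error handling) is outside the shown hunks.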
|
@ -83,7 +83,7 @@ type: # not specified
|
||||
groups:
|
||||
`)
|
||||
// when
|
||||
_, err := NewControls(MASTER, in)
|
||||
_, err := NewControls(MASTER, in, "")
|
||||
// then
|
||||
assert.EqualError(t, err, "non-master controls file specified")
|
||||
})
|
||||
@ -92,7 +92,7 @@ groups:
|
||||
// given
|
||||
in := []byte("BOOM")
|
||||
// when
|
||||
_, err := NewControls(MASTER, in)
|
||||
_, err := NewControls(MASTER, in, "")
|
||||
// then
|
||||
assert.EqualError(t, err, "failed to unmarshal YAML: yaml: unmarshal errors:\n line 1: cannot unmarshal !!str `BOOM` into check.Controls")
|
||||
})
|
||||
@ -118,7 +118,7 @@ groups:
|
||||
- id: G2/C1
|
||||
- id: G2/C2
|
||||
`)
|
||||
controls, err := NewControls(MASTER, in)
|
||||
controls, err := NewControls(MASTER, in, "")
|
||||
assert.NoError(t, err)
|
||||
|
||||
var allChecks Predicate = func(group *Group, c *Check) bool {
|
||||
@ -153,7 +153,7 @@ groups:
|
||||
checks:
|
||||
- id: G1/C1
|
||||
`)
|
||||
controls, err := NewControls(MASTER, in)
|
||||
controls, err := NewControls(MASTER, in, "")
|
||||
assert.NoError(t, err)
|
||||
|
||||
var allChecks Predicate = func(group *Group, c *Check) bool {
|
||||
@ -196,7 +196,7 @@ groups:
|
||||
scored: true
|
||||
`)
|
||||
// and
|
||||
controls, err := NewControls(MASTER, in)
|
||||
controls, err := NewControls(MASTER, in, "")
|
||||
assert.NoError(t, err)
|
||||
// and
|
||||
runner.On("Run", controls.Groups[0].Checks[0]).Return(PASS)
|
||||
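Review bot: Every updated call in this file passes `""` for the new detectedVersion argument, so the test file never exercises the value actually being stored on the returned Controls. One assertion in the happy-path case would pin the contract: change `controls, err := NewControls(MASTER, in, "")` to `controls, err := NewControls(MASTER, in, "1.18")` (constructed sample value) and add `assert.Equal(t, "1.18", controls.DetectedVersion)` after the `assert.NoError(t, err)` that follows it. Without it a regression that drops the assignment in NewControls would pass this suite unchanged.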
|
@ -38,7 +38,7 @@ func init() {
|
||||
user := os.Getenv("USER")
|
||||
s := strings.Replace(string(in), "$user", user, -1)
|
||||
|
||||
controls, err = NewControls(MASTER, []byte(s))
|
||||
controls, err = NewControls(MASTER, []byte(s), "")
|
||||
// controls, err = NewControls(MASTER, in)
|
||||
if err != nil {
|
||||
panic("Failed creating test controls: " + err.Error())
|
||||
|
@ -64,7 +64,7 @@ func NewRunFilter(opts FilterOpts) (check.Predicate, error) {
|
||||
}, nil
|
||||
}
|
||||
|
||||
func runChecks(nodetype check.NodeType, testYamlFile string) {
|
||||
func runChecks(nodetype check.NodeType, testYamlFile, detectedVersion string) {
|
||||
// Verify config file was loaded into Viper during Cobra sub-command initialization.
|
||||
if configFileError != nil {
|
||||
colorPrint(check.FAIL, fmt.Sprintf("Failed to read config file: %v\n", configFileError))
|
||||
@ -106,7 +106,7 @@ func runChecks(nodetype check.NodeType, testYamlFile string) {
|
||||
s, _ = makeSubstitutions(s, "kubeconfig", kubeconfmap)
|
||||
s, _ = makeSubstitutions(s, "cafile", cafilemap)
|
||||
|
||||
controls, err := check.NewControls(nodetype, []byte(s))
|
||||
controls, err := check.NewControls(nodetype, []byte(s), detectedVersion)
|
||||
if err != nil {
|
||||
exitWithError(fmt.Errorf("error setting up %s controls: %v", nodetype, err))
|
||||
}
|
||||
@ -123,7 +123,7 @@ func runChecks(nodetype check.NodeType, testYamlFile string) {
|
||||
controlsCollection = append(controlsCollection, controls)
|
||||
}
|
||||
|
||||
func generateDefaultEnvAudit(controls *check.Controls, binSubs []string){
|
||||
func generateDefaultEnvAudit(controls *check.Controls, binSubs []string) {
|
||||
for _, group := range controls.Groups {
|
||||
for _, checkItem := range group.Checks {
|
||||
if checkItem.Tests != nil && !checkItem.DisableEnvTesting {
|
||||
@ -314,11 +314,15 @@ func loadTargetMapping(v *viper.Viper) (map[string][]string, error) {
|
||||
}
|
||||
|
||||
func getBenchmarkVersion(kubeVersion, benchmarkVersion, platformName string, v *viper.Viper) (bv string, err error) {
|
||||
detecetedKubeVersion = "none"
|
||||
if !isEmpty(kubeVersion) && !isEmpty(benchmarkVersion) {
|
||||
return "", fmt.Errorf("It is an error to specify both --version and --benchmark flags")
|
||||
}
|
||||
if isEmpty(benchmarkVersion) && isEmpty(kubeVersion) && !isEmpty(platformName){
|
||||
if isEmpty(benchmarkVersion) && isEmpty(kubeVersion) && !isEmpty(platformName) {
|
||||
benchmarkVersion = getPlatformBenchmarkVersion(platformName)
|
||||
if !isEmpty(benchmarkVersion) {
|
||||
detecetedKubeVersion = benchmarkVersion
|
||||
}
|
||||
}
|
||||
|
||||
if isEmpty(benchmarkVersion) {
|
||||
@ -328,6 +332,7 @@ func getBenchmarkVersion(kubeVersion, benchmarkVersion, platformName string, v *
|
||||
return "", fmt.Errorf("Version check failed: %s\nAlternatively, you can specify the version with --version", err)
|
||||
}
|
||||
kubeVersion = kv.BaseVersion()
|
||||
detecetedKubeVersion = kubeVersion
|
||||
}
|
||||
|
||||
kubeToBenchmarkMap, err := loadVersionMapping(v)
|
||||
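Review bot: getBenchmarkVersion now publishes a package-level `detecetedKubeVersion` whose content is not consistently a Kubernetes version: on the platform path `detecetedKubeVersion = benchmarkVersion` stores the result of getPlatformBenchmarkVersion, i.e. a benchmark identifier, while a run that supplies `--version` appears to leave it at the `"none"` sentinel because only the auto-detection branch at `detecetedKubeVersion = kubeVersion` updates it. Both values end up verbatim in every Controls as detected_version, so a consumer of the JSON output cannot tell a detected version from a platform name or from "nothing was detected". I would restrict the variable to the auto-detected value (drop the three-line platform assignment) and initialise it to `""` rather than `"none"`, so the omitempty on the new JSON field actually suppresses it when no detection happened; if the platform-derived benchmark is worth reporting it deserves its own field. The misspelling `detecetedKubeVersion` is repeated in cmd/root.go, cmd/master.go, cmd/node.go and cmd/run.go and should be fixed in a single rename to `detectedKubeVersion`. The body of getBenchmarkVersion between the two hunks is not shown, so the `--version` observation is inferred from the visible branches only.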
|
@ -630,7 +630,7 @@ groups:
|
||||
Edit the config file /this/is/a/file/path and set SomeSampleFlag to true.
|
||||
scored: true
|
||||
`)
|
||||
controls, err := check.NewControls(check.MASTER, input)
|
||||
controls, err := check.NewControls(check.MASTER, input, "")
|
||||
assert.NoError(t, err)
|
||||
|
||||
binSubs := []string{"TestBinPath"}
|
||||
|
@ -34,7 +34,7 @@ var masterCmd = &cobra.Command{
|
||||
}
|
||||
|
||||
filename := loadConfig(check.MASTER, bv)
|
||||
runChecks(check.MASTER, filename)
|
||||
runChecks(check.MASTER, filename, detecetedKubeVersion)
|
||||
writeOutput(controlsCollection)
|
||||
},
|
||||
Deprecated: "this command will be retired soon. Please use the `run` command with `--targets=master` instead.",
|
||||
|
@ -34,7 +34,7 @@ var nodeCmd = &cobra.Command{
|
||||
}
|
||||
|
||||
filename := loadConfig(check.NODE, bv)
|
||||
runChecks(check.NODE, filename)
|
||||
runChecks(check.NODE, filename, detecetedKubeVersion)
|
||||
writeOutput(controlsCollection)
|
||||
},
|
||||
Deprecated: "this command will be retired soon. Please use the `run` command with `--targets=node` instead.",
|
||||
|
67
cmd/root.go
67
cmd/root.go
@ -33,33 +33,34 @@ type FilterOpts struct {
|
||||
}
|
||||
|
||||
var (
|
||||
envVarsPrefix = "KUBE_BENCH"
|
||||
defaultKubeVersion = "1.18"
|
||||
kubeVersion string
|
||||
benchmarkVersion string
|
||||
cfgFile string
|
||||
cfgDir = "./cfg/"
|
||||
jsonFmt bool
|
||||
junitFmt bool
|
||||
pgSQL bool
|
||||
aSFF bool
|
||||
masterFile = "master.yaml"
|
||||
nodeFile = "node.yaml"
|
||||
etcdFile = "etcd.yaml"
|
||||
controlplaneFile = "controlplane.yaml"
|
||||
policiesFile = "policies.yaml"
|
||||
managedservicesFile = "managedservices.yaml"
|
||||
exitCode int
|
||||
noResults bool
|
||||
noSummary bool
|
||||
noRemediations bool
|
||||
skipIds string
|
||||
noTotals bool
|
||||
filterOpts FilterOpts
|
||||
includeTestOutput bool
|
||||
outputFile string
|
||||
configFileError error
|
||||
controlsCollection []*check.Controls
|
||||
envVarsPrefix = "KUBE_BENCH"
|
||||
defaultKubeVersion = "1.18"
|
||||
kubeVersion string
|
||||
detecetedKubeVersion string
|
||||
benchmarkVersion string
|
||||
cfgFile string
|
||||
cfgDir = "./cfg/"
|
||||
jsonFmt bool
|
||||
junitFmt bool
|
||||
pgSQL bool
|
||||
aSFF bool
|
||||
masterFile = "master.yaml"
|
||||
nodeFile = "node.yaml"
|
||||
etcdFile = "etcd.yaml"
|
||||
controlplaneFile = "controlplane.yaml"
|
||||
policiesFile = "policies.yaml"
|
||||
managedservicesFile = "managedservices.yaml"
|
||||
exitCode int
|
||||
noResults bool
|
||||
noSummary bool
|
||||
noRemediations bool
|
||||
skipIds string
|
||||
noTotals bool
|
||||
filterOpts FilterOpts
|
||||
includeTestOutput bool
|
||||
outputFile string
|
||||
configFileError error
|
||||
controlsCollection []*check.Controls
|
||||
)
|
||||
|
||||
// RootCmd represents the base command when called without any subcommands
|
||||
@ -76,7 +77,7 @@ var RootCmd = &cobra.Command{
|
||||
|
||||
if isMaster() {
|
||||
glog.V(1).Info("== Running master checks ==")
|
||||
runChecks(check.MASTER, loadConfig(check.MASTER, bv))
|
||||
runChecks(check.MASTER, loadConfig(check.MASTER, bv), detecetedKubeVersion)
|
||||
|
||||
// Control Plane is only valid for CIS 1.5 and later,
|
||||
// this a gatekeeper for previous versions
|
||||
@ -86,7 +87,7 @@ var RootCmd = &cobra.Command{
|
||||
}
|
||||
if valid {
|
||||
glog.V(1).Info("== Running control plane checks ==")
|
||||
runChecks(check.CONTROLPLANE, loadConfig(check.CONTROLPLANE, bv))
|
||||
runChecks(check.CONTROLPLANE, loadConfig(check.CONTROLPLANE, bv), detecetedKubeVersion)
|
||||
}
|
||||
} else {
|
||||
glog.V(1).Info("== Skipping master checks ==")
|
||||
@ -100,13 +101,13 @@ var RootCmd = &cobra.Command{
|
||||
}
|
||||
if valid && isEtcd() {
|
||||
glog.V(1).Info("== Running etcd checks ==")
|
||||
runChecks(check.ETCD, loadConfig(check.ETCD, bv))
|
||||
runChecks(check.ETCD, loadConfig(check.ETCD, bv), detecetedKubeVersion)
|
||||
} else {
|
||||
glog.V(1).Info("== Skipping etcd checks ==")
|
||||
}
|
||||
|
||||
glog.V(1).Info("== Running node checks ==")
|
||||
runChecks(check.NODE, loadConfig(check.NODE, bv))
|
||||
runChecks(check.NODE, loadConfig(check.NODE, bv), detecetedKubeVersion)
|
||||
|
||||
// Policies is only valid for CIS 1.5 and later,
|
||||
// this a gatekeeper for previous versions.
|
||||
@ -116,7 +117,7 @@ var RootCmd = &cobra.Command{
|
||||
}
|
||||
if valid {
|
||||
glog.V(1).Info("== Running policies checks ==")
|
||||
runChecks(check.POLICIES, loadConfig(check.POLICIES, bv))
|
||||
runChecks(check.POLICIES, loadConfig(check.POLICIES, bv), detecetedKubeVersion)
|
||||
} else {
|
||||
glog.V(1).Info("== Skipping policies checks ==")
|
||||
}
|
||||
@ -129,7 +130,7 @@ var RootCmd = &cobra.Command{
|
||||
}
|
||||
if valid {
|
||||
glog.V(1).Info("== Running managed services checks ==")
|
||||
runChecks(check.MANAGEDSERVICES, loadConfig(check.MANAGEDSERVICES, bv))
|
||||
runChecks(check.MANAGEDSERVICES, loadConfig(check.MANAGEDSERVICES, bv), detecetedKubeVersion)
|
||||
} else {
|
||||
glog.V(1).Info("== Skipping managed services checks ==")
|
||||
}
|
||||
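Review bot: The new package variable at `detecetedKubeVersion string` is written by a function in another file (getBenchmarkVersion in cmd/common.go) and read by the RootCmd handler here as well as by master.go, node.go and run.go, yet it carries no comment saying where it comes from or when it is valid. I would document it at the declaration: `detecetedKubeVersion string // written by getBenchmarkVersion (cmd/common.go); "none" until a version is detected`. The RootCmd hunks below only forward the value to runChecks and need no further change; whether getBenchmarkVersion is guaranteed to run before every runChecks call is not visible in this diff and is worth confirming.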
|
@ -75,7 +75,7 @@ func run(targets []string, benchmarkVersion string) (err error) {
|
||||
for _, yamlFile := range yamlFiles {
|
||||
_, name := filepath.Split(yamlFile)
|
||||
testType := check.NodeType(strings.Split(name, ".")[0])
|
||||
runChecks(testType, yamlFile)
|
||||
runChecks(testType, yamlFile, detecetedKubeVersion)
|
||||
}
|
||||
|
||||
writeOutput(controlsCollection)
|
||||
|