
Add detected kubernetes version (#869)

* Add detected kubernetes version to controls

* Refactore NewControls function

Now new Control function is expecting detected version argument.

* Refactore NewControls function

Now new Control function is expecting detected version argument.

* Refactore NewControls function

New Control function is expecting detected version argument.

* Add detected kube version

* add detecetedKubeVersion

* Add detecetedKubeVersion

* Add detectedKubeVersion

* Add detecetedKubeVersion

* Fix missing version

* Change version

Change version from 3.10 to rh-0.7

* fix version: "cis-1.5"

* fix version: "cis-1.5"

* fix version: "cis-1.5"

* Fix version: "cis-1.5"

* Fix version: "cis-1.5"

* Fix version: "cis-1.6"

* Fix version: "cis-1.6"

* Fix version: "cis-1.6"

* Fix version: "cis-1.6"

* Fix version: "cis-1.6"
This commit is contained in:
Yoav Rotem 2021-05-09 14:48:34 +03:00 committed by GitHub
parent 182e64753e
commit 887965d31f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
21 changed files with 73 additions and 65 deletions


@ -1,6 +1,6 @@
--- ---
controls: controls:
version: 1.5 version: "cis-1.5"
id: 3 id: 3
text: "Control Plane Configuration" text: "Control Plane Configuration"
type: "controlplane" type: "controlplane"


@ -1,6 +1,6 @@
--- ---
controls: controls:
version: 1.15 version: "cis-1.5"
id: 2 id: 2
text: "Etcd Node Configuration" text: "Etcd Node Configuration"
type: "etcd" type: "etcd"


@ -1,6 +1,6 @@
--- ---
controls: controls:
version: 1.5 version: "cis-1.5"
id: 1 id: 1
text: "Master Node Security Configuration" text: "Master Node Security Configuration"
type: "master" type: "master"


@ -1,6 +1,6 @@
--- ---
controls: controls:
version: 1.5 version: "cis-1.5"
id: 4 id: 4
text: "Worker Node Security Configuration" text: "Worker Node Security Configuration"
type: "node" type: "node"


@ -1,6 +1,6 @@
--- ---
controls: controls:
version: 1.5 version: "cis-1.5"
id: 5 id: 5
text: "Kubernetes Policies" text: "Kubernetes Policies"
type: "policies" type: "policies"


@ -1,6 +1,6 @@
--- ---
controls: controls:
version: 1.6 version: "cis-1.6"
id: 3 id: 3
text: "Control Plane Configuration" text: "Control Plane Configuration"
type: "controlplane" type: "controlplane"


@ -1,6 +1,6 @@
--- ---
controls: controls:
version: 1.6 version: "cis-1.6"
id: 2 id: 2
text: "Etcd Node Configuration" text: "Etcd Node Configuration"
type: "etcd" type: "etcd"


@ -1,6 +1,6 @@
--- ---
controls: controls:
version: 1.6 version: "cis-1.6"
id: 1 id: 1
text: "Master Node Security Configuration" text: "Master Node Security Configuration"
type: "master" type: "master"


@ -1,6 +1,6 @@
--- ---
controls: controls:
version: 1.6 version: "cis-1.6"
id: 4 id: 4
text: "Worker Node Security Configuration" text: "Worker Node Security Configuration"
type: "node" type: "node"


@ -1,6 +1,6 @@
--- ---
controls: controls:
version: 1.6 version: "cis-1.6"
id: 5 id: 5
text: "Kubernetes Policies" text: "Kubernetes Policies"
type: "policies" type: "policies"


@ -1,6 +1,6 @@
--- ---
controls: controls:
version: 3.10 version: "rh-0.7"
id: 1 id: 1
text: "Securing the OpenShift Master" text: "Securing the OpenShift Master"
type: "master" type: "master"


@ -1,5 +1,6 @@
--- ---
controls: controls:
version: "rh-0.7"
id: 2 id: 2
text: "Worker Node Security Configuration" text: "Worker Node Security Configuration"
type: "node" type: "node"


@ -49,6 +49,7 @@ type OverallControls struct {
type Controls struct { type Controls struct {
ID string `yaml:"id" json:"id"` ID string `yaml:"id" json:"id"`
Version string `json:"version"` Version string `json:"version"`
DetectedVersion string `json:"detected_version,omitempty"`
Text string `json:"text"` Text string `json:"text"`
Type NodeType `json:"node_type"` Type NodeType `json:"node_type"`
Groups []*Group `json:"tests"` Groups []*Group `json:"tests"`
@ -79,7 +80,7 @@ type Summary struct {
type Predicate func(group *Group, check *Check) bool type Predicate func(group *Group, check *Check) bool
// NewControls instantiates a new master Controls object. // NewControls instantiates a new master Controls object.
func NewControls(t NodeType, in []byte) (*Controls, error) { func NewControls(t NodeType, in []byte, detectedVersion string) (*Controls, error) {
c := new(Controls) c := new(Controls)
err := yaml.Unmarshal(in, c) err := yaml.Unmarshal(in, c)
@ -90,7 +91,7 @@ func NewControls(t NodeType, in []byte) (*Controls, error) {
if t != c.Type { if t != c.Type {
return nil, fmt.Errorf("non-%s controls file specified", t) return nil, fmt.Errorf("non-%s controls file specified", t)
} }
c.DetectedVersion = detectedVersion
return c, nil return c, nil
} }
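Review bot: The doc comment on NewControls still reads `// NewControls instantiates a new master Controls object.` and says nothing about the new detectedVersion parameter or the DetectedVersion field it fills; it should state that the value is copied verbatim after the node-type check and is neither parsed nor validated, e.g. `// NewControls builds a Controls object from the YAML in in, verifies its type matches t, and records detectedVersion (the Kubernetes or benchmark version the caller detected) in DetectedVersion as-is.` A comment on the field itself would help too, since its meaning depends entirely on what the caller passes. DetectedVersion also carries a json tag but no yaml tag, so under the yaml library's default lowercased-field mapping a `detectedversion:` key in a controls file would presumably be decoded into it by yaml.Unmarshal before the assignment at the end of NewControls overwrites it; a `yaml:"-"` tag would make the intent that this field never comes from the file explicit. The Controls struct continues outside the hunk.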


@ -83,7 +83,7 @@ type: # not specified
groups: groups:
`) `)
// when // when
_, err := NewControls(MASTER, in) _, err := NewControls(MASTER, in, "")
// then // then
assert.EqualError(t, err, "non-master controls file specified") assert.EqualError(t, err, "non-master controls file specified")
}) })
@ -92,7 +92,7 @@ groups:
// given // given
in := []byte("BOOM") in := []byte("BOOM")
// when // when
_, err := NewControls(MASTER, in) _, err := NewControls(MASTER, in, "")
// then // then
assert.EqualError(t, err, "failed to unmarshal YAML: yaml: unmarshal errors:\n line 1: cannot unmarshal !!str `BOOM` into check.Controls") assert.EqualError(t, err, "failed to unmarshal YAML: yaml: unmarshal errors:\n line 1: cannot unmarshal !!str `BOOM` into check.Controls")
}) })
@ -118,7 +118,7 @@ groups:
- id: G2/C1 - id: G2/C1
- id: G2/C2 - id: G2/C2
`) `)
controls, err := NewControls(MASTER, in) controls, err := NewControls(MASTER, in, "")
assert.NoError(t, err) assert.NoError(t, err)
var allChecks Predicate = func(group *Group, c *Check) bool { var allChecks Predicate = func(group *Group, c *Check) bool {
@ -153,7 +153,7 @@ groups:
checks: checks:
- id: G1/C1 - id: G1/C1
`) `)
controls, err := NewControls(MASTER, in) controls, err := NewControls(MASTER, in, "")
assert.NoError(t, err) assert.NoError(t, err)
var allChecks Predicate = func(group *Group, c *Check) bool { var allChecks Predicate = func(group *Group, c *Check) bool {
@ -196,7 +196,7 @@ groups:
scored: true scored: true
`) `)
// and // and
controls, err := NewControls(MASTER, in) controls, err := NewControls(MASTER, in, "")
assert.NoError(t, err) assert.NoError(t, err)
// and // and
runner.On("Run", controls.Groups[0].Checks[0]).Return(PASS) runner.On("Run", controls.Groups[0].Checks[0]).Return(PASS)


@ -38,7 +38,7 @@ func init() {
user := os.Getenv("USER") user := os.Getenv("USER")
s := strings.Replace(string(in), "$user", user, -1) s := strings.Replace(string(in), "$user", user, -1)
controls, err = NewControls(MASTER, []byte(s)) controls, err = NewControls(MASTER, []byte(s), "")
// controls, err = NewControls(MASTER, in) // controls, err = NewControls(MASTER, in)
if err != nil { if err != nil {
panic("Failed creating test controls: " + err.Error()) panic("Failed creating test controls: " + err.Error())


@ -64,7 +64,7 @@ func NewRunFilter(opts FilterOpts) (check.Predicate, error) {
}, nil }, nil
} }
func runChecks(nodetype check.NodeType, testYamlFile string) { func runChecks(nodetype check.NodeType, testYamlFile, detectedVersion string) {
// Verify config file was loaded into Viper during Cobra sub-command initialization. // Verify config file was loaded into Viper during Cobra sub-command initialization.
if configFileError != nil { if configFileError != nil {
colorPrint(check.FAIL, fmt.Sprintf("Failed to read config file: %v\n", configFileError)) colorPrint(check.FAIL, fmt.Sprintf("Failed to read config file: %v\n", configFileError))
@ -106,7 +106,7 @@ func runChecks(nodetype check.NodeType, testYamlFile string) {
s, _ = makeSubstitutions(s, "kubeconfig", kubeconfmap) s, _ = makeSubstitutions(s, "kubeconfig", kubeconfmap)
s, _ = makeSubstitutions(s, "cafile", cafilemap) s, _ = makeSubstitutions(s, "cafile", cafilemap)
controls, err := check.NewControls(nodetype, []byte(s)) controls, err := check.NewControls(nodetype, []byte(s), detectedVersion)
if err != nil { if err != nil {
exitWithError(fmt.Errorf("error setting up %s controls: %v", nodetype, err)) exitWithError(fmt.Errorf("error setting up %s controls: %v", nodetype, err))
} }
@ -314,11 +314,15 @@ func loadTargetMapping(v *viper.Viper) (map[string][]string, error) {
} }
func getBenchmarkVersion(kubeVersion, benchmarkVersion, platformName string, v *viper.Viper) (bv string, err error) { func getBenchmarkVersion(kubeVersion, benchmarkVersion, platformName string, v *viper.Viper) (bv string, err error) {
detecetedKubeVersion = "none"
if !isEmpty(kubeVersion) && !isEmpty(benchmarkVersion) { if !isEmpty(kubeVersion) && !isEmpty(benchmarkVersion) {
return "", fmt.Errorf("It is an error to specify both --version and --benchmark flags") return "", fmt.Errorf("It is an error to specify both --version and --benchmark flags")
} }
if isEmpty(benchmarkVersion) && isEmpty(kubeVersion) && !isEmpty(platformName) { if isEmpty(benchmarkVersion) && isEmpty(kubeVersion) && !isEmpty(platformName) {
benchmarkVersion = getPlatformBenchmarkVersion(platformName) benchmarkVersion = getPlatformBenchmarkVersion(platformName)
if !isEmpty(benchmarkVersion) {
detecetedKubeVersion = benchmarkVersion
}
} }
if isEmpty(benchmarkVersion) { if isEmpty(benchmarkVersion) {
@ -328,6 +332,7 @@ func getBenchmarkVersion(kubeVersion, benchmarkVersion, platformName string, v *
return "", fmt.Errorf("Version check failed: %s\nAlternatively, you can specify the version with --version", err) return "", fmt.Errorf("Version check failed: %s\nAlternatively, you can specify the version with --version", err)
} }
kubeVersion = kv.BaseVersion() kubeVersion = kv.BaseVersion()
detecetedKubeVersion = kubeVersion
} }
kubeToBenchmarkMap, err := loadVersionMapping(v) kubeToBenchmarkMap, err := loadVersionMapping(v)
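Review bot: detecetedKubeVersion is initialised to the sentinel `"none"` at the top of getBenchmarkVersion, but the struct field it eventually flows into is tagged `json:"detected_version,omitempty"`, so when `--version` or `--benchmark` is given explicitly the output carries the literal string "none" instead of omitting the field; pick one mechanism, e.g. `detecetedKubeVersion = ""` here and rely on omitempty, or drop omitempty and document the sentinel. In the platform branch the variable receives the value returned by getPlatformBenchmarkVersion, which from its name and its use as benchmarkVersion looks like a benchmark identifier rather than a Kubernetes version, so detected_version would mean different things depending on which branch ran — that deserves either a separate field or a comment on the variable saying it may hold either. The identifier is also misspelled (`detecetedKubeVersion` → `detectedKubeVersion`), and because it is a package-level variable mutated as a side effect rather than returned alongside bv, every caller depends on getBenchmarkVersion having run first. getBenchmarkVersion continues past the end of the hunk.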


@ -630,7 +630,7 @@ groups:
Edit the config file /this/is/a/file/path and set SomeSampleFlag to true. Edit the config file /this/is/a/file/path and set SomeSampleFlag to true.
scored: true scored: true
`) `)
controls, err := check.NewControls(check.MASTER, input) controls, err := check.NewControls(check.MASTER, input, "")
assert.NoError(t, err) assert.NoError(t, err)
binSubs := []string{"TestBinPath"} binSubs := []string{"TestBinPath"}


@ -34,7 +34,7 @@ var masterCmd = &cobra.Command{
} }
filename := loadConfig(check.MASTER, bv) filename := loadConfig(check.MASTER, bv)
runChecks(check.MASTER, filename) runChecks(check.MASTER, filename, detecetedKubeVersion)
writeOutput(controlsCollection) writeOutput(controlsCollection)
}, },
Deprecated: "this command will be retired soon. Please use the `run` command with `--targets=master` instead.", Deprecated: "this command will be retired soon. Please use the `run` command with `--targets=master` instead.",


@ -34,7 +34,7 @@ var nodeCmd = &cobra.Command{
} }
filename := loadConfig(check.NODE, bv) filename := loadConfig(check.NODE, bv)
runChecks(check.NODE, filename) runChecks(check.NODE, filename, detecetedKubeVersion)
writeOutput(controlsCollection) writeOutput(controlsCollection)
}, },
Deprecated: "this command will be retired soon. Please use the `run` command with `--targets=node` instead.", Deprecated: "this command will be retired soon. Please use the `run` command with `--targets=node` instead.",


@ -36,6 +36,7 @@ var (
envVarsPrefix = "KUBE_BENCH" envVarsPrefix = "KUBE_BENCH"
defaultKubeVersion = "1.18" defaultKubeVersion = "1.18"
kubeVersion string kubeVersion string
detecetedKubeVersion string
benchmarkVersion string benchmarkVersion string
cfgFile string cfgFile string
cfgDir = "./cfg/" cfgDir = "./cfg/"
@ -76,7 +77,7 @@ var RootCmd = &cobra.Command{
if isMaster() { if isMaster() {
glog.V(1).Info("== Running master checks ==") glog.V(1).Info("== Running master checks ==")
runChecks(check.MASTER, loadConfig(check.MASTER, bv)) runChecks(check.MASTER, loadConfig(check.MASTER, bv), detecetedKubeVersion)
// Control Plane is only valid for CIS 1.5 and later, // Control Plane is only valid for CIS 1.5 and later,
// this a gatekeeper for previous versions // this a gatekeeper for previous versions
@ -86,7 +87,7 @@ var RootCmd = &cobra.Command{
} }
if valid { if valid {
glog.V(1).Info("== Running control plane checks ==") glog.V(1).Info("== Running control plane checks ==")
runChecks(check.CONTROLPLANE, loadConfig(check.CONTROLPLANE, bv)) runChecks(check.CONTROLPLANE, loadConfig(check.CONTROLPLANE, bv), detecetedKubeVersion)
} }
} else { } else {
glog.V(1).Info("== Skipping master checks ==") glog.V(1).Info("== Skipping master checks ==")
@ -100,13 +101,13 @@ var RootCmd = &cobra.Command{
} }
if valid && isEtcd() { if valid && isEtcd() {
glog.V(1).Info("== Running etcd checks ==") glog.V(1).Info("== Running etcd checks ==")
runChecks(check.ETCD, loadConfig(check.ETCD, bv)) runChecks(check.ETCD, loadConfig(check.ETCD, bv), detecetedKubeVersion)
} else { } else {
glog.V(1).Info("== Skipping etcd checks ==") glog.V(1).Info("== Skipping etcd checks ==")
} }
glog.V(1).Info("== Running node checks ==") glog.V(1).Info("== Running node checks ==")
runChecks(check.NODE, loadConfig(check.NODE, bv)) runChecks(check.NODE, loadConfig(check.NODE, bv), detecetedKubeVersion)
// Policies is only valid for CIS 1.5 and later, // Policies is only valid for CIS 1.5 and later,
// this a gatekeeper for previous versions. // this a gatekeeper for previous versions.
@ -116,7 +117,7 @@ var RootCmd = &cobra.Command{
} }
if valid { if valid {
glog.V(1).Info("== Running policies checks ==") glog.V(1).Info("== Running policies checks ==")
runChecks(check.POLICIES, loadConfig(check.POLICIES, bv)) runChecks(check.POLICIES, loadConfig(check.POLICIES, bv), detecetedKubeVersion)
} else { } else {
glog.V(1).Info("== Skipping policies checks ==") glog.V(1).Info("== Skipping policies checks ==")
} }
@ -129,7 +130,7 @@ var RootCmd = &cobra.Command{
} }
if valid { if valid {
glog.V(1).Info("== Running managed services checks ==") glog.V(1).Info("== Running managed services checks ==")
runChecks(check.MANAGEDSERVICES, loadConfig(check.MANAGEDSERVICES, bv)) runChecks(check.MANAGEDSERVICES, loadConfig(check.MANAGEDSERVICES, bv), detecetedKubeVersion)
} else { } else {
glog.V(1).Info("== Skipping managed services checks ==") glog.V(1).Info("== Skipping managed services checks ==")
} }
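Review bot: Each runChecks call in RootCmd reads the package-level detecetedKubeVersion, which is populated only as a side effect of getBenchmarkVersion (presumably where bv is computed, above these hunks); if bv is ever obtained another way, the checks silently record an empty or stale detected version. Threading the value through explicitly would remove that ordering dependency, e.g. `bv, detected, err := getBenchmarkVersion(...)` followed by `runChecks(check.MASTER, loadConfig(check.MASTER, bv), detected)`. The variable name also carries a typo; `detectedKubeVersion` would match the DetectedVersion field it feeds, and a one-line comment on the declaration saying who sets it and when would help the next reader. The RootCmd Run function starts before and ends after this section's hunks.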


@ -75,7 +75,7 @@ func run(targets []string, benchmarkVersion string) (err error) {
for _, yamlFile := range yamlFiles { for _, yamlFile := range yamlFiles {
_, name := filepath.Split(yamlFile) _, name := filepath.Split(yamlFile)
testType := check.NodeType(strings.Split(name, ".")[0]) testType := check.NodeType(strings.Split(name, ".")[0])
runChecks(testType, yamlFile) runChecks(testType, yamlFile, detecetedKubeVersion)
} }
writeOutput(controlsCollection) writeOutput(controlsCollection)